Resolving NAT Mode and Site-to-Site VPN Conflicts
Overview
When a client connects to an SSID configured for Network Address Translation (NAT) Mode on a Cisco Meraki MR access point, the client is assigned an IP address from an isolated 10.0.0.0/8 network with limited access to the local LAN. This configuration can cause conflicts if another network also uses a 10.x.x.x addressing scheme.
This article explains how overlapping subnets between NAT Mode's Meraki DHCP and a site-to-site VPN can prevent client connectivity. It also provides recommended troubleshooting steps to resolve subnet conflicts.
Diagram: a NAT Mode client with the IP address 10.44.90.223, assigned by Meraki DHCP, attempts to connect to a corporate network that uses the 10.0.0.0/8 private addressing scheme. A conflict occurs because the local and remote subnets overlap.

Troubleshooting NAT mode and site-to-site VPN subnet conflicts
A subnet conflict can occur when the client's local network and the remote private network use overlapping subnets.
Possible causes
A subnet conflict can occur under the following conditions:
- The Cisco Meraki MR access point is configured for NAT Mode with Meraki DHCP and assigns client IP addresses within the 10.0.0.0/8 range.
- The remote site uses a 10.0.0.0/n private addressing scheme.
- A wireless client receives a 10.0.0.0/8 IP address from the MR access point. The last three octets of the client IP address are generated by running the client's MAC address through a hashing algorithm.
- If the remote site also uses a 10.0.0.0/n private addressing scheme, the wireless client may receive the same IP address as a client on the remote site, preventing the VPN client from connecting.
- The subnet overlap persists in both full tunnel and split tunnel site-to-site VPN configurations.
Troubleshooting steps
- Configure a less common client address range for clients that use the site-to-site VPN. Recommended address ranges include:
  - 172.16.0.0/14
  - 172.16.20.0/24
  - 172.16.25.0/24
- Verify whether the remote site uses a 10.0.0.0/n private addressing scheme.
- If the remote site uses 10.0.0.0/n addressing, clients cannot associate with a NAT Mode SSID.
- Create and serve a non-10.0.0.0/n addressing scheme to clients that need to communicate with the remote site.
- Use a Bridge Mode SSID to place clients on an isolated VLAN that you can secure with firewall rules.
- If you are not using Meraki DHCP and the subnet conflict persists, Cisco Meraki devices support VPN translation.
Contact Cisco Meraki support for questions about the VPN translation feature.
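The overlap check behind these steps, as an added example (not Meraki code): it uses Python's ipaddress module to report which remote-site prefixes collide with the NAT Mode 10.0.0.0/8 range or with a specific client address, and which of the article's recommended ranges are actually usable against a given set of remote routes. The remote prefixes are constructed sample values, not from a real deployment.

```python
import ipaddress
from typing import Iterable, List

# NAT Mode with Meraki DHCP assigns client addresses from this range.
NAT_MODE_RANGE = "10.0.0.0/8"

# Address ranges the article recommends for clients that use the site-to-site VPN.
RECOMMENDED_RANGES = ["172.16.0.0/14", "172.16.20.0/24", "172.16.25.0/24"]

# Constructed remote-site routes for illustration only (assumption, not real data).
REMOTE_PREFIXES_EXAMPLE = ["10.44.0.0/16", "10.120.8.0/22", "172.16.25.0/24", "192.168.50.0/24"]


def find_overlaps(client_range: str, remote_prefixes: Iterable[str]) -> List[str]:
    """Return the remote prefixes that overlap the client address range.

    Any overlap means a NAT Mode client could hold an address that also exists
    behind the VPN, which is the conflict the article describes.
    """
    local = ipaddress.ip_network(client_range, strict=False)
    return [p for p in remote_prefixes
            if ipaddress.ip_network(p, strict=False).overlaps(local)]


def client_conflicts(client_ip: str, remote_prefixes: Iterable[str]) -> List[str]:
    """Return the remote prefixes that contain a specific client IP address."""
    addr = ipaddress.ip_address(client_ip)
    return [p for p in remote_prefixes
            if addr in ipaddress.ip_network(p, strict=False)]


def safe_ranges(remote_prefixes: Iterable[str],
                candidates: Iterable[str] = RECOMMENDED_RANGES) -> List[str]:
    """Return candidate client ranges that overlap none of the remote prefixes.

    Even a recommended range must be checked: 172.16.0.0/14 covers
    172.16.0.0 through 172.19.255.255, so it collides with any remote
    172.16.x.0/24 route.
    """
    remote = list(remote_prefixes)
    return [c for c in candidates if not find_overlaps(c, remote)]


if __name__ == "__main__":
    print("NAT Mode overlaps:", find_overlaps(NAT_MODE_RANGE, REMOTE_PREFIXES_EXAMPLE))
    print("10.44.90.223 conflicts with:", client_conflicts("10.44.90.223", REMOTE_PREFIXES_EXAMPLE))
    print("Usable recommended ranges:", safe_ranges(REMOTE_PREFIXES_EXAMPLE))
```

Feed it the remote site's actual routes (from the VPN configuration or routing table) instead of the constructed list to decide which client range to serve.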
Additional resources
Refer to the following article for related information.

