
Site-to-site and Client VPN Port Overlap with Manual port Forwarding rules

This article discusses a pitfall that must be avoided when configuring Site-to-Site VPN with Manual Port Forwarding. If Manual Port Forwarding is configured for ports UDP 500 or 4500, it will break the Client VPN.

Details

Site-to-Site VPN can be configured from Security appliance > Configure > Site-to-Site VPN on your dashboard. Instructions, including when you would use Manual Port Forwarding, can be found here.

Manual Port Forwarding should be used if the MX or Z1 you are establishing the VPN to is behind a NAT and Automatic NAT Traversal does not work. However, it is important that you do not specify the ports that the Client VPN uses, namely UDP 500 and 4500.

Here is an image of what NOT to do (dashboard screenshot not reproduced here):

If the Site-to-Site VPN is configured this way, the ports will overlap and the Client VPN will not be able to form. To configure this correctly, use any other unused port in the range 1024-65535, other than UDP 500 and 4500.
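As an added example (not from this article or the Meraki dashboard), the following checker flags manual port-forwarding rules whose public port or port range would take over UDP 500 or 4500 from the Client VPN; the rule fields and the sample rules are assumed for illustration, and ranges and "both"-protocol rules are handled because a range such as 4000-5000 silently covers 4500.

```python
# Added example: flag manual port-forwarding rules that overlap the UDP
# ports Client VPN needs (500 for IKE, 4500 for IPsec NAT-T).
from dataclasses import dataclass
from typing import Dict, List, Tuple

CLIENT_VPN_UDP_PORTS = (500, 4500)  # ports the article says must stay free


@dataclass(frozen=True)
class ForwardRule:
    """One manual port-forwarding rule (field names assumed for this example)."""
    protocol: str     # "tcp", "udp" or "both"
    public_port: str  # a single port "4500" or a range "4000-5000"
    lan_ip: str       # constructed documentation address


def parse_port_range(spec: str) -> Tuple[int, int]:
    """Turn "500" or "400-600" into an inclusive (low, high) pair."""
    parts = spec.split("-", 1)
    low = int(parts[0])
    high = int(parts[1]) if len(parts) == 2 else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port spec: {spec!r}")
    return low, high


def rule_conflicts(rule: ForwardRule) -> List[int]:
    """Return the Client VPN UDP ports this rule would steal, if any."""
    if rule.protocol.lower() not in ("udp", "both"):
        return []  # TCP-only rules leave IKE and NAT-T (both UDP) untouched
    low, high = parse_port_range(rule.public_port)
    return [p for p in CLIENT_VPN_UDP_PORTS if low <= p <= high]


def check_rules(rules: List[ForwardRule]) -> Dict[ForwardRule, List[int]]:
    """Map each offending rule to the Client VPN ports it overlaps."""
    problems = {}
    for rule in rules:
        ports = rule_conflicts(rule)
        if ports:
            problems[rule] = ports
    return problems


if __name__ == "__main__":
    # Constructed sample: the first two rules reproduce the pitfall.
    sample = [
        ForwardRule("udp", "500", "192.0.2.10"),
        ForwardRule("both", "4000-5000", "192.0.2.10"),
        ForwardRule("udp", "5500", "192.0.2.10"),  # safe: unused port above 1024
    ]
    for rule, ports in check_rules(sample).items():
        print(f"{rule.protocol} {rule.public_port} -> {rule.lan_ip} breaks Client VPN on UDP {ports}")
```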

Last modified
15:16, 18 Feb 2016

Article ID

ID: 1331
