Skip to main content
Cisco Meraki

Site-to-site and Client VPN Port Overlap with Manual port Forwarding rules

This article discusses a pitfall that must be avoided when configuring Site-to-Site VPN with Manual Port Forwarding. If the Manual Port Forwarding is configured for ports UDP 500 or 4500, it will break the Client VPN.


Site-to-Site VPN can be configured from Security appliance > Configure > Site-to-Site VPN on your dashboard and instructions can be found here as well as why you would use Manual Port Forwarding.

Manual Port Forwarding should be used if the MX or Z1 you are VPNing to is behind a NAT and the Automatic NAT Traversal does not work. However, it is important that you  not specify ports that the client VPN works on, namely UDP 500 and 4500.  

Here is an image of what NOT to do:



If the Site-to-Site VPN is configured this way you will run into port overlapping and the Client VPN will not be able to form. To configure this correctly, use any other unused port in the range 1024-65535, other than UDP 500 and 4500.

  • Was this article helpful?