Using VPN through an MX Security Appliance

The MX security appliance is designed to be used as a VPN endpoint, but as a firewall it can also pass VPN traffic to an internal VPN endpoint. PPTP and IPsec are protocols used to establish a secure, encrypted VPN connection between two endpoints. This article outlines how the MX handles PPTP and IPsec traffic, including routing specifics and limitations.

PPTP Outbound

PPTP passthrough for outbound traffic is supported on the MX appliance without additional configuration. Outbound traffic refers to a connection initiated from the LAN side of the appliance.

PPTP Inbound

PPTP requires a port forwarding rule for public TCP port 1723. Inbound GRE traffic initiated as part of this conversation will also be forwarded automatically. Inbound traffic refers to connections initiated from the WAN side of the appliance.


IPsec is supported for outbound traffic only when IPsec NAT-T is used between endpoints; the MX cannot currently route unencapsulated ESP traffic. IPsec uses the IP protocols ESP or AH, and with NAT-T these IP protocols are encapsulated in UDP datagrams.

IPsec Outbound

Passthrough for outbound traffic requires no additional configuration when IPsec NAT-T is used. 

IPsec Inbound 

Inbound traffic for IPsec using NAT-T can be configured using port forwarding or 1:1 NAT, using the following port numbers:

  • UDP 500
  • UDP 1701
  • UDP 4500


Note: If port forwarding is used for these ports, the MX will not be able to establish connections for the Site-to-site VPN or client VPN features.
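The following is an added example, not Meraki code: a small audit that checks a list of port forwarding rules against the ports named in this article and reports, per internal host, where a forward collides with the MX's own Site-to-site or client VPN, where only some of the listed IPsec ports are forwarded, and where PPTP is forwarded inbound. The rule format (`protocol`, `public_port`, `lan_ip`) and the sample rules are constructed for illustration and are not a dashboard export format.

```python
# Added example: audit port forwarding rules against the ports listed in this article.
# The rule dict keys (protocol / public_port / lan_ip) are a constructed format.
IPSEC_NATT_PORTS = {("udp", 500), ("udp", 1701), ("udp", 4500)}
PPTP_CONTROL = ("tcp", 1723)

SAMPLE_RULES = [  # constructed sample data
    {"protocol": "udp", "public_port": "500", "lan_ip": "192.168.10.5"},
    {"protocol": "udp", "public_port": "4500", "lan_ip": "192.168.10.5"},
    {"protocol": "tcp", "public_port": "1723", "lan_ip": "192.168.10.6"},
    {"protocol": "tcp", "public_port": "8000-8010", "lan_ip": "192.168.10.7"},
]


def expand(rule):
    """Yield (protocol, port) pairs for a rule whose public_port is 'N' or 'N-M'."""
    lo, _, hi = str(rule["public_port"]).partition("-")
    for port in range(int(lo), int(hi or lo) + 1):
        yield rule["protocol"].lower(), port


def audit(rules):
    """Return (lan_ip, finding, ports) tuples, grouped by internal host."""
    by_host = {}
    for rule in rules:
        by_host.setdefault(rule["lan_ip"], set()).update(expand(rule))

    findings = []
    for host, forwarded in sorted(by_host.items()):
        hit = forwarded & IPSEC_NATT_PORTS
        if hit:
            # Forwarding any of these ports stops the MX from establishing
            # its own Site-to-site VPN or client VPN connections.
            findings.append((host, "mx-vpn-conflict", sorted(hit)))
            missing = IPSEC_NATT_PORTS - forwarded
            if missing:
                # Listed ports that do not reach the same internal endpoint.
                findings.append((host, "ipsec-incomplete", sorted(missing)))
        if PPTP_CONTROL in forwarded:
            # GRE for this conversation is forwarded automatically by the MX.
            findings.append((host, "pptp-inbound", [PPTP_CONTROL]))
    return findings


if __name__ == "__main__":
    for host, kind, ports in audit(SAMPLE_RULES):
        print(host, kind, ", ".join(f"{p.upper()} {n}" for p, n in ports))
```

Grouping by internal host also catches a range rule that happens to cover one of the listed ports and a rule set that splits the listed ports across different endpoints.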


Article ID

ID: 1377
