Meraki

Community

Route Client VPN traffic over public IP on vMX

PKT1099
New here
9 hours ago
9 hours ago

Route Client VPN traffic over public IP on vMX

We access a vendor website that is locked down with an IP whitelist.

 

Our workforce is primarily remote (work from home). We want to be able to only have to whitelist one IP address across all our remote users.

 

We have a vMX in Azure which our employees use to access Azure resources via AnyConnect Client VPN. The vMX is configured in Passthrough / VPN Concentrator mode. I'm using split tunneling and dynamic client routing in the client VPN settings to specify that traffic to this website should go over the VPN. My goal was to have all traffic appear to be coming from the public IP of the vMX so we could whitelist that IP address.

 

For some reason this is not working.

  • When users try to connect to the vendor website from an IP address that is not whitelisted, the site displays a "Website Restricted" message.

  • When our users are connected to the vMX using AnyConnect, they do not get the "Website Restricted" message, but the page doesn't load. It eventually times out after a long period.

  • So there is a different behavior when connected to the VPN vs not connected.

 

 

We have another vendor who does something similar with their website. This vendor has a non-Meraki site-to-site VPN connection to our vMX. They have whitelisted the public IP of our vMX, and the split tunneling works as expected. The only difference between the two vendors is that we have a site-to-site VPN tunnel with the second vendor, the one for whom the website connection works.

 

Has anyone else been able to get something like this working? I'd appreciate any ideas or suggestions.

0 Kudos
3 Replies 3
MartinLL
Building a reputation
8 hours ago
8 hours ago

Dont use the vMX instance public ip. In fact i'm pretty sure that you cant.

The vMX VM public IP is not something the vMX can NAT to, so you wont reach the internet that way.

 

What i would do instead is to pin all traffic egressing the vMX towards Azure to an Azure Firewall or something. This way you can create DNAT/SNAT rules on the Azure Firewall, have your vendors whitelist the AZFW Public IP and reach it that way instead.

 

look at my post history. I have explained this setup a few times.

if you have more questions after reading my posts feel free to ask.

MLL
0 Kudos
In response to MartinLL
PKT1099
New here
7 hours ago
7 hours ago

I have a single vnet in Azure with multiple subnets. I also have a NAT Gateway.

 

The NAT Gateway is associated with the subnet containing my hosted servers. This causes traffic coming from those servers to appears to be originating from a single IP address. I had the vendor (who hosts the website) whitelist the public IP address of the NAT Gateway, and I can access the website from those servers.

 

Is there any way to do this for traffic coming from the AnyConnect subnet? 

 

I've tried associating the NAT Gateway with the AnyConnect subnet, but I am still unable to access the website.

 

I'm really trying to avoid having to spin up and pay for a second firewall (whether it be Meraki or Azure).

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
2 hours ago
2 hours ago

To do this you have to use VMX NAT mode.

https://documentation.meraki.com/MX/Other_Topics/vMX_NAT_Mode_Use_Cases_and_FAQ

 

This requires re-deploying the VMX.  It has lots of limitations, such as clients can initiate traffic into servers in Azure, but servers can not initiate traffic to clients or AutoVPN spokes.

Personally, I would look at using SecureConnect.
https://documentation.meraki.com/CiscoPlusSecureConnect

You can tunnel all of your traffic through it, and it all appears to come from one subnet (not a single IP).

https://support.umbrella.com/hc/en-us/articles/360059292052-Additional-Egress-IP-Address-Range

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2025 Cisco Systems, Inc.