Auto VPN # Diverting traffic over the VPN for a single host address - Is it possible?

MonkeySocks
Conversationalist


We have a public company-website hosted with a third party that presents different home pages dependent on the source IP.
I.e. if the web server receives client requests from source IP = X.X.X.X, present the employees page; else present the public page.
 
Our main office hosts an MX Security Appliance and uses traffic shaping to ensure traffic bound for this company-website leaves from WAN 2 (X.X.X.X).
 
The main office also has the role of SD-WAN Hub (site-to-site AutoVPN). The branch offices (spokes), which also use MX Security Appliances, do not use the hub default route option because we want local breakout for internet etc.; only specific subnets are enabled for VPN.
 
I'm attempting (without success) to redirect traffic bound to our company-website from branch offices to traverse the VPN to the main office and out of WAN 2 so that staff see the employee page.
 
I've messed with various settings, static routes on and off the VPN, and I've tested VPN traffic shaping rules to no avail; AI tools seem to provide instructions using options I do not even see on the Meraki Dashboard. It would be nice to simply configure the third party web server to account for all Spoke WAN IPs, but we're unable to do that.
 
Branch offices continue to see the company-website public page as traffic is being directed to local WAN breakout instead of being directed over the VPN.
 
From what I can see, in order for traffic to be a part of the VPN it has to be the whole subnet, however I just need a single host address only to traverse the VPN.
 
I hope that's clear enough... Would anyone be kind enough to give me some pointers please.
7 Replies
alemabrahao
Kind of a big deal

Perhaps you can achieve this using Internet Breakout.

 

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Site-t...)

 

Note: Application-based VPN exclusion rules (Smart Breakout) are only supported on MX devices with a Secure SD-WAN Plus

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
MonkeySocks
Conversationalist

Hey alemabrahao, many thanks for your kind suggestion.

Unfortunately the local internet breakout on a branch / spoke site has a different WAN IP address from the one expected on the company-website hosted with a third party. That's why I'm trying to send traffic to the hub to route out of WAN 2, which has the expected WAN IP.

 

Only the IP on the hub MX_WAN 2 is approved for displaying the employees page; yes, I can add a few more to the allow list, but we have over 100+ sites and IPs are not all static.

Thanks again!
 

alemabrahao
Kind of a big deal

So I'm almost 100% sure you won't be able to do that with Meraki alone.

I believe the most viable solution for you would be to use some kind of proxy, such as ZIA.

MonkeySocks
Conversationalist

Thanks alemabrahao, great to see people offering help 🙂

Mloraditch
Kind of a big deal

The only way you are going to be able to do this when not using the hub for all traffic is to have the hub point it to something else, generally a secondary firewall, and then have that device's public IP be the IP for the site to work.

However, your website host should be able to allow multiple public IPs to see the employee site. That may be onerous to maintain depending on how many sites and ISPs you have, but it's a solution that doesn't require new hardware and, once set up, should be fairly simple to maintain.


If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
MonkeySocks
Conversationalist

Thanks for your kind suggestion Mloraditch.

The third party hosting the site claim they can only append a small number of public IPs to the allow-list; we have over 100+ and not all are static.

 

Thanks again, much appreciated! 

PhilipDAth
Kind of a big deal

>The only way you are going to be able to do this when not using the hub for all traffic is have the hub point it to something else, a secondary firewall

 

This solution will work.

 

 

Another solution I have used is to deploy an HAProxy VM that forwards all traffic it receives to the website. Create an internal DNS entry in Active Directory, www.company.com, pointing to the private IP address of the HAProxy.

 

This causes anyone accessing that website to go via the HAProxy, and all of their traffic appears to come from one IP address.

 

You can do something similar on Windows with:

netsh interface portproxy add v4tov4 listenport=443 listenaddress=0.0.0.0 connectaddress=x.x.x.x connectport=443
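As an added example (not PhilipDAth's configuration and not from this thread), here is a minimal HAProxy configuration for the forwarder described above. It forwards port 443 at layer 4 so TLS is passed through untouched. The website's public address 203.0.113.10, the internal source ranges and the bind port are placeholders and assumptions; substitute the real values.

```haproxy
# Added example: HAProxy TCP pass-through so every internal client reaches the
# website from the proxy's single egress IP. Assumes internal DNS already points
# www.company.com at this proxy's private IP, and that the proxy's outbound
# traffic leaves the hub via WAN 2 (the address the website host has approved).

global
    log /dev/log local0
    maxconn 4096

defaults
    mode    tcp                 # layer-4 forwarding: TLS is NOT terminated here
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend https_in
    bind *:443
    # Whoever can reach this listener is seen by the website as the approved
    # "employee" IP, so only accept connections from internal address space.
    acl internal_src src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    tcp-request connection reject if !internal_src
    default_backend company_site

backend company_site
    # Point at the site's literal public IP (placeholder below), NOT at
    # www.company.com: inside the office that name resolves to this proxy
    # because of the internal DNS override, which would create a loop.
    server www 203.0.113.10:443 check
```

Placing the proxy VM on a main-office subnet that is already enabled for AutoVPN also sidesteps the original "whole subnet only" limitation: spokes reach the proxy over the existing VPN, and only the proxy's own traffic needs to exit WAN 2. Because the proxy grants the employee view to anything that can connect to it, the source ACL above (or an equivalent firewall rule) is the control that keeps that privilege inside the company network.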
