cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Question about setting up a third party web-filter

New here

Question about setting up a third party web-filter

Good afternoon,

 

We are using a third party for web filtering and traffic analysis as opposed to the Meraki native tools.  We have a mix of MX100 and MX65 across a number of locations with the AutoVPN established.  At our main site, we have an MX100 with several NAT and port mapping rules set up for remote desktop, email, and an SFTP server.  In order to use the 3rd party web-filter, we had to set up a VPN to Non-Meraki peer and use 0.0.0.0/0 for the private subnet.  The VPN tunnel was established and traffic was seen on the remote web-filter.  The problem is our SMTP traffic was flowing through the web-filter and as a result showing the wrong Public IP address on SPF verification.  Additionally, RDP connections could not be completed as the outbound responses where being passed through the remote web-filter instead of returning through the NAT IP they came in on.

 

Does anyone have a similar scenario where there is a new default route created by a VPN and still is able to correctly route email and NAT/Mapped IP traffic?

 

Thank you,

Michael

2 REPLIES 2
Kind of a big deal

Re: Question about setting up a third party web-filter

The only option I can think of is to use dual Internet circuits on the MX.

 

Use the VPN on one, and use Internet flow preferences to route everything you want out the other.

 

 

But this is really the hard way of doing it.  The easy way is to use the built in system assuming you have an Advanced Security licence.

New here

Re: Question about setting up a third party web-filter

Thank you PhilipDAth,  there are reasons for this configuration that I am better off not getting into.  We already have a second WAN with Public facing IP addresses so this may be my only option.  We are working on getting technical resources from the 3rd party on with Meraki tech tomorrow and see if there are any alternatives.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.