Route over Tunnel Question

NolanHerring
Kind of a big deal

I feel like I'm looking for my car keys and they're already in my hand with this question.

 

Is there a way to 'force' traffic for a specific internet-based-URL over the MX tunnel vs going out the internet for split-tunnel setups? Via DNS and not IP based that is

 

Site has way too many public IPs for their URL, but we want it to go through the data center and then out to the internet because they have our IP whitelisted, but remote branches not because we don't have statics all the time.

Nolan Herring | nolanwifi.com
jdsilva
Kind of a big deal

Interesting ask. I've had single site customers that have this requirement since I've been working with Meraki, but never multi-site customers. There's no policy based mechanism that can do this that I'm aware of. It actually blurs the line between Internet and VPN flow preferences since you want to route Internet traffic into AutoVPN. 

 

The only trick I can think of that might work is if maybe the IPs the site has can possibly be summarized? If they can be then you can inject a bogus route from the DC down to the sites that will send traffic into the tunnel. There might be some collateral damage with other sites going through the DC but that might be the cost of doing business.
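To put numbers on the "can the IPs be summarized" question above, here is an added example (not from this thread or from Meraki) that collapses a site's published addresses into the fewest exact prefixes, merges them further down to a route budget by always choosing the merge that pulls in the fewest unrelated addresses, and reports that collateral. The sample address list and the hostname-free route budget are constructed; the site's real address list would replace SAMPLE_SITE_IPS.

```python
"""Route summarization with a collateral-damage report for the 'bogus route' trick.

Added example, not from the thread. Addresses below are constructed from
documentation ranges; substitute the real list the site publishes.
"""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: a hypothetical site's public addresses.
SAMPLE_SITE_IPS = [
    "203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13",
    "203.0.113.40", "203.0.113.41",
    "198.51.100.7",
]


def exact_summary(ips: Iterable[str]) -> List[Net]:
    """Fewest prefixes that cover exactly the given addresses (zero collateral)."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(ip) for ip in ips))


def _smallest_common_supernet(a: Net, b: Net) -> Net:
    """Widen a's prefix outward until it also contains b."""
    s = a
    while not b.subnet_of(s):
        s = s.supernet()  # supernet() of a /0 returns itself, so this terminates
    return s


def summarize(ips: Iterable[str], max_routes: int) -> List[Net]:
    """Greedily merge prefixes until at most max_routes remain.

    Each step merges the adjacent pair whose common supernet adds the fewest
    addresses that were not on the list, i.e. the least collateral.
    """
    if max_routes < 1:
        raise ValueError("max_routes must be >= 1")
    nets = exact_summary(ips)
    if len({n.version for n in nets}) > 1:
        raise ValueError("summarize IPv4 and IPv6 separately")
    while len(nets) > max_routes:
        best = None  # (cost, merged, a, b)
        # collapse_addresses returns sorted, disjoint prefixes, so only
        # neighbours in the sorted order are candidates for a cheap merge.
        for a, b in zip(nets, nets[1:]):
            merged = _smallest_common_supernet(a, b)
            cost = merged.num_addresses - a.num_addresses - b.num_addresses
            if best is None or cost < best[0]:
                best = (cost, merged, a, b)
        _, merged, a, b = best
        rest = [n for n in nets if n not in (a, b)]
        # The merged prefix may swallow other neighbours; collapse again.
        nets = list(ipaddress.collapse_addresses(rest + [merged]))
    return nets


def collateral(ips: Iterable[str], routes: Iterable[Net]) -> int:
    """Number of addresses the routes cover that are NOT on the site's list.

    Routes are assumed disjoint, which collapse_addresses guarantees.
    """
    wanted = {ipaddress.ip_address(ip) for ip in ips}
    return sum(r.num_addresses for r in routes) - len(wanted)


def report(ips: Iterable[str], budgets: Iterable[int]) -> List[str]:
    """One line per route budget: the routes to inject and their collateral."""
    ips = list(ips)
    lines = []
    for budget in budgets:
        routes = summarize(ips, budget)
        lines.append(f"{budget} route(s): {', '.join(map(str, routes))} "
                     f"-> {collateral(ips, routes)} unrelated addresses pulled into the tunnel")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SITE_IPS, [len(exact_summary(SAMPLE_SITE_IPS)), 2, 1]):
        print(line)
```

Reading the report is the decision: a budget of 2 routes for the sample list costs 58 unrelated addresses, while forcing a single route collapses to 192.0.0.0/4 and would drag a quarter of the IPv4 internet through the DC, which is exactly the collateral jdsilva warns about.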

PhilipDAth
Kind of a big deal

There is no easy way to do this.  If it was me I would ...

 

Deploy an Ubuntu VM at the DC.  Configure this machine to use external DNS (such as 8.8.8.8).  Install HAProxy.  Create a configuration to proxy common tcp ports.  Note this is done at layer 4, so it doesn't look at the actual http/https request.  Something like:

 

defaults
        mode tcp
        timeout connect 5s
        timeout client  60s
        timeout server  60s

# Resolve the real site through external DNS (the 8.8.8.8 mentioned above), not
# through AD; otherwise the AD override record points HAProxy back at itself.
# Without a resolvers section HAProxy only resolves <dns name> once, at startup.
resolvers external-dns
        nameserver google 8.8.8.8:53

frontend http-frontend
        mode tcp
        bind *:80
        default_backend http-backend

frontend https-frontend
        mode tcp
        bind *:443
        default_backend https-backend

backend http-backend
        mode tcp
        balance source
        server http-backend <dns name>:80 check resolvers external-dns verify none

backend https-backend
        mode tcp
        balance source
        # Layer 4 pass-through: TLS stays end-to-end between browser and site, so
        # 'verify none' has no effect here; HAProxy never terminates the session.
        server https-backend <dns name>:443 check resolvers external-dns verify none

 

Then I would create an entry in Active Directory for the exact DNS name that the users are trying to access and give it the IP address of the HAProxy in your DC.

 

 

Now users trying to access the site will get invisibly redirected to HAProxy in the DC.  HAProxy will accept the TCP connection and make a request to the real web site from the DC, and then pass the reply back.
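The design above relies on two different DNS views being correct at the same time: branch clients must resolve the site to the HAProxy VM, and the HAProxy VM must resolve the same name to the real site (if the VM is still using AD DNS it will proxy to itself). The following is an added example, not from this thread or from Meraki, that checks both views; resolvers are injected as callables so it runs offline against constructed answers, and system_resolver() is the drop-in for a live host. The hostname app.example.net, the proxy address 10.10.0.5 and the 203.0.113.0/24 site addresses are assumed.

```python
"""Check the two DNS views the HAProxy redirect depends on.

Added example, not from the thread. Hostname and addresses are constructed.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

Resolver = Callable[[str], Set[str]]


def system_resolver(name: str) -> Set[str]:
    """Resolve with whatever resolver the OS running this script is configured to use."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def dict_resolver(view: Dict[str, Set[str]]) -> Resolver:
    """Build an offline resolver from a constructed name -> addresses table."""
    return lambda name: set(view.get(name, ()))


def client_view_ok(site: str, proxy_ips: Iterable[str], resolve: Resolver) -> Tuple[bool, str]:
    """Branch client view: every answer must be the proxy.

    Any other address means the split tunnel sends those flows straight out
    of the branch, bypassing the DC and its whitelisted IP.
    """
    proxies, answers = set(proxy_ips), resolve(site)
    if not answers:
        return False, f"{site}: no answer from the client-side resolver"
    leak = answers - proxies
    if leak:
        return False, f"{site}: clients see non-proxy address(es) {sorted(leak)}; those flows go direct"
    return True, f"{site}: clients are steered to the proxy {sorted(answers)}"


def proxy_view_ok(site: str, proxy_ips: Iterable[str], resolve: Resolver) -> Tuple[bool, str]:
    """HAProxy VM view: the site must resolve to the real site, never to the proxy itself."""
    proxies, answers = set(proxy_ips), resolve(site)
    if not answers:
        return False, f"{site}: no answer from the proxy's resolver"
    loop = answers & proxies
    if loop:
        return False, (f"{site}: the proxy resolves the site to itself {sorted(loop)}; "
                       "HAProxy would connect to its own frontend. Point the VM at an external resolver.")
    return True, f"{site}: proxy reaches the real site at {sorted(answers)}"


def run_checks(site: str, proxy_ips: Iterable[str],
               client_resolve: Resolver, proxy_resolve: Resolver) -> Tuple[bool, List[str]]:
    """Run both views; overall result is True only if both pass."""
    proxy_ips = list(proxy_ips)
    results = [client_view_ok(site, proxy_ips, client_resolve),
               proxy_view_ok(site, proxy_ips, proxy_resolve)]
    return all(ok for ok, _ in results), [msg for _, msg in results]


# Constructed sample data (assumed names and addresses, not from the thread).
SITE = "app.example.net"
PROXY_IPS = ["10.10.0.5"]                                   # assumed HAProxy VM address in the DC
AD_VIEW = {SITE: {"10.10.0.5"}}                             # the AD override record
EXTERNAL_VIEW = {SITE: {"203.0.113.10", "203.0.113.11"}}   # what external DNS returns
MISCONFIGURED_PROXY_VIEW = {SITE: {"10.10.0.5"}}           # proxy VM still pointed at AD DNS

if __name__ == "__main__":
    for label, proxy_view in (("correct", EXTERNAL_VIEW), ("proxy on AD DNS", MISCONFIGURED_PROXY_VIEW)):
        ok, msgs = run_checks(SITE, PROXY_IPS, dict_resolver(AD_VIEW), dict_resolver(proxy_view))
        print(f"[{label}] overall: {'PASS' if ok else 'FAIL'}")
        for msg in msgs:
            print("   ", msg)
```

On a live host, run client_view_ok from a branch machine and proxy_view_ok on the HAProxy VM, each with system_resolver, since each check has to see the resolver that machine actually uses.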
