Routing to 3rd party website via site to site VPN.
Hi,
I'm having an issue accessing a website in China. I believe it is an issue with the ISP. I am trying to come up with a temporary workaround.
Currently, I have a site-to-site VPN that is connected to a Singapore office, which is a Meraki MX configured as Non-Meraki VPN peers.
The workaround I want to achieve is for this website to be routed through the site-to-site VPN via the Singapore office.
Under static route, I don't see an option where I can select the next hop as "Singapore VPN gateway".
Any advice will be greatly appreciated.
You have to add the website IP to the subnets in your VPN settings.
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peers
Hi,
Forgot to mention, in the China network, I added the public IP under the "Private subnets" under the Non-Meraki VPN peers to Singapore and can see it reflected in the route table.
However, it is still not working.
Does the other side have routes back to the source subnet from which you are trying to access it?
Yes. The LAN IPs are working across the S2S VPN.
If you want to do it only for a single site you'll need to deploy something like HAProxy in Singapore. You can use a config like this:

    # TCP passthrough: TLS is not terminated on the proxy, so clients
    # still validate the website's own certificate end to end.
    frontend https-frontend
        mode tcp
        bind *:443
        default_backend https-backend

    backend https-backend
        mode tcp
        balance source
        # check-ssl / verify none apply to the health check only
        server website a.b.c.d:443 check check-ssl verify none

Where a.b.c.d is the public IP address that the website resolves to.
Then create an entry in AD DNS for the exact website FQDN pointing to the private IP address of the HAProxy server.
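
A check for the DNS-override plus TCP-passthrough setup suggested above, as an added example that is not part of the original reply: it confirms that the FQDN resolves only to internal addresses and that a TLS handshake through the proxy still validates the website's real certificate. The function names, and the assumption that the proxy sits on an RFC 1918 address, are assumptions of this example.

```python
import ipaddress
import socket
import ssl

# Assumption: the proxy's private IP is in one of the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def override_in_effect(addresses):
    """True only if every resolved address is RFC 1918, i.e. the internal DNS
    record is answering instead of the website's public address."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    return bool(ips) and all(any(ip in net for net in RFC1918) for ip in ips)


def resolve(fqdn):
    """Resolve through the system resolver (internal DNS on a domain host)."""
    infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def tls_via_proxy(fqdn, proxy_ip, timeout=5.0):
    """Connect to the proxy's IP, send the real FQDN as SNI and validate the
    certificate against it. With passthrough the website's own certificate is
    returned; a mismatch raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((proxy_ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return tls.version(), tls.getpeercert()["subject"]


if __name__ == "__main__":
    import sys
    fqdn = sys.argv[1]            # the exact website FQDN
    addrs = resolve(fqdn)
    print("resolved:", addrs)
    if not override_in_effect(addrs):
        sys.exit("DNS override not in effect: a non-internal address was returned")
    print("TLS via proxy:", tls_via_proxy(fqdn, addrs[0]))
```

Run it from a client that uses the internal DNS servers, passing the website FQDN as the only argument.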
Thanks for the suggestion.
However, we would like to minimise the workaround without deploying more solutions to the infra.
