Meraki

Community

Sending Single Internet Destination Down Auto VPN to Central Site Internet access

Solved
CharlieCrackle
A model citizen
‎Apr 18 2022 8:12 AM
‎Apr 18 2022 8:12 AM

Sending Single Internet Destination Down Auto VPN to Central Site Internet access

 

Have a Central MX with 30 Spoke Z3 with people working from home.  with Auto SDWAN

 

One internet application requires the source IP to be specific  (the outside IP of the MX)

 

If we set the Z3 to have default route to central MX  then all works fine   except all internet traffic from all Z3 goes via the Central MX killing the internet performance with Office 365 traffic.

 

Would like to turn off the default route  so the Z3 use local internet  and then add a single static route to all Z3 for single ip address (eg 203.44.X,Y)  and send this via the SDWAN.

 

There does not seem any way to do this from Z3..

 

I tried adding a static route at the MX  and  ticking include in VPN    the advertisement works and all the Z3 see it

 

The issue is you can not add a static route and point to the internet ???  even putting the WAN gateway IP as the next hop  is accepted but the packet is dropped by the MX as it expects the packet to go out the LAN not the WAN.

 

Any one got a way I can achieve my end result of having a single IP address routed via the Central MX and out to the internet. ??

 

Could this be done with a SDWAN Policy in traffic shaping but the Z3 does not have this option.

 

 

 

0 Kudos
1 Accepted Solution
In response to MarkB2
CharlieCrackle
A model citizen
‎Apr 26 2022 7:55 AM
‎Apr 26 2022 7:55 AM

Confirmed by Meraki Support not supported   😢

View solution in original post

0 Kudos
4 Replies 4
ww
Kind of a big deal
Kind of a big deal
‎Apr 18 2022 8:19 AM
‎Apr 18 2022 8:19 AM

It would work if you make the central mx one armed concentrator.

Or if you add a new one armed concentrator behind the current routed central mx

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 18 2022 1:56 PM
‎Apr 18 2022 1:56 PM

A more horrible option; at the central site deploy a layer 4 proxy (I like using HAProxy).  Add a domain to Active Directory exactly matching the URL you want to redirect and point it at the private IP address of the proxy.  Have the proxy forward the request onto the real URL.

 

You could potentially do it with the windows "port proxy" feature as well (instead of HAProxy).

https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portpr... 

MarkB2
Here to help
‎Apr 19 2022 12:52 PM
‎Apr 19 2022 12:52 PM

This is a problem we've encountered as well, we do split tunnel with everything external routing out locally at the branch, only internal routes via the AutoVPN tunnels. Some vendors implement IP whitelisting which would be a nightmare to manage with the number of branches we have deployed, so we need traffic to those destinations to egress our datacenters.

 

Two options:

 

1 - (Preferred) - If you are running BGP to your hubs and have the route in the upstream router, simply advertise that route to the MX hub. If you don't have the specific route you could leak it our just install a static and redistribute to the MX.

 

2 - (Hack) - Configure the IP or subnet you want to pull back over VPN as a local route on the MX hub. Be sure to block the hub from advertising that to the upstream peer.

 

Caveat - Our hubs are in one armed concentrator mode, not sure if similar fixes would apply to different configurations.

 

I'm under the impression that this is not a problem with other SD-WAN providers... you can build exceptions to route over the VPN in split tunnel in the same manner Meraki allows you to build exceptions to route over the public connection when full tunnel. Hopefully Meraki implements this some day.

In response to MarkB2
CharlieCrackle
A model citizen
‎Apr 26 2022 7:55 AM
‎Apr 26 2022 7:55 AM

Confirmed by Meraki Support not supported   😢

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.