Special Routing Over AnyConnect VPN
We have a vendor we work with that needs to see our whitelisted IP when we connect to their network. We just moved over to Meraki from an ASA that had this ability. It was configured by our ISP. We want traffic destined for a specific public IP to show as coming from our VPN IP. Is this possible on the Meraki? If so, where would that be set up?
By default, an MX will do NAT and hide everything within your internal network (and Remote Access VPN) behind its official IP address on the outside interface.
So, in a nutshell, it could be working right out of the box. Don't know anything about your infrastructure though.
As it's set up now, and we went live on Friday night, while in the office it shows the IP address we need. While remote on VPN it shows the remote public IP. Can it show a specific IP while remote over VPN to a specific public IP? So, only traffic looking to get to the public IP of a vendor we use will show a public IP as if in the office over VPN. Hope that makes sense. We have a Meraki MX68.
If you do full tunneling on your client or AnyConnect VPN it should work. If you do split tunneling this scenario is not supported by Meraki directly. It will only work if you have another firewall to route this traffic out of, and thus could include the relevant static route in the client VPN.
That's what I was afraid of. Full tunneling would mean all users on VPN always use everything on the VPN network instead of taking advantage of their own network, correct?
Correct
What about adding a second connection profile for AnyConnect like we had on the ASA and making that a full-tunnel VPN? Is that even possible?
Based on the documentation and the GUI, I don't believe that's possible. You could do that with the old-school client VPN, as split tunneling is a client-side configuration there.
Thanks for all your replies.
Then let me ask you this... What would you do in this scenario without over-complicating the new setup?
- You moved to a new internet circuit with a Meraki MX68
- Using AnyConnect VPN split tunneling (w/ RADIUS/AD authentication) for 70 remote workers
- You have 2 developers that need to show a specific public IP to connect to a 3rd-party server
Would you even entertain the idea of going with a full tunnel for all?
I'd have the developers use the old client VPN. As far as I'm aware you can run both simultaneously, and with your authentication setup (RADIUS) you would still have the same level of login security.
Ok, thanks, we might just do that. I guess that would be the easiest. There will have to be some major cleanup on the ASA so it's not conflicting with the Meraki. We actually didn't change the AnyConnect client. It worked with the Meraki. Would've been a lot more work.
Just wanted to add the end solution to this in case anyone runs into the same problem. It was resolved by adding the remote host IP in the split-tunneling configuration as one of the interesting-traffic entries allowed through the VPN tunnel.
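The routing behaviour the thread describes (the earlier reply on full tunnel vs. split tunnel, and the final fix of adding the vendor's host IP to the split-tunnel include list) comes down to a longest-prefix match over the client's include routes: a destination that matches an include route enters the tunnel and is NATed by the MX to its WAN address; anything else leaves the home ISP and is seen with the home public IP. The Python below is an added example written for this page, not code from the thread or from Meraki. All addresses are constructed RFC 5737 documentation addresses, and the three include lists are hypothetical; the only assumption is the NAT behaviour stated in the replies above.

```python
"""Model of split-tunnel egress selection for a remote-access VPN client.

Added example; the include lists and addresses below are constructed,
not taken from any real configuration.
"""
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample addresses from the RFC 5737 documentation ranges.
OFFICE_PUBLIC_IP = "203.0.113.10"   # MX WAN address the vendor has allow-listed
HOME_PUBLIC_IP = "198.51.100.77"    # remote worker's ISP address
VENDOR_HOST = "192.0.2.25"          # third-party server that checks the source IP

# Hypothetical include lists ("interesting traffic" sent through the tunnel).
SPLIT_BEFORE = ["10.0.0.0/8", "172.16.0.0/12"]       # corporate RFC 1918 space only
SPLIT_AFTER = SPLIT_BEFORE + [VENDOR_HOST + "/32"]   # plus the vendor host, as in the fix
FULL_TUNNEL = ["0.0.0.0/0"]                          # everything goes over the VPN


def tunnel_routes(include: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse include routes; strict=False tolerates host bits set in a prefix."""
    return [ipaddress.ip_network(r, strict=False) for r in include]


def via_tunnel(dst: str, routes: List[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Return the most specific include route covering dst, or None if traffic goes direct."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in routes if addr in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def source_seen_by(dst: str, include: Iterable[str]) -> str:
    """Public source IP the destination observes for this client.

    Tunnelled traffic is SNATed by the MX to its WAN address; direct traffic
    keeps the home ISP address (the behaviour described in the thread).
    """
    return OFFICE_PUBLIC_IP if via_tunnel(dst, tunnel_routes(include)) else HOME_PUBLIC_IP


def compare(dst: str) -> dict:
    """Source IP the destination sees under each of the three include lists."""
    return {
        "split_before": source_seen_by(dst, SPLIT_BEFORE),
        "split_after": source_seen_by(dst, SPLIT_AFTER),
        "full_tunnel": source_seen_by(dst, FULL_TUNNEL),
    }


if __name__ == "__main__":
    for dst in (VENDOR_HOST, "10.1.2.3", "192.0.2.200"):
        print(dst, compare(dst))
```

Run as a script it shows that only the vendor host changes from the home IP to the office IP after the /32 is added, while an unrelated public address (here 192.0.2.200, same /24 as the vendor but not in the include list) still goes direct; under 0.0.0.0/0 every destination is seen with the office IP, which is the cost of the full-tunnel option discussed above. On a real client the equivalent check is to look at the routing table after connecting and confirm a more specific route for the vendor address points at the VPN adapter.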
Was just about to suggest doing this exact solution; that's how we have gotten around it.
