Meraki

Community

Split tunneling problems with content networking - MX options

MerakiMed
Getting noticed
‎Jul 24 2023 10:15 AM
‎Jul 24 2023 10:15 AM

Split tunneling problems with content networking - MX options

I have found more businesses using content delivery networks sharing IP address space with each other. Let's say business partner ACME is using public ip address 23.5.5.4 and want to see our traffic coming from a specific source address. In the past that's been easy. I add 23.5.5.4 to the local networks defined in VPN settings. The traffic would come back to our data center and take on the source IP that ACME is expecting to see. 

 

But now suppose another company DOPLER is using Akamai to deliver content and the addresses are all over the place in the 23.5.0.0/16 network - at times including the 23.5.5.4 address. In the case of Palo Alto Network firewall terminating global protect, I could use DNS resolution to define the split tunnel over-riding the IP definition. So in this case I could say exclude any *.dopler.com from the split tunnel. But I don't have this option with the Meraki. 

Has anyone else run into this issue over overlapping address space causing problems for your split tunneling? Thank you.

0 Kudos
1 Reply 1
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 24 2023 1:40 PM
‎Jul 24 2023 1:40 PM

If you are using AnyConnect in split tunnel mode, you can specify FQDNs to exclude from the split tunnel.

PhilipDAth_0-1690231046220.png

 

If you are referring to using the Microsoft Client VPN, then you can do this using PowerShell:

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

(check out the code it produces for exclusions for things like Office 365).

 

If you are referring to AutoVPN, then you need an "SD-WAN" Plus licence:

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2... 

 

 

If somewhere else - you'll need to give us more of a hint.  The question is a bit vague.  🙂

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.