VPN Inclusion for specific Destination/Public Subnet

Tencot64
Conversationalist


Hello


We have a WAN setup consisting of circa 10 spoke VPN sites with 2 VPN hubs. All Meraki MX appliances have an SD-WAN license. All sites are set to break out locally to the internet and route via the hub VPNs for their respective internal resources.

We have a specific application with a fixed public IP range. Our goal is to ensure traffic sourced from any local subnet at any spoke site, destined to the specific application (public range), routes via the hub VPNs, breaking out centrally (rather than local breakout at the specific site). This is due to a public IP address source restriction on the specific application.

So effectively the default behavior for internet traffic at each spoke is to break out locally, with the exception of the specific public destination, which should be backhauled for central breakout.

I appreciate we can add each site's local public range to a whitelist for the application; however, some addresses are dynamic.

There appears to be the ability to backhaul all traffic from spokes to hubs and setting exclusions, but not the reverse.

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...)

Thanks


7 Replies
alemabrahao
Kind of a big deal

Look, I've seen people exclude certain traffic so that it doesn't go to the tunnel and not the other way around.

The only way I can think of to do this is to create an entry in your DNS server so that the application's URL responds to an internal IP address within your network. I believe that would be the most practical way.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Mloraditch
Kind of a big deal

The only way I've done this previously was to have a secondary firewall at my core (that is not an MX, or an MX not in the AutoVPN mesh) and then add a static route to the site on my main MX via the secondary firewall and include that in the VPN.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
GreenMan
Meraki Employee All-Star

You need to add the specific public IP addresses / subnets for that service as Local Networks on the Hubs at your central location; the Spokes dependent on that Hub will prefer that more specific route and route traffic over the VPN.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Local_Networks

Tencot64
Conversationalist

Thank you for your response. I'm having difficulty understanding how the solution would function. When a public subnet is added as an interface (local subnet), it can be advertised to the spokes via VPN. However, upon reaching the hub, the destination would be recognised as a directly connected network, preventing the traffic from being routed through the internet or the default route. As previously suggested, achieving this might involve a second firewall and an advertised static route. I'm seeking configuration options that are limited to the existing MX appliance, without requiring modifications to other network services, such as DNS.


GreenMan
Meraki Employee All-Star

I had made the assumption that the Hub was in VPN Concentrator / Passthrough mode. As Philip hinted, and as you've implied in your own reply, this makes quite a difference. I take it your Hub is in Routed mode?

Tencot64
Conversationalist

Hi GreenMan, yes it's in routed mode, sorry I didn't make this clear.

PhilipDAth
Kind of a big deal

Assuming that the hubs are in routed mode, I have solved this a couple of times using different methods.


1. Deploy an HAProxy at the hub. Add the service's domain name to the internal DNS pointing at HAProxy, and then have HAProxy forward that on. This is a cheap, reliable solution.


2. Use Umbrella SIG or SecureConnect. This routes all of your web traffic through Cisco Umbrella. You then have them add the Umbrella proxy ranges as allowed. This solution is quite expensive and complex, but it does give you other security benefits.


Another option is to convert the app to support SAML authentication (aka start on a zero-trust journey), remove the IP address restriction, and use a SAML provider (like Cisco Duo) to limit access to only authorised machines. I have done many of these kinds of deployments. It's just much stronger security-wise.
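Added example (not from this thread or any poster): an HAProxy configuration for option 1, where the hub-side proxy passes the TLS session through unchanged to the application's public IP so the application sees the hub's public source address and the certificate stays end-to-end. The hostname app.example.com and the addresses 10.10.0.5 (HAProxy's LAN address at the hub) and 203.0.113.10 (the application's public IP) are placeholders.

```haproxy
# Added example, not the thread's own configuration. Placeholders:
#   app.example.com  - application hostname; internal DNS points it at 10.10.0.5
#   10.10.0.5        - HAProxy's LAN address at the hub
#   203.0.113.10     - the application's real public IP (documentation range)
global
    log /dev/log local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# Spokes resolve app.example.com to this address via internal DNS and
# reach it over AutoVPN, so the flow enters the hub's LAN here.
frontend app_passthrough
    bind 10.10.0.5:443
    # Wait for the TLS ClientHello so the SNI can be inspected.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Only forward sessions for the expected hostname; drop anything else,
    # so the proxy cannot be used as an open relay from the LAN.
    tcp-request content reject unless { req.ssl_sni -i app.example.com }
    default_backend app_upstream

backend app_upstream
    # Use the literal public IP, not the hostname: the hub's own DNS also
    # resolves app.example.com to 10.10.0.5, which would loop back here.
    # The hub's default route carries this out, so the application sees
    # the hub's static public IP as the source.
    server app 203.0.113.10:443 check
```

The log lines from `option tcplog` record the source spoke address and the backend used, which gives a simple audit trail of who reached the application through the hub.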
