We access a vendor website that is locked down with an IP whitelist. Our workforce is primarily remote (work from home). We want to be able to only have to whitelist one IP address across all our remote users.

We have a vMX in Azure which our employees use to access Azure resources via AnyConnect Client VPN. The vMX is configured in Passthrough / VPN Concentrator mode. I'm using split tunneling and dynamic client routing in the client VPN settings to specify that traffic to this website should go over the VPN. My goal was to have all traffic appear to be coming from the public IP of the vMX so we could whitelist that IP address.

For some reason this is not working. When users try to connect to the vendor website from an IP address that is not whitelisted, the site displays a "Website Restricted" message. When our users are connected to the vMX using AnyConnect, they do not get the "Website Restricted" message, but the page doesn't load. It eventually times out after a long period. So there is a different behavior when connected to the VPN vs. not connected.

We have another vendor who does something similar with their website. This vendor has a non-Meraki site-to-site VPN connection to our vMX. They have whitelisted the public IP of our vMX, and the split tunneling works as expected. The only difference between the two vendors is that we have a site-to-site VPN tunnel with the second vendor, the one for whom the website connection works.

Has anyone else been able to get something like this working? I'd appreciate any ideas or suggestions.
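A first check worth running before touching the vMX is whether the split-tunnel include routes actually cover every address the vendor hostname resolves to: with dynamic client routing, any A or AAAA record that falls outside the pushed routes leaves the tunnel and egresses from the user's home IP instead of the vMX. The script below is an added example, not code from the original post or from Meraki; the route list and the resolved addresses are constructed sample data (TEST-NET and documentation ranges), and `vendor.example` / `cdn.vendor.example` are placeholder hostnames.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample data (assumption, not from the post): the include
# routes the client VPN pushes, and what the vendor names resolved to.
INCLUDE_ROUTES = ["10.20.0.0/16", "203.0.113.0/24"]
RESOLVED: Dict[str, List[str]] = {
    "vendor.example": ["203.0.113.10", "203.0.113.11", "2001:db8::10"],
    "cdn.vendor.example": ["198.51.100.7"],
}


def classify(dest_ip: str, include_routes: Iterable[str]) -> str:
    """Return the most specific include route that covers dest_ip.

    A destination matched by no include route is returned as "direct":
    the client sends it over the local uplink, so the vendor sees the
    user's home IP rather than the concentrator's public IP.
    """
    ip = ipaddress.ip_address(dest_ip)
    best: Optional[ipaddress._BaseNetwork] = None
    for route in include_routes:
        net = ipaddress.ip_network(route, strict=False)
        # `in` is False for a v4/v6 mismatch, so an AAAA record is only
        # tunneled if an IPv6 include route exists.
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else "direct"


def coverage_report(resolved: Dict[str, List[str]],
                    include_routes: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """Map each hostname to {resolved_ip: route-or-'direct'}."""
    routes = list(include_routes)
    return {host: {ip: classify(ip, routes) for ip in ips}
            for host, ips in resolved.items()}


def uncovered(resolved: Dict[str, List[str]],
              include_routes: Iterable[str]) -> List[Tuple[str, str]]:
    """List (hostname, ip) pairs that would bypass the tunnel.

    A hostname with a mix of tunneled and direct answers is the classic
    split-tunnel failure: which path a session takes then depends on
    which record the resolver hands back.
    """
    report = coverage_report(resolved, include_routes)
    return [(host, ip) for host, ips in report.items()
            for ip, route in ips.items() if route == "direct"]


if __name__ == "__main__":
    for host, ips in coverage_report(RESOLVED, INCLUDE_ROUTES).items():
        for ip, route in ips.items():
            print(f"{host:22} {ip:18} -> {route}")
    gaps = uncovered(RESOLVED, INCLUDE_ROUTES)
    print("uncovered:", gaps if gaps else "none")
```

In practice you would replace the constructed `RESOLVED` dictionary with the answers from `nslookup` or `dig` run on a client while it is connected, and compare against the routes shown in the AnyConnect route details. Addresses listed as `direct` can never appear to the vendor as the vMX's public IP, whatever the concentrator does; addresses that are covered but still time out point instead at the return path, which is a separate question from route coverage.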