AnyConnect VPN - Migration from ASA to Meraki MX84
Hi All.
I have a customer that purchased an MX84 v14.39 and will be migrating away from an ASA which has AnyConnect.
From my search on the interwebs, Meraki doesn't support AnyConnect.
Is this a fact?
Thank you.
Correct, Meraki doesn't support AnyConnect.
Not at this time, but it is an active feature request and is being developed; however, no timeline to share yet.
Interesting. I'd really like to see this feature.
Fact.
Just throw the ASA behind the MX, forward the ports and do VPN on a stick. That is what I am having to do at 2 of my VPN points and it works fine.
Thanks for the suggestion; however, my customer is renting the ASA and it will be replaced by the Meraki.
I am assuming you will be using Windows computers, within I would say get comfortable using PowerShell to deploy the VPN profile. Windows breaks it all the time.
@SoCalRacer wrote: I am assuming you will be using Windows computers, within I would say get comfortable using PowerShell to deploy the VPN profile. Windows breaks it all the time.
I've got some scripts you can adapt if you'd like, for Win10. Read the comments. Make changes as necessary. Do what you want. 🙂
It's set to change the phonebook so your computer doesn't try to log into remote servers using Meraki cloud credentials. Creates a rasphone desktop shortcut to avoid issues with the pretty Windows 10 "overlay", such as saying "Connecting..." forever.
It can add a registry key that fixes a Windows 10 problem with NAT-Traversal, if you want. You can also use 'em to set up split tunnels.
I'm not promising that they're the best, but they've significantly reduced the number of repeat "my VPN is broken" tickets that need escalating from my tier 1 help desk.
N.B. The big gotcha is that Meraki's built-in client VPN has one group to rule them all. You can't set up multiple groups with custom restricted access like you can with ASAs and AnyConnect.
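The steps described in the post above, sketched as an added PowerShell example; this is not the poster's script. It assumes the MX client VPN is the built-in L2TP/IPsec service with a pre-shared key and PAP, and that the NAT-Traversal fix meant is the `AssumeUDPEncapsulationContextOnSendRule` value; the connection name, hostname and subnet are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. Every value below is a placeholder, not taken from the thread.
$Name    = 'Example MX Client VPN'      # hypothetical connection name
$Server  = 'vpn.example.com'            # placeholder MX hostname
$Subnets = @('192.168.10.0/24')         # placeholder networks reached through the tunnel
$Pbk     = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'

# Prompt for the pre-shared key so it is not stored in the script file.
$Psk = Read-Host -Prompt 'L2TP/IPsec pre-shared key'

# Recreate the all-user profile so a damaged one is replaced, not patched.
if (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -AllUserConnection -Force
}
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod Pap -SplitTunneling `
    -AllUserConnection -Force

# Split tunnel: only these prefixes are routed over the VPN.
foreach ($Prefix in $Subnets) {
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $Prefix -AllUserConnection
}

# Phonebook: stop Windows from offering the VPN logon to other servers.
# Note: this flips the setting for every entry in the all-user phonebook.
(Get-Content -Path $Pbk) -replace '^UseRasCredentials=1$', 'UseRasCredentials=0' |
    Set-Content -Path $Pbk

# NAT-T: assumed to be the key the post refers to. Value 2 lets Windows set up
# L2TP/IPsec when both client and server sit behind NAT; it needs a reboot.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' `
    -Name 'AssumeUDPEncapsulationContextOnSendRule' -PropertyType DWord -Value 2 -Force |
    Out-Null

# Desktop shortcut that dials through rasphone.exe instead of the Settings flyout.
$Shell    = New-Object -ComObject WScript.Shell
$Shortcut = $Shell.CreateShortcut((Join-Path $env:Public "Desktop\$Name.lnk"))
$Shortcut.TargetPath = Join-Path $env:SystemRoot 'System32\rasphone.exe'
$Shortcut.Arguments  = "-d `"$Name`""
$Shortcut.Save()
```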
What did you end up doing? Thanks!
I ask because the ASA uses Firepower to inspect RA-VPN tunnel-all. If one were to rip and replace with Meraki MX advanced sec, the ASA no longer does deep packet inspection on RA-VPN traffic (I want to make sure the MX can inspect the RA-VPN tunnel-all traffic, without keeping Firepower active).
You could use pfSense to provide those Client VPN connections as Cb123 recommended since the ASA is going away. It uses OpenVPN.