Meraki

Community

AnyConnect VPN - Migration from ASA to Meraki MX84

CCIE19763
Conversationalist
‎Aug 20 2019 6:44 PM
‎Aug 20 2019 6:44 PM

AnyConnect VPN - Migration from ASA to Meraki MX84

Hi All. 

 

I have a customer that purchased an MX84 v14.39 and will be migrating away from an ASA which has AnyConnect.

 

From my search on the interwebs; Meraki doesnt support AnyConnect.

 

Is this a fact?

 

 

Thank you.

10 Replies 10
SoCalRacer
Kind of a big deal
‎Aug 20 2019 6:51 PM
‎Aug 20 2019 6:51 PM

Correct, Meraki doesn't support AnyConnect.

In response to SoCalRacer
MerakiDave
Meraki Employee
Meraki Employee
‎Aug 20 2019 8:31 PM
‎Aug 20 2019 8:31 PM

Not at this time but it is an active feature request and is being developed, however no timeline to share yet.

 

In response to MerakiDave
svennerski
Here to help
‎Aug 21 2019 11:44 AM
‎Aug 21 2019 11:44 AM

Interesting. I'd really like to see this feature.

0 Kudos
cb123
Conversationalist
‎Aug 21 2019 6:36 AM
‎Aug 21 2019 6:36 AM

Fact.

 

Just throw the ASA behind the MX, forward the ports and do VPN on a stick.  That is what I am having to do at 2 of my VPN points and it works fine.

0 Kudos
In response to cb123
CCIE19763
Conversationalist
‎Aug 21 2019 6:39 AM
‎Aug 21 2019 6:39 AM

Thanks for the suggestion however, my customer is renting the ASA and will be replaced by the Meraki.

0 Kudos
In response to CCIE19763
SoCalRacer
Kind of a big deal
‎Aug 21 2019 7:25 AM
‎Aug 21 2019 7:25 AM

I am assuming you will be using Windows computers, within I would say get comfortable using powershell to deploy the vpn profile. Windows breaks it all the time.

0 Kudos
In response to SoCalRacer
Nash
Kind of a big deal
‎Aug 21 2019 7:40 AM
‎Aug 21 2019 7:40 AM

@SoCalRacer wrote:

I am assuming you will be using Windows computers, within I would say get comfortable using powershell to deploy the vpn profile. Windows breaks it all the time.

I've got some scripts you can adapt if you'd like, for Win10. Read the comments. Make changes as necessary. Do what you want. 🙂 

 

It's set to change the phonebook so your computer doesn't try to log into remote servers using Meraki cloud credentials. Creates a rasphone desktop shortcut to avoid issues with the pretty Windows 10 "overlay", such as saying "Connecting..." forever. 

 

It can add a registry key that fixes a Windows 10 problem with NAT-Traversal, if you want. You can also use em to setup split tunnels.

 

I'm not promising that they're the best, but they've significantly reduced the number of repeat "my VPN is broken" tickets that need escalating from my tier 1 help desk.

 

N.B. The big gotcha is that Meraki's built-in client VPN has one group to rule them all. You can't setup multiple groups with custom restricted access like you can with ASAs and AnyConnect.

Windows 10 Client VPN scripts: Makes life better!
In response to cb123
DSCP_jpk
Here to help
‎Mar 16 2020 7:27 AM
‎Mar 16 2020 7:27 AM

What did you end up doing? Thanks!

0 Kudos
In response to cb123
DSCP_jpk
Here to help
‎Mar 16 2020 7:30 AM
‎Mar 16 2020 7:30 AM

Does this config allow the MX to inspect the RA-VPN internet-bound traffic? Seems like encryption would terminate on the ASA, but is the MX the gateway for RA-VPN internet bound traffic? Or alternatively do you 1:1 NAT the ASA on the MX?



I ask because the ASA uses firepower to inspect RA-VPN tunnel-all. If one were to rip and replace with Meraki MX advanced sec, the ASA no longer does deep packet inspection on RA-VPN traffic (I want to make sure the MX can inspect the RA-VPN tunnell-all traffic, without keeping Firepower active).
0 Kudos
SteveHemi
Comes here often
‎Aug 21 2019 7:38 AM
‎Aug 21 2019 7:38 AM

You could use pfSense to provide those Client VPN connections as Cb123 recommended since the ASA is going away. It uses OpenVPN.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.