In Secure Client VPN what constitutes a trusted network?

DanielBHSNIT
Getting noticed

In my mission to deploy an always on VPN except for our local networks I'm thinking since all of our sites are site-to-site connected then anywhere you go in the agency is a trusted network, no?

In the profile editor I put in our trusted domains, i.e. domain.org and *.domain.org; I also put in the two DNS servers by IP. We also use Azure SSO; I figured out what needed to be excluded for that and it seems to be okay, except that since my office is not at the main VPN hub (I'm at one of the spokes), the client isn't treating this location as a trusted network.

Thoughts? Am I not seeing something that is in plain sight?

alemabrahao
Kind of a big deal

A trusted network is your company's network, an untrusted network is any other network (your home, a shopping mall, etc.)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
DanielBHSNIT
Getting noticed

My question is stated with some sarcasm, because how you define it is also how I define it, but my AnyConnect profile doesn't "trust" my network and is forcing a VPN connection, and I'm trying to figure out why.

DarrenOC
Kind of a big deal

Or, in a world of Zero Trust, implicit trust no longer exists. Your network is already compromised.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
CptnCrnch
Kind of a big deal

It's described quite nicely in the docs:

1. You'll have to define the trusted domain that will be
2. resolved by a trusted DNS server that will resolve
3. a trusted host URL.

Apart from that, it's not really easy to troubleshoot your issue without further knowledge about your environment.

DanielBHSNIT
Getting noticed

Let's say I put in trusted dns domains; i.e. domain.org,*.domain.org

For trusted DNS servers I put in the internal IPs, 192.168.0.19,192.168.1.7 (should I use FQDNs for those?)

We don't have internal servers that have SSL certificates installed. Is this an absolute necessity?

CptnCrnch
Kind of a big deal

Yes: "You must have a secure web server that is accessible with a trusted certificate to be considered trusted."

DanielBHSNIT
Getting noticed

We set up a web server internally and applied our SSL certificate to it. In the VPN Profile Editor we add it as a trusted server and, to my pleasant surprise, it pulls the certificate hash that it is supposed to. I save the profile and move it over to my test machine. Upon reboot, it's still not seeing the network as a trusted network. Granted, our site is site-to-site VPN'd back to the host site that has the trusted web server. Is that not enough?
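As an added illustration (not taken from the thread, from Cisco or from Meraki), this is the shape of the AutomaticVPNPolicy section of a Secure Client / AnyConnect client profile that encodes the three Trusted Network Detection inputs CptnCrnch listed (trusted DNS domains, trusted DNS servers, trusted HTTPS server with certificate hash) together with the always-on settings. The element names follow the AnyConnect client profile XML schema as I know it; the domain, the two DNS server addresses, the host name tnd.domain.org and the hash value are assumed or constructed placeholders, so compare the fragment against what your own Profile Editor writes out rather than pasting it in.

```xml
<!-- Added example: AutomaticVPNPolicy fragment of a Secure Client / AnyConnect profile.
     Element names follow the AnyConnect profile schema as understood by the editor;
     all values are constructed placeholders, not the original poster's real configuration. -->
<AutomaticVPNPolicy>true
  <!-- DNS suffixes the active adapter must carry; comma-separated, wildcards allowed -->
  <TrustedDNSDomains>domain.org,*.domain.org</TrustedDNSDomains>
  <!-- DNS server IPs the active adapter must actually be using (the ones DHCP handed out) -->
  <TrustedDNSServers>192.168.0.19,192.168.1.7</TrustedDNSServers>
  <!-- Internal HTTPS server that must be reachable AND present exactly this certificate -->
  <TrustedHttpsServerList>
    <TrustedHttpsServer>
      <Address>tnd.domain.org</Address>          <!-- assumed host name -->
      <Port>443</Port>
      <!-- Placeholder: the Profile Editor fills this from the certificate it fetches -->
      <CertificateHash>PLACEHOLDER-CERTIFICATE-HASH</CertificateHash>
    </TrustedHttpsServer>
  </TrustedHttpsServerList>
  <!-- What to do once the checks above pass / fail -->
  <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
  <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
  <!-- Always-on: keep the tunnel up off-network; "Closed" blocks traffic if the tunnel fails -->
  <AlwaysOn>true
    <ConnectFailurePolicy>Closed</ConnectFailurePolicy>
    <AllowCaptivePortalRemediation>true</AllowCaptivePortalRemediation>
  </AlwaysOn>
</AutomaticVPNPolicy>
```

When a spoke site is still classified as untrusted, each input is worth checking separately from that site: the DNS suffix and DNS server IPs the client's adapter really received (for example from `ipconfig /all` on Windows) must match TrustedDNSDomains and TrustedDNSServers, since a spoke whose DHCP hands out a local forwarder rather than the listed servers fails the server check; the trusted HTTPS host must be resolvable and reachable on the listed port across the site-to-site tunnel, not only from the hub; and the certificate actually served on that port must be the one whose hash is in the profile and must chain to a CA the endpoint trusts, or the HTTPS check fails and the network stays untrusted.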
