Secure Client AnyConnect on an MX64

SOLVED
KieranBessert
Here to help

Secure Client AnyConnect on an MX64

Good morning all, 

 

I'm trying to configure my company's network to allow 'Always On' for the VPN profiles, but clients can't connect to the VPN when inside the network. We are hosting the AnyConnect on our MX64 device. Any thoughts or resources about configuration?

 

EDIT: If not possible, is there a way to push "Always On" when Connected to networks other than the corporate LAN?

1 ACCEPTED SOLUTION

Take a look at this:  https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Client_deployment#Alwa...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

7 REPLIES 7
alemabrahao
Kind of a big deal
Kind of a big deal

I am almost 100% sure that it is not possible to connect to Client VPN with either Anyconnect or L2TP when it is on the same network as the MX.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

That's unfortunate.

 

Edit: Is there a way to enable "Always On" when connecting to a network that is not our corporate LAN?

Take a look at this:  https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Client_deployment#Alwa...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Normally you enable "Trusted Access".  You say when on the outside of the network enable the VPN, and when on the inside of the network disable it.

 

Read "Trusted network detection".

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/gui... 

Thanks! This looks like it will help!

I got it to automatically connect when connected to my phone, but not to auto disconnect when connecting to the corporate network.

KieranBessert_1-1694090911077.png

 

The profile editor keeps giving me this error when trying to list my DC. I did not add port 443, which makes me think that its asking for our VPN server rather than the DC, but we use an MX64 firewall.

KieranBessert_2-1694091143243.png

 

The "Trusted Servers" list are servers inside of your own network (and if it can talk to them - it considers the network "trusted").

 

I wouldn't use this option.  Configure it to check the DNS servers.  If it sees your internal DNS servers, then consider the network trusted.

I configured it to check out only DC, and it seems to not be able to.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels