Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About MFisher
Community Record
15
Posts
6
Kudos
1
Solution
Badges
Aug 4 2022
12:38 PM
4 Kudos
I figured it out, the remote subnets that terminate at the hub were not specified in the "site to site out-bound firewall" rules. Specifying an allow from our AnyConnect subnet to those subnets corrected the issue. I had mistakenly added that same rule under the standard outbound firewall rules.
... View more
Aug 4 2022
11:33 AM
They are not, the split tunnel settings appear to state that it pushes that routing to the client and would "send all client traffic through the VPN except traffic to those subnets" But I would want the traffic to those subnets to traverse the VPN since its the only way to get to those subnets hosted in the Auto-VPN. Correct?
... View more
Aug 3 2022
3:29 PM
We have a small distributed network with 8 or so Auto-VPN peers connecting to our main Hub. On our Main Hub, we recently implemented the "Security & SD-WAN > Client VPN > AnyConnect Settings". We will need connectivity to the peer subnets at the various other sites that terminate using the Auto-VPN to this hub. The subnet used by the AnyConnect client VPN is "enabled" in the VPN settings "Security & SD-WAN > Site to Site VPN". The other Auto-VPN peers are also "enabled" there. I also added an outbound firewall rule to allow the Client AnyConnect VPN subnet source to the destination Auto-VPN peer subnets. I can see there are routes to the Auto-VPN peer subnets in the routing table, as well as the Client AnyConnect VPN. Despite all of this, we do not have connectivity to the Auto-VPN peer subnets while connected to the Client AnyConnect VPN. Any advice would be appreciated, thanks
... View more
Labels:
- Labels:
-
ACLs
-
Auto VPN
-
Client VPN
Oct 26 2021
11:24 AM
Hello, I have a rather odd question about the 1:1 NAT capabilities of the MX's. We currently have a Cisco 5506-X in place for an organization that is utilizing a 1:1 NAT translation for an address that is not present on any of the interfaces. However the ASA is capable of translating to any address that is in the same subnet as the WAN interface's address. Is this possible on the MX's as well? Thank you,
... View more
Jul 13 2021
2:49 PM
That "ip unnumbered FastEthernet0/0" did the trick! Thanks for the help!
... View more
Jul 13 2021
12:29 PM
We need to create a "Non-Meraki VPN Peer" between an MX68 and Cisco 1841 router. The trick is, this router already hosts multiple IPSec tunnels to other Cisco routers using Tunnel interfaces and a single public interface. Is it possible to create a "Non-Meraki VPN Peer" between the MX68 and C1841 while keeping the current tunnels active. All resources show a physical interface on the non-meraki appliance with a public IP that the IPSec/Crypto configurations are applied to. Doing so would break our current tunnels however. Sample router config below. object-group network REMOTE host X.X.X.X host Y.Y.Y.Y ! crypto isakmp policy 5 encr aes 192 authentication pre-share group 14 crypto isakmp key KEY address X.X.X.X crypto isakmp key KEY address Y.Y.Y.Y crypto isakmp aggressive-mode disable ! ! crypto ipsec transform-set VTI esp-aes 192 esp-sha-hmac ! crypto ipsec profile PROF1 set transform-set VTI ! ! interface Tunnel0 ip address 10.255.255.62 255.255.255.252 ip tcp adjust-mss 1380 tunnel source FastEthernet0/0 tunnel mode ipsec ipv4 tunnel destination X.X.X.X tunnel protection ipsec profile PROF1 ! interface Tunnel1 ip address 10.255.252.62 255.255.255.252 ip tcp adjust-mss 1380 tunnel source FastEthernet0/0 tunnel mode ipsec ipv4 tunnel destination Y.Y.Y.Y tunnel protection ipsec profile PROF1 ! interface FastEthernet0/0 ip address Z.Z.Z.Z 255.255.255.248 ip access-group OUTSIDE in no ip redirects no ip unreachables duplex auto speed auto no cdp enable no mop enabled ! ! router eigrp 55555 network 10.255.252.60 0.0.0.3 network 10.255.255.60 0.0.0.3 passive-interface default no passive-interface Tunnel0 no passive-interface Tunnel1 ! ! ip route X.X.X.X 255.255.255.255 Z.Z.Z.Y name TUN0 ip route Y.Y.Y.Y 255.255.255.255 Z.Z.Z.Y name TUN1 ip tacacs source-interface Loopback0 ip access-list extended OUTSIDE permit esp object-group REMOTE host Z.Z.Z.Z permit udp object-group REMOTE host Z.Z.Z.Z eq isakmp permit udp object-group REMOTE host Z.Z.Z.Z eq non500-isakmp deny ip any any
... View more
May 9 2021
11:08 AM
Our Non-Meraki peer in the different organization is up and communicating through our Hub that hosts both Auto-VPN and Non-Meraki peer connections. However, on our Hub in the separate organization, we have an implicit deny configured on its "Site-to-Site VPN outbound firewall" rules. So apparently the "site-to-site outbound firewall" rules do not restrict "Non-Meraki VPN peer" traffic since we never included those remote subnets in the site-to-site outbound firewall rules on our Hub. We only specified the Non-Meraki peer subnets in the "Non-Meraki VPN peer" configuration.
... View more
May 7 2021
12:52 PM
We are setting up a new Non-Meraki VPN Peer to connect 2 different organizations. One end has Auto-VPN peers in addition to this new Non-Meraki peer. Is it required to configure the remote site "Non-Meraki VPN Peer" subnets to the "Site-to-Site Outbound firewall rules" on the hub hosting both Auto-VPN and Non-Meraki peers? Or do I only need to configure the subnets in the "Non-Meraki VPN Peers" configuration above that? Thanks,
... View more
May 20 2020
2:16 PM
I finally received a similar response from Meraki support. Thanks for the quick reply!
... View more
May 20 2020
2:02 PM
1 Kudo
We have an MX68 in production and recently started receiving syslog messages with event ype "security_filtering_file_scanned" stating that a file download was blocked. The associated domains AND file hashes are not listed malicious from other online sources. Below is one of the parsed logs. "dst_ip": "XXXXXXXX", "@version": "1", "@timestamp": "2020-05-20T09:51:26.319Z", "client_mac": "XXXXXXXXXX", "log_type": "security_event", "url": "http://officecdn.microsoft.com.edgesuite.net/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114/Office/Data/v32_16.0.11929.20708.cab", "src_ip": "XXXXXXXX", "host": "XXXXXXXX", "epoch": "1589968286.289412569", "dst_port": "80", "src_port": "50830", "sec_type": "security_filtering_file_scanned", "hostname": "XXXXXXXXX", "enc": "sha256", "disposition": "malicious", "hash": "a14c085acbc26c3c9dce99c8955c95c3d0db2fd5ecc4741b4735b6c50d55cdb7", "action": "block" How does AMP cloud determine the download is malicious? Is it the URL or the file hash? Side note, we don't see any record of these security events in "Security & SD-WAN > Security Center" or "Network Wide > Event Log". We only get the syslog messages saying these file downloads were blocked.
... View more
Jun 7 2019
9:13 AM
The problem with that would be losing configuration of other devices still in that old network that I wanted to keep the same.
... View more
Jun 7 2019
9:10 AM
I understand the config is within the Network, that's my problem. Say I want to return the config for that device within the Network to a default state. How can that be done?
... View more
Jun 7 2019
9:08 AM
1 Kudo
Removing the device from a Network and then adding it back in still keeps the config for the MX.
... View more
Jun 7 2019
8:55 AM
I am working with a MX68 to test a few things before implementation. I need to be able to clear the config of the MX68 almost like a factory reset but remotely. I can only find the "Solution" of moving the device to a new network. However this only keeps the empty base config within that NEW network. Example: Moving the MX from Network 1 to Network 2 applies the base config of Network 2 but when moving the MX back to Network 1 the old config is re-applied. How do I clear the config within a Network for a specific MX or MS device?
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 1165 | Aug 4 2022 12:38 PM |
My Top Kudoed Posts
© 2024 Cisco Systems, Inc.
