About CptnCrnch

CptnCrnch

Interesting question! I pretty sure that DHCP logs will contain the information your NAC appliance (ISE?) will need to do its job. They simply don't contain fields like Client-Identifier etc.

CptnCrnch

Best practice would be something like a "Datacenter Switch" that your server(s) are connected to. As you normally have more than one server in place something like the MX would pose a serious limitation due to its limited number of ethernet ports. Some customers on the other hand have a (very) low number of DMZ servers directly connected to the MX, but even this is a rather special case.

CptnCrnch

Perhaps somebody in the Meraki Go Community can help out

CptnCrnch

This is not a Meraki native issue, we're seeing this with a lot of customers and their log sources. As @KarstenI mentioned, there are several options from syslog-ng up to expensive commercial offering that are used to "pre-filter" logs going to the SIEM.

CptnCrnch

So DNAT is done on the Palo side for incoming traffic on TCP/444? By default, MX is listening for AnyConnect connections on TCP/443. Can you check which port is used on the MX (Server settings -> AnyConnect Port)?

CptnCrnch

Sorry, could have thought about this, so SSL-VPN is perfectly OK in this case.

CptnCrnch

This is about AnyConnect, not the old L2TP over IPSec-Client, so there shouldn't be any issues. Which protocol are you using? IKEv2 or SSL-VPN?

CptnCrnch

Special congrats to @DarrenOC for achieving first place. Definitely something that doesn‘t happen each month. 😉 Great job everybody else too!

CptnCrnch

I don't think so unfortunately. 3rd Party VPN is kinda limited, I'm trying to avoid it as much as I can.

CptnCrnch · ‎08-22-2023

Six years already? Wow, just realize what you have achieved @MeredithW and @AmyReyes! Big fat congrats to you and all of us too. This is what has become the most friendly, helpful space that I'm aware (and proud) of! Woohoo! 🎉

CptnCrnch · ‎08-16-2023

Same here. Great job!

CptnCrnch · ‎08-15-2023

Congrats everybody. Gotta love these announcements to remind everyone what a great bunch of people are connected in here!

CptnCrnch · ‎07-19-2023

It looks like that thing has an Ethernet port, so yes, this should be working flawlessly. As I'm pretty sure that Telekom will use CGNAT in the backend, you could get into issues if you're trying to do VPN (especially Remote Access) on the MX95 though.

CptnCrnch · ‎07-18-2023

Congrats all! Keep up the great community work! 👍

CptnCrnch · ‎07-18-2023

Good catch, thanks for sharing!

CptnCrnch · ‎07-13-2023

Try using http://mx.meraki.com with the device serial (upper case letters and dashes) as username without any password.

CptnCrnch · ‎07-08-2023

It is getting more and more interesting! Such a great contest…but hey, it‘s the best IT related from here for a reason! 👍🏼

CptnCrnch · ‎07-07-2023

Correct, but that's the most common use case: 😉 Most DNS [RFC1034] transactions take place over UDP [RFC768]. TCP [RFC793] is always used for full zone transfers (using AXFR) and is often used for messages whose sizes exceed the DNS protocol's original 512-byte limit. https://www.rfc-editor.org/rfc/rfc7766

CptnCrnch · ‎07-07-2023

https://support.umbrella.com/hc/en-us/articles/230904088-Preventing-circumvention-of-Cisco-Umbrella-with-firewall-rules That's basically all that's needed: 1. Allow both Anycast IPs und port 53 (UDP is enough, there's no need for your users to do Zone transfers) 2. Deny everything else to port 53 either UDP swell as TCP 3. In addition block port 853 TCP 4. Block the categories "Proxy / Anomymizer" and "DoH / DoT" within Umbrella.

CptnCrnch · ‎07-07-2023

I really love this Member of the month-thing. It always reminds me how great this place is - thanks to its members. So keep it up folks! And of course: congrats to all of these special people mentioned above!

CptnCrnch · ‎07-02-2023

Good luck and kudos to everyone!

CptnCrnch · ‎06-30-2023

That's what's called an open question, right? 😉 Yes, of course. Both of them speak TCP/IP. What exactly are you referring to? Site-to-Site VPN perhaps?

CptnCrnch · ‎06-30-2023

No, EVE has nothing to do with Umbrella. It's something like Encrypted Traffic Analytics (enriched Netflow data from switches going to Secure Network Analytics) for the Firewall line. Highly interesting topic! I'd love to see this on the MX line but wouldn't hold my breath until we get it. 😉

CptnCrnch · ‎06-29-2023

If it's not needed anymore, I'd also recommend to completely delete the Vlan. I don't see an advantage in switching back to "Single Vlan"-mode though. Especially when dealing with boxes as big as the MX450, chances are high that there will be a requirement for more than one Vlan sooner or later. P.S.: There will be no outages for either of the options (at least from the outside point of view).

CptnCrnch · ‎06-28-2023

Exactly what @thomasthomsen said: if you've got 150 users sitting behind a MX64 doing nothing, everything is perfectly fine. If each and everybody is downloading dozens of Linux ISO images (e.g.) at the same time, things will start to get interesting...

CptnCrnch

Chris

Community Record

Badges