I haven't tested this - but I would expect this to be the case (nat stops working).   You would need to change the device to being in hub mode so its Internet didn't go via SecureConnect.     BUT - could you configure it as a zero trust application and access it using that method? ... View more

I've considered various scenarios of what could be asked here, but each time the answer was "no". ... View more

Does it have some kind of integrated switch module in the chassis linking the two together? For example, if you don't plug in the Ethernet cable to the second blade, can you still talk to the second blade? ... View more

Provider independent address space is address space you get by applying to an address registry (e,g. APNIC for countries in the Asia Pacific region).  That address space then "belongs" to you, not your ISP.   If you get an agreement from both ISPs, you can then route it via those ISPs.   This is something that only large companies do. ... View more

I can't find any documentation on that and it is not something I have tested. This is the closest. https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewall_Processing_Order   ... View more

From network-wide/clients, use the download option:     ... View more

I don't know the answer.   Check this out: https://documentation.meraki.com/SM/Profiles_and_Settings/Variables_in_Custom_Apple_Profiles_with_Systems_Manager   ... View more

I use routed mode 90% of the time.   You would probably would use One armed VPN concentrator mode if: You have an existing firewall. You have an HA Internet setup (using something like BGP failover) You have a layer 3 network core You need OSPF to exchange routes. You would probably use routed/NAT mode if: You can plug the MX into more than one Internet circuit so the MX can provide Internet HA itself. You need to support clients behind the MX accessing the Internet, or you want to be able to apply Meraki group policies to those users. ... View more

I can't see it either. ... View more

I don't think so.  You are going to need to use a lot more tags. ... View more

As long as the trunk ports that connect to other switches and network equipment are configured the same way, this will not cause any issues. ... View more

I posted some of the screenshots of the cloud management system of the prior system here: https://community.meraki.com/t5/Security-SD-WAN/Cisco-AnyConnect-Updates-on-the-Meraki-MX-Security-Appliances/m-p/239194/highlight/true#M53674   ... View more

Without direct support, this is going to be tricky.  Personally, I like using the cloud managed Cisco Secure Client portal (example for APJC https://secure-client.apjc.security.cisco.com/).   You can select a software train, like "Latest", and it automatically keeps the clients up to date.  It also allows you to configure every aspect of the client.   But without a partner involved, it will be hard to get access and get it setup.  The portal itself is included in an AnyConnect subscription (which you probably have).     I tihnk your best patch forward would be to buy a Cisco Secure Client AnyConnect support contract via AT&T in your companies name, so you can get direct support, and directly download the clients yourself. ... View more

This is working as designed, and it is not considered a vulnerability.   1:1 NAT mapping allows any host on any internal VLAN to access the mapped address.   You might be able to restricy this by applying a group policy to the VLAN of the MX, and applyinging firewall rules in the group policy to prevent access. ... View more

Well done everyone.  Always a big effort to make it onto this list. ... View more

Thanks for joining @Rolitto .  The more the merrier. ... View more

>MX can 'monitor' eachother if they are up and still have route to Internet.   They don't monitor each other when active/active.  They are simply two standalone units.  They need to be in seperate Meraki networks, and you need to use some kind of layer 3 device (such as a layer 3 switch) to manage the failover between each other. ... View more

Add the Windows Role "Microsoft NPS Server".  It is a RADIUS server that comes with Windows Server.  Use that for authentication. ... View more

If you have the Cisco Security Client on every machine, you can apply Umbrella policies inside of Umbrella to whatever users and groups you like.   The bonus of this method is it works even when they are out of the office. ... View more

Well done everyone.  What a lot of effort. ... View more

Configured a standard 1:1 NAT.  The secret is this actually works between all interfaces, internal and external.  The uplink isn't really a used field.   https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#1:1_NAT   ... View more

Attacking this using AnyConnect profiles is the wrong way to go.  Instead have everyone else the same profile, but have the MX enforce different sets of firewall rules.   If you are using RADIUS authentication, then use the Filter-Id atttribute to apply a group policy. https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Group_Policies_with_RADIUS_Filter-ID   If you are using SAML authentication (such as Entra ID) then push a SAML attribute. https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-SAML-Group-Policy-assignment/m-p/247512/highlight/true#M55205   Then just create a group policy with layer 3 firewall rules for each group saying that they can access. ... View more

There are multiple ways to do this.   If you are happy to manage this in Umbrella (rather than the Meraki Dashboard) , the way I would do this is to:   * Deploy the Cisco Security Client (with the umbrella module) onto every machine. https://docs.umbrella.com/deployment-umbrella/docs/5-connect-active-directory-to-umbrella * Sync Umbrella with Active Directory. https://docs.umbrella.com/deployment-umbrella/docs/5-connect-active-directory-to-umbrella   ... View more

It does not mean there has been a successful connection to your network. ... View more

This is a "normal" HTTPS scan you are seeing.  It could be an attacker.  It could be a search engine.  It could even be Shodan. https://www.shodan.io/   ... View more