The Meraki Community

Craig_Tompkins

Member since Jun 5, 2020
Latest Contributions by Craig_Tompkins
Re: Restrict MX VPN access to only Domain Computers using AnyConnect and Wi...

by Craig_Tompkins in Security / SD-WAN
02-10-2023 10:27 AM
Thank you.

Re: Restrict MX VPN access to only Domain Computers using AnyConnect and Wi...

by Craig_Tompkins in Security / SD-WAN
02-10-2023 09:06 AM
I know this is really old, but this is the closest post I've been able to find to what I'm looking for. @JohnT you mentioned that this was possible with Cisco ASA and AnyConnect. Can you point me to some documentation? I can't find any. I too would like to pass the computer ID so in NPS I can require machine group to equal "Domain Computers". I'll actually be using this via Firepower, but ASA to Firepower seems to have all the same features, maybe just in different menus.

Re: Intermittent NAT type unfriendly

by Craig_Tompkins in Security / SD-WAN
08-08-2022 11:55 AM
As a followup - we did the port forwarding of port 55555 on the cable modem and then assigned that on the Manual NAT Translation on the Meraki and it's working. Of note, Comcast would not let us sign up for a static IP, so we do understand that should the public IP of the cable modem change, this location will go down and we'll have to update the Manual settings.

Re: Intermittent NAT type unfriendly

by Craig_Tompkins in Security / SD-WAN
08-02-2022 06:42 AM
I found my answer in the documentation and will give this a try. Putting that info here to help future Google searches and I'll update our results when we have them.

Manual: Port forwarding: If the Automatic option does not work, you can use this option. When Manual: Port forwarding is enabled, Meraki VPN peers contact the MX-Z device using the specified public IP address and UDP port number. You will need to configure the upstream firewall to forward all incoming traffic on that UDP port to the IP address of the MX-Z device. Make sure the port number you have chosen is not already used by another service. For example, do not use port 500 or 4500 as these are used for Client VPN and 3rd party VPN peer communication.

Re: Intermittent NAT type unfriendly

by Craig_Tompkins in Security / SD-WAN
08-02-2022 06:02 AM
Thanks for the info. Do we have to set up port forwarding on the cable modem? I notice if I change the radio button to Manual it asks for a port. How do we determine that? Or is it exactly that - I do port forwarding on the cable modem of a port that I pick, then tell the Meraki what that port is?

Assuming that's it, I assume I would not have to do a static IP, but SHOULD do a static IP because if the user's home IP ever changed it would break. And to be clear I would try to do so, but don't know how fast Comcast will be in doing so.

Intermittent NAT type unfriendly

by Craig_Tompkins in Security / SD-WAN
08-02-2022 05:33 AM
We have 40 networks each using site to site VPN. Of those 40, 2 are hubs (primary and DR datacenters). Because of some BGP complexity we have the other 38 sites doing site to site VPN to just 1 hub. If we ever fail over to DR, I'll have to change the hub in use on the 38 spoke networks.

I have 1 network using a Z3 that is behind a Comcast cable modem at the President's house. It works fine most of the time. Then all of a sudden we'll get an alert that VPN is down and the status page says it's behind NAT Type Unfriendly. The fix is to either reboot the Z3 multiple times or, if that does not fix it, we have to call Meraki and ask them to change the registry. Changing the registry always fixes the issue... once we can convince the tech to do so by showing them 3 - 5 past cases where this has fixed the problem.

If I add the DR site as a 2nd hub, it comes online. Because of the BGP routing mentioned above I don't keep the 2nd hub online, I just brought it online as a test.

Does anyone have any suggestions? It's getting very tiresome having to call Meraki twice a month to get the registry changed.

Labels: Auto VPN

Re: 802.1x and NPC

by Craig_Tompkins in Switching
09-28-2021 05:38 AM
I am working on setting up certificate authentication for devices that are domain joined, but I can't find a guide on how to set up certificate authentication for something that is not domain joined. For example, I have a cert created from my AD CA that I install on our zero and thin clients. This cert has certain values of course. In ISE I have a rule that if an 802.1x supplicant presents this cert to allow access. I can't seem to find a way to add this cert to NPS and then create the allow rule for it. Is this possible? We are of course trying to keep the MAB list as small as possible - only for devices that can't present an 802.1x cert as a supplicant.

Re: 802.1x and NPC

by Craig_Tompkins in Switching
09-27-2021 01:21 PM
Thanks Philip. You mention wired 802.1x, but not wireless off the MR. I'm pretty sure it can do both, right?

As for MAB I'm ok with this setting. I don't see it as any different than creating a MAB list in ISE except that it's stored in AD instead of ISE. And actually that makes it easier as the helpdesk could create the user account in AD, but we don't give them access to ISE so I have to handle the MAB list myself.

802.1x and NPC

by Craig_Tompkins in Switching
09-27-2021 11:57 AM
We currently have both MS and MR devices doing 802.1x authentication using Cisco ISE as our RADIUS server. We authenticate domain joined devices with a domain controller CA cert (ie AD computer cert); on devices that aren't domain joined such as printers we install an 802.1x cert that we created (same cert on multiple devices); Cisco phones use the MIC, or LSC if the MIC has expired; and for devices that don't support 802.1x we do MAC Address Bypass (MAB).

We have a simple setup. If you pass 802.1x you get put in the data/voice vlan. If you fail, the port is blocked. No guest vlan, no BYOD. We have under 500 endpoints.

My problem is that I HATE ISE. I think for what we do it is overly complicated and overly expensive. So I'm thinking about switching to Microsoft's Network Policy Server. Can anyone relate pros vs cons on this change? How is troubleshooting failures done?

I've read over the Meraki docs for configuring NPS and while I have not clicked any buttons to follow along it seems to make sense. Has anyone followed a 3rd party configuration guide that might be even easier to follow?

Thanks in advance for any and all input.

Re: Fail Open in Dot1x authentication with Cisco ISE

by Craig_Tompkins in Switching
06-18-2021 04:26 AM
I hate to say this, but I put this in as a "wish" about 4 years ago. I still want this option and that's what it should be - an option. In the 802.1x policy there should be a drop down or radio buttons or something that lets the network admin pick what they want to happen if the ISE server is offline.

Re: Load balancing circuits of different speeds

by Craig_Tompkins in Security / SD-WAN
11-06-2020 05:14 AM
Thanks, I've already done that but we plan on taking this location live tomorrow (move from MPLS) so I'm trying to make sure I set it up as best I can rather than troubleshoot later.

Load balancing circuits of different speeds

by Craig_Tompkins in Security / SD-WAN
11-06-2020 04:28 AM
I've read this doc https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferences and see "In the example below, WAN 1 is configured to pass 50Mb/s, and WAN 2 is configured to pass 10Mb/s. Since the download speed ratio is 5/1, for every five flows sent over WAN 1, a single flow will be sent over WAN 2:"

That makes sense to me, but what about if the 2 circuits don't have the same upload as download and the one with the faster download has the slower upload? For example:

WAN1 150down/150up (DIA circuit)
WAN2 500down/35up (Cable modem)

Is WAN2 still going to be used 3.33x more than WAN1? Does the MX take into account the direction of traffic or does it just look at the download speed of each circuit? If so, should I "misconfigure" WAN2 and list it as 35down/35up?
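The flow ratio quoted from the Meraki document above, worked through as an added example. This is editor-supplied code, not Meraki's implementation and not from the original poster; it assumes, as the quoted text states, that the split is driven only by the configured download bandwidths, and it uses smooth weighted round-robin as a stand-in for whatever per-flow selection the MX actually performs. It reproduces the 50/10 example (5 flows to 1), then applies the same rule to the poster's 150/500 circuits and to the proposed 150/35 workaround so the two configurations can be compared.

```python
from math import gcd
from typing import List


def reduced_weights(down_mbps: List[int]) -> List[int]:
    """Reduce configured download speeds to their smallest integer ratio.

    50/10 -> 5:1, 150/500 -> 3:10, 150/35 -> 30:7.
    """
    g = 0
    for speed in down_mbps:
        g = gcd(g, speed)
    return [speed // g for speed in down_mbps]


def share(down_mbps: List[int]) -> List[float]:
    """Long-run fraction of new flows each WAN receives (download-weighted)."""
    total = sum(down_mbps)
    return [speed / total for speed in down_mbps]


def flow_split(down_mbps: List[int], n_flows: int) -> List[int]:
    """Assign n_flows new flows across WAN links using smooth weighted
    round-robin (assumed stand-in for the MX's per-flow choice).

    Over any window of sum(weights) flows each link receives exactly its
    weight, so the ratio in the Meraki doc comes out exactly.
    Returns the number of flows placed on each WAN, in order.
    """
    weights = reduced_weights(down_mbps)
    total = sum(weights)
    current = [0] * len(weights)
    counts = [0] * len(weights)
    for _ in range(n_flows):
        for i, w in enumerate(weights):
            current[i] += w
        pick = max(range(len(weights)), key=lambda i: current[i])
        current[pick] -= total
        counts[pick] += 1
    return counts


if __name__ == "__main__":
    # Constructed scenarios: the doc's 50/10 example, then the poster's circuits.
    scenarios = {
        "doc example 50/10": [50, 10],
        "WAN1 150 down, WAN2 500 down (as provisioned)": [150, 500],
        "WAN1 150 down, WAN2 entered as 35 (workaround)": [150, 35],
    }
    for label, speeds in scenarios.items():
        n = sum(reduced_weights(speeds))  # one full round-robin period
        print(f"{label}: {flow_split(speeds, n)} of {n} flows, "
              f"shares {[round(s, 3) for s in share(speeds)]}")
```

With the download-only rule, the 500 Mb/s cable link takes about 77% of new flows even though its 35 Mb/s upload is the narrowest pipe; entering WAN2 as 35 down flips that so roughly 81% of flows land on the symmetric DIA circuit. Whether the MX actually ignores upload speed is the poster's open question and is not settled by this example.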

Re: Site to Site VPN behind Charter Spectrum

by Craig_Tompkins in Security / SD-WAN
06-09-2020 03:56 AM
The user is reaching out to Charter to request a modem change as she currently has an Arris modem. We'll see if they are willing to swap it and if so, if that fixes the issue. Thanks for all the suggestions.

Re: Site to Site VPN behind Charter Spectrum

by Craig_Tompkins in Security / SD-WAN
06-05-2020 10:08 AM
That's a great idea, except the user only has a zero client that connects to VMware Horizon and no personal computer we could use temporarily.

Re: Site to Site VPN behind Charter Spectrum

by Craig_Tompkins in Security / SD-WAN
06-05-2020 09:40 AM
Charter Spectrum is a large cable company in the US. The Z3 does plug into the ISP router; the ISP router provides a private IP in the 192.168.20.0/24 range that it of course NATs. I'm not sure if there is an upgrade available or not. This user is about an 8-hour drive from me so I'm working on scheduling some time to visit when I have a couple of locations to visit in the same trip. Probably 2 weeks.

I hope someone might have experienced this before and have a possible fix for me before that time. I just have a feeling that when I get on site and call Charter the person I talk to is not going to have a clue what I'm talking about and will either tell me it's an issue with my equipment and stop there (since we can browse the Internet) or, if they do escalate, it will be a week before they call back.

Site to Site VPN behind Charter Spectrum

by Craig_Tompkins in Security / SD-WAN
06-05-2020 07:54 AM
We have a user that has Charter Spectrum at her home. Currently she has a Cisco 5505 ASA using DHCP on the WAN connection and it's connecting to our corporate ASA without issue. As we are retiring our 5505s and moving to Meraki we have issued her a Z3 that was tested using DHCP on the WAN before being shipped to her. When she removes the Ethernet cable from the ASA and plugs it into the Z3, the Z3 comes online. However the site to site VPN does not get established. The VPN registry shows connected. NAT Type is Friendly. And it's encrypted.

The HUB it's trying to connect to has 33 other networks that are all up on the site to site without issue.

Packet capture from both the hub and the spoke shows outgoing traffic but no incoming traffic. This tells me there must be a firewall or something between them that is blocking this traffic. Since my hub has so many other connections, and a packet capture on my edge firewall (same device her 5505 connects to) shows the hub Meraki sending the traffic out but no traffic from the spoke (same as the hub packet capture), my guess is that it's the Charter modem/router at her house or something at Charter.

We have reset the Z3 to factory defaults. It checked in and downloaded the config, but we still have the same results.

Has anyone had a similar issue with Charter or any ISP for that matter? This is the only location we have with Charter. Other networks have AT&T, Comcast, CenturyLink and others.