Cisco Meraki Ssl Vpn

Correct, at this time there is no SSL VPN for the Meraki firewalls. It is my understanding that AnyConnect is being developed for the Meraki platform, but there are no public timelines for that I am aware of. It will be very awesome to have AnyConnect with Meraki when (and if) it happens. Thanks for the confirmation. SSL VPN technology not only can help boost workforce productivity but can also reduce costs for VPN client software and support: most users don't need to install client software. SSL VPN uses the SSL protocol and its successor, Transport Layer Security (TLS), to provide a secure connection between remote users and internal network resources. This short demo covers how to use the Meraki MX for Client VPN (remote access) and secure the authentication by using Cisco DUO for 2FA.

Cisco Meraki MX Security Appliances can be configured to block web traffic using Content Filtering. Content Filtering uses URL patterns, pre-defined categorizations and other specifications for determining what types of traffic are let through the firewall. It can be set, for example, to block all websites that are known to be categorized as 'Games' or 'Social Networking.' The MX will return a page that displays a message letting the user know their page is being blocked by their administrator so they understand why they cannot reach a blocked site.

This article covers troubleshooting steps for resolving issues that are commonly experienced when using Content Filtering. For instructions on configuring Content Filtering based on Active Directory LDAP groups, please refer to this article.

Configuring Content Filtering

Content Filtering can be used to filter content passing through your security appliance based on content known to exist on specified web pages. Content Filtering is best used for setting catch-all blocks for certain categories of traffic, or for blocking certain URL patterns.


Content Filtering settings can be found in the Dashboard by navigating to Security & SD-WAN > Configure > Content filtering.

Instructions on setting up Content Filtering, including details about what each section of the page does (and how to block all web traffic other than whitelisted pages), can be found in this article.

The content filtering feature is available only with an Advanced Security Edition License.

Troubleshooting Content Filtering

The following sections outline troubleshooting steps for a variety of common issues experienced when using Content Filtering.

Category Filtering

Category Filtering provides a pre-made, regularly-updated list of categories that can be selected to block traffic to sites with content matching that category.

How are categories and/or reputation determined?

Category Filtering provides a list of categories that can be selected to block all web traffic destined to a URL/IP that matches these categories on a hosted list. The list of website categories is hosted by BrightCloud. BrightCloud determines the categorization and reputation of all URLs/IPs that pass through Meraki Category Filtering. Meraki does not determine the reputation of domains directly, and requests for reclassification can be made through BrightCloud's reclassification request tool on their website.

The Meraki Dashboard has a URL category lookup tool on the Content Filtering page, below the Blocked website categories box, which can be used to check the category of a website before you decide to block that category. It is highly recommended to check for important URLs before enabling content filtering to ensure something is not accidentally blocked when it should be allowed.

NOTE: Due to some limitations, any URL looked up through the Dashboard tool that contains an embedded URL (e.g. www.example.com?url=www.dashboard.meraki.com) will return results for the value that follows the 'url=' parameter, not for the main URL itself.

This may result in some variations between what the tool reports for such URLs, and what the MX will actually classify them as.

Upstream Firewall Rules for Content Filtering Categories

In instances where another firewall is positioned upstream from the MX, the following FQDN destinations need to be allowed in order for categorization information traffic to pass successfully to the MX, so it can use the proper category classifications. Keep in mind that the IP addresses these domains resolve to will be different regionally, so ensure you are allowing the correct, current IPs if using IP-based rules instead of FQDN rules on your upstream firewall.

Domain Names to Whitelist on Upstream Firewall

  • meraki.brightcloud.com (resolves a CNAME to service.brightcloud.com)
  • service2.brightcloud.com

How can one unblock a site that is being blocked?

If a site is being blocked because it matches a certain category you've blocked, but you do not want to disable that category, you can whitelist the URL pattern. This is the easiest way to whitelist a particular site that may be blocked by a content category. URL whitelisting can be found on the Content Filtering page. Examples of pattern matching and its hierarchy can be found in this article.

If you have a website that you believe is being miscategorized by your security appliance's firewall, you can submit a URL categorization change request here. If you have a website that is marked as malicious when it should not be, you can submit a URL reputation change request and/or an IP reputation change request.

Additionally, you can remove the Content Filtering category, or leave it out of the list until BrightCloud is able to process a reputation change.

Why is a site being blocked when it should not be?

Sometimes, sites will be blocked even though their URL category is not blocked. Usually this happens when the IP has a bad reputation but the URL reputation is good. This happens commonly with very large domains like Google that own many IP addresses and sometimes purchase new IP addresses that have not yet been recategorized to take their new owner into consideration. In situations like this, these IPs sometimes have a category of 'Phishing and Other Frauds,' or various other categories that may actually be blocked.

This issue can be permanently resolved by upgrading your MX Firmware to the latest stable firmware version. In the latest firmware revision, URL reputation is prioritized over IP reputation, as opposed to IP reputation being the deciding factor on previous firmware versions. Firmware can be upgraded by navigating to Organization > Monitor > Firmware upgrades.

If you are on the latest stable firmware version and are still experiencing issues with sites being blocked that should not be, there are a few other factors that could contribute:

  • Group Policies: Often, a client will have a group policy applied to it that will override the default category whitelist. Group policy rules always take priority over default network rules.
  • Blocked URL Patterns: Blocked URL patterns could match with the site you are attempting to reach. Make sure the site is not blocked here.
  • AMP: Sometimes, downloads on a site will be blocked. This can be caused by AMP (threat protection). Make sure the site is on the whitelist on your Threat Protection page.
  • Upstream Firewall: Try finding the client you are using by navigating to Network-wide > Monitor > Clients, opening their client page, and setting their 'Policy' (lower-left corner) to 'Whitelisted.' If this is done and the client is still blocked, then the MX's firewall is probably not contributing to the block, and an upstream router/firewall could be contributing to this issue. This could also be verified by connecting directly to the upstream modem/router and seeing if the issue persists.

Why is a site NOT being blocked when it should be?

There are several factors that can contribute to a website not being blocked when it should be. Consider the following factors:

  • When Content Filtering rules are configured/changed, it can take a while for them to fully take effect. This goes for both blocking and unblocking content. This process can sometimes take up to 10 minutes.
  • Make sure that the client you are configuring is not whitelisted. Try finding the client you are testing with by navigating to Network-wide > Monitor > Clients, opening their client page, and making sure their 'Policy' is not set to 'Whitelisted.'
  • Additionally, clients can also be unintentionally whitelisted by having Group Policies applied to them. ALL Group Policy rules take priority over default network rules unless set to 'Use network default' settings.
  • Check to make sure that the URL is not in the URL whitelist on the Content Filtering page.
  • It is possible that the site does not actually have a good reputation, or may be in a different category than it should be. Be sure to check the IP/URL reputation on BrightCloud.
  • In the latest stable firmware version, URL reputation is prioritized over IP reputation, as opposed to IP reputation being the deciding factor on previous firmware versions. If for some reason the IP has a different categorization than the URL, the client could be allowed through. Firmware can be upgraded by navigating to Organization > Monitor > Firmware upgrades.

How can one tell what policy is blocking a client?

If a client is being blocked from accessing a page, the easiest way to tell whether content filtering is blocking the traffic is to check your Event log. When looking at the Security Appliance network in the Dashboard, navigate to Network-wide > Monitor > Event log. To help narrow down the scope, the event type 'Content filtering blocked URL' can be included in the 'Event type include' field.

In the 'Details' section, the category will be defined if the traffic was blocked by the content filter. You will also be able to see what IP address and URL is being blocked. This can also be helpful information to use for whitelisting embedded content on a page.

Why is the Meraki block page not displayed?

If the website you are trying to reach is using HTTPS/SSL (rather than HTTP), the browser will display an error page rather than the Meraki block page. Because HTTPS/SSL traffic is encrypted, the MX cannot decrypt and redirect HTTPS traffic to the block page. Instead, the request will simply time out (as seen in the image below).

Additionally, if the website/IP is being blocked by any Layer 7 Firewall rules, these will take effect before the Content Filtering rules do.

Why is an allowed site loading, but missing images/content?

Sometimes, when a page is allowed through the firewall, the page will load, but it will be missing pictures or images. This is usually because there is content on the page that is actually hosted on another domain but displayed on the page, and that hosting domain is being blocked by URL blocking, category filtering, or firewall rules.

Example:
When Category filtering for 'Social Networking' is turned on, but 'twitter.com' is explicitly allowed in the URL whitelist, the page will sometimes load, but not all images and content will appear as seen in the following picture, which is what is displayed when navigating to 'twitter.com':

When the Event log is checked, there are entries for 'Content filtering blocked URL' for Social Networking. While 'twitter.com' was allowed, their image/content hosting domain 'twimg.com' was not.

In order to display the full page properly, the hosting domain would also need to be whitelisted.
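The two questions above (finding which policy blocked a client, and an allowed page that loads without its embedded content) both come down to reading the 'Content filtering blocked URL' events. This added example, which is not Meraki's code or the article's, parses constructed event lines in an illustrative key=value layout (not the Dashboard's real export format) and lists, per category and per client, the hosting domains that would also need an allowlist entry:

```python
"""Triage of 'Content filtering blocked URL' events (added example, not Meraki's code)."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample events. The key=value layout is illustrative only; the
# event type string is the one the Event log filter uses for content filtering.
SAMPLE_EVENTS = """\
2020-06-01 09:12:01 client=aa:bb:cc:dd:ee:01 type="Content filtering blocked URL" category="Social Networking" url="https://abs.twimg.com/responsive-web/main.js" ip=192.0.2.10
2020-06-01 09:12:01 client=aa:bb:cc:dd:ee:01 type="Content filtering blocked URL" category="Social Networking" url="https://pbs.twimg.com/profile_images/1.jpg" ip=192.0.2.11
2020-06-01 09:12:02 client=aa:bb:cc:dd:ee:01 type="Content filtering blocked URL" category="Social Networking" url="https://pbs.twimg.com/media/2.png" ip=192.0.2.11
2020-06-01 09:12:03 client=aa:bb:cc:dd:ee:02 type="Content filtering blocked URL" category="Games" url="http://games.example.net/play" ip=198.51.100.7
2020-06-01 09:12:05 client=aa:bb:cc:dd:ee:02 type="Other event" detail="not a content filtering block"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) client=(?P<client>\S+) type="(?P<type>[^"]*)"'
    r'(?: category="(?P<category>[^"]*)")?(?: url="(?P<url>[^"]*)")?(?: ip=(?P<ip>\S+))?'
)


def parse_events(text):
    """Keep only content filtering blocks; attach the hostname of the blocked URL."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m.group("type") != "Content filtering blocked URL":
            continue
        rec = m.groupdict()
        rec["host"] = urlparse(rec["url"]).hostname or ""
        events.append(rec)
    return events


def registered_domain(host):
    """Collapse a hostname to its last two labels (pbs.twimg.com -> twimg.com),
    which is the granularity you would allowlist. Simplification: it does not
    know multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def blocked_domains_by_category(events):
    """category -> Counter of registered domains blocked under that category."""
    out = defaultdict(Counter)
    for e in events:
        out[e["category"]][registered_domain(e["host"])] += 1
    return out


def whitelist_candidates(events, client, allowed_domains):
    """Domains blocked for `client` that are not already on the allowlist.
    When an allowlisted site loads but pictures are missing, these are the
    hosting domains (twimg.com in the text's Twitter example) to add."""
    allowed = {d.lower() for d in allowed_domains}
    seen = {registered_domain(e["host"]) for e in events if e["client"] == client}
    return sorted(seen - allowed)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for category, counts in blocked_domains_by_category(evs).items():
        print(category, dict(counts))
    print(whitelist_candidates(evs, "aa:bb:cc:dd:ee:01", ["twitter.com"]))
```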

Why are certain downloads (like PDFs) on a page hanging or not working correctly?

This issue is usually not related to Content Filtering. This is usually caused by AMP (threat protection) blocking certain hosts from providing downloads. There is a whitelist that can be applied by navigating to Security & SD-WAN > Configure > Threat protection. Both URLs and specific files can be whitelisted here.

Why are pages loading slowly (especially the first time they're visited)?

When URL category list size is set to 'Full list,' it can significantly slow down access to web pages; especially the first time they're visited. If a site is not in the list of 'Top sites,' the URL will have to be looked up and this will noticeably affect browsing speeds. This value can be changed back to 'Top sites' to improve speeds if the 'Top sites' list is sufficient. This feature is found on the Content Filtering page, next to Blocked website categories.

Web Search Filtering

Web Search Filtering is not filtering searches

Web search filtering can be enabled to encourage web searches to be relayed to Safesearch for Google, Yahoo! and Bing. When the MX sees traffic that contains a web search for these sites, it redirects the content to the Safesearch alternative for the respective site. However, any search that is made through HTTPS/SSL will not be affected by this setting. Because the content on an HTTPS/SSL page is encrypted, there is no way for the MX to inspect the traffic. More information on Web search filtering can be found in this article.

Hosted email applications are being blocked

Web search filtering can also interfere with some mail applications that go through hosted services like Office 365. If it is not essential, Web search filtering should be disabled when applications like this are having issues.

URL Blocking

Blocked URL patterns are not being blocked

Several factors can contribute to Blocked URL patterns not being blocked successfully. If this is occurring, be sure to consider each of the following factors:

  • Make sure the syntax for the URL pattern is correct. The more specific/lengthy a URL block entry is, the less likely it is to block the entire website. The more vague a block pattern is, the more likely it is to block the entire domain. More information on patterns for URL blocking can be found in this article.
  • Make sure that the client you are configuring is not whitelisted. Try finding the client you are testing with by navigating to Network-wide > Monitor > Clients, opening their client page, and making sure their 'Policy' is not set to 'Whitelisted.'
  • Additionally, clients can also be unintentionally whitelisted by having Group Policies applied to them. ALL Group Policy rules take priority over default network rules unless set to 'Use network default' settings.
  • To ensure that the firewall rules are being applied to the client, the policy on the Clients page can be set to 'Blocked' to test to make sure that the client is actually being blocked. If this works, then it is likely that the URL pattern block simply doesn't actually match the destination.

Whitelisted URL Patterns are not being allowed

Several factors can contribute to whitelisted URL patterns not being allowed through the firewall. If this is occurring, be sure to consider each of the following factors:

  • Make sure the syntax for the URL pattern is correct. The more specific/lengthy a URL whitelist entry is, the less likely it is to whitelist the intended destination. The more vague a whitelist pattern is, the more likely it is to allow the entire domain. More information on patterns for URL whitelisting can be found in this article.
  • Make sure that the client you are configuring is not blocked. Try finding the client you are testing with by navigating to Network-wide > Monitor > Clients, opening their client page, and making sure their 'Policy' is not set to 'Blocked.'
  • Additionally, clients can also be unintentionally blocked by having Group Policies applied to them. ALL Group Policy rules take priority over default network rules unless set to 'Use network default' settings.
  • Try whitelisting a client by navigating to Network-wide > Monitor > Clients, opening the client page, and setting the 'Policy' to 'Whitelisted.' If the client is still blocked, it is likely that the MX is not contributing to the issue, and an upstream firewall or ISP is blocking the traffic. This can be verified by connecting directly to the modem/upstream router, if possible.

I don't work for Cisco Meraki. I do work for a Cisco Meraki partner called IFM Ltd. I have deployed lots of Cisco Meraki networks. I work with networks with up to hundreds of sites. I don't work with any really big Cisco Meraki networks that might have thousands of sites.

The knowledge I share here does vary from what Cisco Meraki publish. The Cisco Meraki documentation will work with very large networks – but the vast majority of customers don't have networks this big. This experience I am sharing is how to build a Meraki MX AutoVPN network that you can set up, walk away from, and won't need any touching. It will 'just work'.

Don't try to use the Cisco Meraki MX for all your VPN needs

There I said it. Some Cisco Meraki salesperson probably just choked.

Here is a brief synopsis telling you what to use for what purpose. If your needs are low for something that Cisco Meraki is not good at then fine, stick with an all Cisco Meraki solution. However if your needs are high for something that the Cisco Meraki MX is not strong at – don't bang your head against the wall – incorporate the required technology to do what you need.

Cisco Meraki MX

  • Excellent at VPNs between Cisco Meraki MX units with low complexity to deploy.
  • Weak at VPNs to third parties with low complexity to deploy.
  • Weak at user to site VPN support using L2TP over IPsec with low complexity to deploy.

Cisco ASA

  • Very good at VPNs between Cisco ASAs with medium complexity to deploy.
  • Good at VPNs to third parties with medium complexity to deploy.
  • Excellent at user to site VPN support using AnyConnect SSL VPN with medium complexity.

Cisco IOS/IOS-XE Router

  • Excellent at VPNs between Cisco routers using IPSEC/iWAN with medium to high complexity to deploy.
  • Excellent at VPNs to third parties with medium to high complexity to deploy.
  • Medium at user to site VPN support using AnyConnect SSL VPN with medium complexity.

Examples

Let's say you have a DC and 20 remote sites. Let's also say you have site to site IPsec VPNs to third parties. In that case, I would recommend using Cisco Meraki MXs for your DC and all remote branches, and adding a Cisco ASA or Cisco router for the site to site VPNs. All you do is add a route in your DC Cisco Meraki MX pointing to the remote VPN destinations via the Cisco ASA/router. All your remote sites will automatically see this and route their traffic to the DC, and out the appropriate path.

Let's say you have 10 staff that require remote user to site VPN access. They only need simple access to an application in your DC. You will be fine using a Cisco Meraki MX.

Let's say you have 50 staff that require a user to site VPN. They need access to applications in your DC. They also need some of their web traffic to go directly to cloud providers and some to come to the DC and then back out to the Internet using a DC IP address, because you use remote services that are locked down by IP address. The staff also need to access a service at a partner over a remote site to site VPN, and due to overlapping IP address space they have to have some of their traffic source NAT'ed prior to accessing those services. Don't even think about using the Cisco Meraki MX to terminate these user to site connections! While you might use Cisco Meraki MX for everything else, put in a Cisco ASA to handle these complex VPN requirements.

Let's say your company is going through a merger, acquisition or break up. Temporary links need to be set up. There might be overlapping address space requiring both source and destination NATing of VPN traffic inline. A complex mix of dynamic routing protocols might be needed, with all sorts of route redistribution rules and prefix filtering. Don't even think about trying to use a Cisco Meraki MX to do this. Put in a Cisco router. The rest of your world can use Cisco Meraki kit to get to this router, and then use this router to do all the nasty things.

VPN Platform Summary

So in short, don't be blinded into thinking it all has to be 'one way'. Choose the best tool for the job. If you don't, it's going to come back and haunt you.

Use configuration templates if you have more than a handful of sites

If you have, say, a dozen sites you can just go ahead and create the networks in the Cisco Meraki portal. You could also create a 'template' network and copy that each time you want to make a new network.

The bummer with both of these approaches is that if you want to make a change after deploying the networks you have to go into each network and make that change. It is error prone to rely on a human to make lots of repetitive changes that are the same.

Once you get above 20 sites you definitely want to change over to using 'Configuration Templates' under 'Organisation'. You then create a new network and bind it to this template. At the network level you lose most of the configuration options. You can configure IP addresses and the like, but not much else. All the configuration is contained in the configuration template.

The super powerful thing about 'Configuration Templates' is that if you change them then every site gets the change - usually within 60s. So if, for example, you decided you wanted to block a type of content everywhere, you just do it in the configuration template, click save, and within a minute every site in your organization using the template will start blocking it.

If you have 100 sites to modify this is a godsend!

Avoid NAT at the Cisco Meraki MX Hubs

First let's consider PAT. That is when a device establishes an outbound connection from a private IP address to the Internet. The Internet gateway device will create a PAT mapping to allow the return traffic.

The problem is, not all devices do this well for UDP, which is what gets used when you use AutoVPN through NAT. UDP is connectionless, so the Internet gateway cannot tell for sure when the flow has finished.

Some Internet gateways impose a maximum UDP PAT time and then they delete the PAT entry. This is the most problematic, because it will break all the AutoVPN connections when it happens. The connections will get rebuilt and the system will self recover, but to the end user it will look like AutoVPN is intermittently flaky.

Some Internet gateways impose a maximum idle time and then delete the PAT entry. If this idle time is too aggressive AutoVPN sessions will keep getting broken when they have no traffic flowing for short periods of time.

So the moral of the story is if you want rock solid connections to your Cisco Meraki MX hubs always put the public IP address directly on the hub.

If you can't do this, then the next best option is to create a 1:1 NAT and allow all inbound traffic to the Cisco Meraki MX. Remember, the Cisco Meraki MX is itself a firewall. It doesn't need some other device to protect it.

The last and least desirable solution is to do a specific port forward to the Cisco Meraki MX units. Under 'Security Appliance/Site to Site VPN' enable 'Manual: Port Forwarding' and enter the public IP address and port you will forward. If you are running active/warm spare MX units then you must enable virtual uplink IPs ('Security Appliance/Addressing & VLANs', scroll down to the 'Warm Spare' section and change 'Uplink IPs' to 'Use virtual uplink IPs') and point the port forward at that virtual uplink IP address.

Avoid putting the Cisco Meraki MX hubs behind other stateful firewalls

I just finished explaining why you should avoid using NAT systems because of the inability to detect the end of a UDP conversation and how some systems terminate the UDP connections at inappropriate times.

Stateful firewalls do exactly the same thing and have exactly the same issue.

Once again, the Cisco Meraki MX is a firewall. Trust it to do its job. Connect it directly to the Internet where possible.

Avoid 'on a stick' mode (or VPN concentrator mode)

As soon as you enable 'on a stick' mode you lose the ability to:

  • Use VPN flow preferences. Flow preferences let you do things like fail over when packet loss reaches (say) 10% or when latency exceeds 500ms – rather than waiting for a full on circuit failure. VPN flow preferences also help isolate faults quickly by being able to substantially and quickly move traffic from one network to another for testing.
  • Use a backup WAN circuit. You are betting everything on the existing Internet system you have.

In nearly all cases I deploy the DC (or Cisco Meraki MX hubs) as if it was just another branch. You don't need to treat it specially with a completely different design to the rest of your Cisco Meraki environment.

I also almost always have the customer put in a second Internet circuit and use it as 'WAN2'. This can be a cheap Internet circuit with no or poor SLAs. It is only intended to provide a 'get out of jail' card if things go badly wrong.

I use this design for:

  • MPLS with Internet (WAN1=MPLS tail, WAN2=ISP)
  • Internet only (WAN1=ISP1, WAN2=ISP2)

The only special exception is if you are using the Amazon AWS virtual MX VPN concentrator. This only supports VPN concentrator mode, and its scope of operation is so limited that this works perfectly.

Avoid Active/Active mode (when using dual Cisco Meraki MX hubs)

As soon as you decide to use active/active mode to provide routes to the same destinations (aka server subnet) you will have to enable 'on a stick mode' because that is the only way to enable OSPF. You have to enable OSPF mode because the remote sites could be reachable via either Cisco Meraki MX hub, and you have to be able to tell your network core which Cisco Meraki MX to talk to in order to reach specific remote sites.

Active/Active mode also requires you to purchase a licence for both units. Active/Warm spare mode only requires you to purchase a single licence. When you start buying bigger tin like the MX400s or MX600s this can be a considerable cost saving.

If you are operating in a single DC environment, there is no benefit of active/active over active/standby. So why do it?

Now there is a more complex wrinkle. Let's say you have a primary DC and a backup DR site.

If the sites are using the traditional stretched layer 2 VLAN approach, and there is layer 2 redundancy, then you should treat the two sites as if they are a single DC and use the same rules above.

If the sites have separate layer 3 subnets, then they effectively look like two completely different sites in the Cisco Meraki world. While the hubs are 'active/active' they are not 'active/active' within the same destination subnets. If there is no overlap in the DC layer IP addressing space then the remote sites will only connect to a specific hub to get to a specific subnet. You can stick with nice simple static routing.

Avoid Dynamic Routing

If you have a well designed addressing scheme, all of your remote Cisco Meraki sites should fall within a single prefix, for example 10.30.0.0/12. If you have a good IP addressing design like this you only need a single static route on your network core pointing to your Cisco Meraki MX hub. Your Cisco Meraki MX hub only needs static routes for what is in your network core.

Static routing is extremely stable, solid and robust, and has a very fast convergence time.

If you have dual Cisco Meraki MX hubs for redundancy and you are running them in active/warm spare NAT mode, then they will present as a single IP address for you to route to. The failover system is intrinsic in the design. It is almost impossible to make it not be an automatic fault tolerant system.

However if you did not follow my advice above, and went with 'on a stick mode' or active/active mode you have backed yourself into a corner, and will be forced to use dynamic routing to get any high availability back. So much extra complexity – for zero gain.
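To check that a remote-site addressing plan really collapses to the single supernet route described above, here is an added example (not Meraki's or the author's code) built on Python's ipaddress module; the site and core prefixes are constructed samples. Note that a /12 boundary falls on a multiple of 16 in the second octet, so the text's 10.30.0.0/12 normalises to 10.16.0.0/12 when written as a network address.

```python
"""Supernet planning for AutoVPN hub static routes (added example, not Meraki's code)."""
import ipaddress

# Constructed sample addressing plan: remote sites carved from one /12,
# core subnets in a separate block. Replace with your own prefixes.
REMOTE_SITES = ["10.30.1.0/24", "10.30.2.0/24", "10.31.0.0/24", "10.16.0.0/24"]
CORE = ["10.1.0.0/16", "10.0.0.0/16"]


def aligned(prefix):
    """Normalise a prefix written with host bits set, e.g. 10.30.0.0/12 -> 10.16.0.0/12."""
    return ipaddress.ip_network(prefix, strict=False)


def summary_route(site_prefixes):
    """Smallest single prefix that covers every remote site: the one static
    route the network core needs towards the Cisco Meraki MX hub."""
    nets = [ipaddress.ip_network(p) for p in site_prefixes]
    summary = nets[0]
    for net in nets[1:]:
        # Widen the candidate one bit at a time until it contains this site too.
        while not summary.supernet_of(net):
            summary = summary.supernet()
    return summary


def conflicts(summary, core_prefixes):
    """Core prefixes that the summary would also match. Any hit means the
    single route would pull core traffic towards the hub, so the addressing
    plan (not the routing) is what needs fixing."""
    return [c for c in core_prefixes if summary.overlaps(ipaddress.ip_network(c))]


def plan_static_routes(site_prefixes, core_prefixes):
    """Return both route sets from the text: the supernet the core points at
    the hub, and the core prefixes the hub needs static routes for."""
    summary = summary_route(site_prefixes)
    clash = conflicts(summary, core_prefixes)
    if clash:
        raise ValueError(f"summary {summary} overlaps core prefixes {clash}")
    return {
        "core_to_hub": [str(summary)],
        "hub_to_core": [str(n) for n in sorted(ipaddress.ip_network(c) for c in core_prefixes)],
    }


if __name__ == "__main__":
    for direction, routes in plan_static_routes(REMOTE_SITES, CORE).items():
        print(direction, routes)
```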

Frequently if you are migrating from an existing solution (such as iWAN, MPLS, etc) you need a way to transition branches across from the old to the new system. If the existing solution is advertising sites to you dynamically those routes should disappear from the routing table as you move them from the old solution to the new supernet route (discussed above) pointing at the new Cisco Meraki MX infrastructure.

Failing that, if you have up to, say, several hundred sites, I would still use static routing to force the sites across until the task is complete, and then when finished delete all the extra static routes leaving only the single supernet route.

Alas, if you have thousands of sites to migrate you are going to have to use dynamic routing during the migration. This is because it would be too error prone to rely on humans manipulating that many static routes – and it would be very hard to manage. I would still plan long term to be able to operate without static routing, but you simply have no choice and will have to use it. This will also necessitate you having to use 'on a stick mode' to begin with.

MPLS and Cisco Meraki AutoVPN

You have two ways to use MPLS. One uses route tracking and the other AutoVPN.

If you only have MPLS it doesn't make too much difference as there is only a single path.

If you use a backup Internet circuit (or even backup 3G/4G Internet) then don't use route tracking. It is hard to design such a system to be able to handle a complex and varied set of faults and to be able to recover. AutoVPN automatically tests the end to end path, so even if you have a failure in the middle of the MPLS service provider it will be able to detect the issue and cut over to a backup path. It also means the MPLS provider doesn't have to know anything about your internal IP addressing. All they need to give you is simple stubs for each site and you don't need any dynamic routing interaction with them.





