Skip to main content
Cisco Meraki

Cisco+ Secure Connect - Quick Start

  1. Last updated
  2. Save as PDF

Screen Shot 2022-06-02 at 4.45.02 PM.png

Prerequisites 

Requirement

Details
Private DNS server IP addresses Servers used to resolve private application names
Corporate domain name Domains that must be resolved to access private applications 
Client IP address pools North America and Europe have 4 data centers each. Each region specified must have a complete set (4) contiguous private address pools. These pools cannot overlap with existing internal addresses/subnets in use on the internal customer network. One region is required, a second region is optional
Any subnets that require tunnel bypass You may want to direct specific traffic, such as DNS, to bypass (route outside of) the tunnel 
Datacenter VPN termination device ( only if configuring other than Meraki ) The physical or software device on the data center side of the VPN connection. Any IKEv2 compatible device is supported, however, configuration details will vary.  Physical device example: Router or Firewall. Software Example: AWS Virtual Private Gateway for Site to Site IPSec.
Customer-premises equipment (CPE) device Public IP* The internet-routable IP address for the device's external interface 
Tunnel IKEv2 pre-shared key The PSK is needed configure the CPE device with the IPSec tunnel. 

*public IP only required for devices that do not support IKEv2 email identities. 

Onboarding 

In order to begin, you'll first need to tie Cisco Meraki and Cisco Umbrella management together for a seamless experience.  For further instructions, see Cisco+ Secure Connect Onboarding

Remote Access Setup (Get Started) 

  1. Get Started with Secure Connect from the main homepage and click - Set up Remote Access

popup.png

Figure 1: Get Started with Secure Connect Pop-Up 

Alternately, Navigate to Secure Connect -> Configure ->Remote Access Setup to begin the setup process

  1. This "checklist" guides you through the main remote access configuration tasks.  As each task is completed, the progress bar advances. These tasks can be done in any order, however, the steps below begins at  top of this checklist at Setup Remote Access Service

setup.png

Figure 2: Remote Access Get Started Checklist

Set Up Remote Access Service  

Purpose: Setup the network configuration, traffic steering, AnyConnect settings and, Datacenter regions. 

  1. Click Set Up Remote Access Service. To set up remote access see : Remote Access Service Setup

Set Up Secure Access Tunnels

  1.  Click Set Up Secure Access Tunnels.  For integration with Meraki see- Meraki SD-WAN Branch Integration Deployment Guide                                             For integration with Non-Meraki Setting Up Secure Access Tunnels ( Non- Meraki )

Configure SAML 

  1. To Configure Meraki Cloud Auth, See this Meraki Cloud Auth
  2. If Configuring a third party Identity provider, Click Add SAML

  3. Click ADD in the upper right hand corner of the screen 

SAMLadd.png
Figure 3: Begin SAML configuration

  1. Follow the wizard to configure a SAML IDP.   For more information, please see our SAML Guides

  2. In the upper right-hand corner of the screen, click Return to Cisco Plus Secure Connect 

secureconnectbutton.png
Figure 4: Return to Secure Connect

Provision Users and Groups  

Provision users and groups from your selected SAML IDP for use in Umbrella policies and for user identification in reports 

  1. Select your identity provider and follow the integration instructions referenced here: https://docs.umbrella.com/umbrella-user-guide/docs/introduction-4

  2. Follow the instructions to complete provisioning 

  3. Once provisioning is complete, you will see the list of users and groups downloaded from the identity provider.  

 
Figure 5: Active Directory Provisioning Example 

 

  1. In the upper right-hand corner of the screen, click Return to Cisco Plus Secure Connect 

secureconnectbutton.png
Figure 6: Return to Secure Connect

AnyConnect Client  

  1. Ensure the AnyConnect client device is running 4.10.X or later 

  2. Note one of the remote access location’s FQDN from Deployments > Configuration > Remote Access 

  3. After a client connects for the first time it will download all available locations 

  4. Add the FQDN as a new VPN connection in the AnyConnect client 

  5. Only use the FQDNs.  Using an IP address will not work 

     

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    1. Cisco Plus
    2. Cisco+
    3. SASE
    4. Secure Connect