Cisco Meraki

Cisco+ Secure Connect Setting Up Remote Access Service


When you launch the Configure Remote Access Service wizard, it guides you through network, traffic steering, VPN client, and data center configuration.

The navigation menu at the top of each screen indicates the step you are configuring (see Figure 1).


Figure 1: Navigation menu for Remote Access Service configuration

Private Network Configuration


Figure 2: Network Configuration Details for Remote Access Service

  • Add the IP address(es) of the DNS servers. AnyConnect clients will use these servers to resolve applications accessed through the tunnel.
  • Add a default domain for DNS resolution and additional DNS names (optional) in the respective fields.
  • Click Next 

Traffic Selection (Optional) 


Figure 3: Traffic Steering Configuration

When this feature, also known as split tunneling, is enabled, you decide which traffic is encrypted and sent over the AnyConnect connection (inside the tunnel) and which traffic, if any, goes directly to internet resources (outside the tunnel). With split tunneling you are effectively configuring Access Control Lists (ACLs) that define the hosts or subnets whose traffic is steered. For more details, see About Traffic Selection.

Leave this feature disabled to direct ALL traffic through Secure Connect services.  Users will not have access to local resources while connected.

  •  Select Enable Traffic Steering and configure the settings that follow per your deployment needs

a)    (Optional) Check Designate Local LAN access outside secure tunnel if access to local resources (e.g. local printers) is required while connected.

b)    For Tunnel Mode, specify whether the destination networks that follow should be directed inside (split include) or outside (split exclude) of the secure tunnel. Then click Add New to add the list of desired networks.

c)    For DNS Mode, choose a mode:

Default DNS: DNS resolution is subject to how the host operating system handles DNS queries over multiple interfaces (e.g. physical interface and tunnel interface). For example, Windows 10 supports a feature called smart multi-homed name resolution, in which the operating system sends DNS requests across all available adapters and uses the fastest response.

Tunnel all DNS: All DNS is resolved over the encrypted AnyConnect connection only. Names that fail to resolve there remain unresolved.

Split DNS: DNS names matching the configured "DNS Names" are routed over the encrypted AnyConnect connection for resolution. Names that do not match the configured "DNS Names" are routed via the local physical interface for resolution.

Split DNS mode is only available when "Steer traffic INSIDE the secure tunnel" is selected.

  •  Click Next
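
A simplified model of the Tunnel Mode and DNS Mode choices above, added here as an example (it is not Cisco's code and does not describe how AnyConnect is implemented): it checks a planned configuration against a list of internal destinations and reports any that are not guaranteed to use the tunnel. The dictionary keys, the sample networks and names, and the subdomain-matching rule for Split DNS are assumptions; Local LAN access is not modelled.

```python
import ipaddress

# Constructed sample plan; key names and values are assumptions for this model.
SAMPLE = {"tunnel_mode": "inside",      # "inside" = split include, "outside" = split exclude
          "networks": ["10.0.0.0/8"],   # the list entered with Add New
          "dns_mode": "split",          # "default", "tunnel_all" or "split"
          "dns_names": ["corp.example"]}

def validate(cfg):
    """Return configuration problems, including the Split DNS constraint from the page."""
    problems = []
    if cfg["tunnel_mode"] not in ("inside", "outside"):
        problems.append("tunnel_mode must be 'inside' or 'outside'")
    if cfg["dns_mode"] not in ("default", "tunnel_all", "split"):
        problems.append("dns_mode must be 'default', 'tunnel_all' or 'split'")
    if cfg["dns_mode"] == "split" and cfg["tunnel_mode"] != "inside":
        problems.append("Split DNS requires steering traffic INSIDE the tunnel")
    return problems

def route_ip(cfg, dest):
    """Return 'tunnel' or 'direct' for one destination IP address."""
    ip = ipaddress.ip_address(dest)
    listed = any(ip in ipaddress.ip_network(net) for net in cfg["networks"])
    if cfg["tunnel_mode"] == "inside":
        return "tunnel" if listed else "direct"
    return "direct" if listed else "tunnel"

def route_dns(cfg, name):
    """Return 'tunnel', 'direct' or 'os-dependent' for one DNS query."""
    if cfg["dns_mode"] == "tunnel_all":
        return "tunnel"
    if cfg["dns_mode"] == "default":
        return "os-dependent"  # the host OS decides which interface answers
    name = name.lower().rstrip(".")
    # Assumption: a configured DNS name matches itself and its subdomains.
    suffixes = [d.lower().strip(".") for d in cfg["dns_names"]]
    hit = any(name == s or name.endswith("." + s) for s in suffixes)
    return "tunnel" if hit else "direct"

def audit(cfg, internal_ips, internal_names):
    """List internal destinations that are not guaranteed to use the tunnel."""
    findings = validate(cfg)
    findings += [f"{ip}: traffic goes {route_ip(cfg, ip)}"
                 for ip in internal_ips if route_ip(cfg, ip) != "tunnel"]
    findings += [f"{n}: DNS goes {route_dns(cfg, n)}"
                 for n in internal_names if route_dns(cfg, n) != "tunnel"]
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE, ["10.1.2.3", "172.16.5.9"], ["wiki.corp.example", "hr.internal.example"]):
        print(line)
```

Running the audit before clicking Next shows which internal subnets or DNS names still need to be added to the network list or the "DNS Names" field.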

Client Configuration   


Figure 4: VPN Client Configuration

  • (Optional) Choose to enable Auto-Connect on Start  
  •  Add a banner message that will be displayed to AnyConnect users upon connection  
  •  Configure the session timeout  
  • (Optional) Configure settings to allow Remote Desktop Protocol (RDP) for Windows and Linux devices
  • Click Next 

Assign Users and Groups

Region Selection

Figure 6: Data Center Configuration

Once provisioning is complete, each data center location will have a location-specific FQDN with the following format: <system generated id>.location.sc.ciscoplus.com. Using the above example, the 4 FQDNs generated could be:

560d.pao1.sc.ciscoplus.com
560d.nyc1.sc.ciscoplus.com
560d.lax1.sc.ciscoplus.com
560d.ash1.sc.ciscoplus.com

The VPN profiles for each location, per the above example, will appear as "Palo Alto, CA", "New York, NY", etc.  

Users may choose to connect to a specific location by selecting the location-specific profile.

Alternatively, to connect to the nearest online data center, users can manually enter 560d.sc.ciscoplus.com as their connection destination. (Future Secure Connect releases will provide this option automatically.)

  • Select which regions to deploy the remote access service in and enter IP address ranges for each location
  • Verify the IP address ranges are correct
  • Click Provision to deploy and configure the cloud resources that will serve AnyConnect clients. 

This may take up to five minutes to complete. It is ok to start the next section while waiting. 

 Remote Access Service Provisioning is complete!!!

  • In the upper right hand corner of the screen, click Return to Cisco Plus Secure Connect 


Figure 7: Return To Secure Connect link
