Skip to main content
Cisco Meraki

Cisco+ Secure Connect - Setting Up Remote Access Service

Screen Shot 2022-06-02 at 4.45.02 PM.png

Prerequisites  

 

Requirement

Details

Private DNS server IP addresses Servers used to resolve private application names
Corporate domain name Domains that must be resolved to access private applications 
Client IP address pools North America and Europe have 4 data centers each. Each region specified must have a complete set (4) contiguous private address pools. These pools cannot overlap with existing internal addresses/subnets in use on the internal customer network. One region is required, a second region is optional
Any subnets that require tunnel bypass You may want to direct specific traffic, such as DNS, to bypass (route outside of) the tunnel 
Datacenter gateway device The physical or software device on the data center side of the VPN connection. Any IKEv2 compatible device is supported, however, configuration details will vary.  
Customer-premises equipment (CPE) device Public IP* The internet-routable IP address for the CPE external WAN interface
Tunnel IKEv2 pre-shared key The PSK is needed configure the CPE device with the IPSec tunnel.

*public IP only required for devices that do not support IKEv2 email identities. 

Onboarding  

 

In order to begin, you'll first need to tie Cisco Meraki and Cisco Umbrella management together for a seamless experience.  For further instructions, see Cisco+ Secure Connect Onboarding

Remote Access Setup (Get Started)  

 

  1. Get Started with Secure Connect from the main homepage and click - Set up Remote Access

popup.png

Figure 1: Get Started with Secure Connect Pop-Up 

Alternately, Navigate to Secure Connect -> Configure ->Remote Access Setup to begin the setup process

  1. This "checklist" guides you through the main remote access configuration tasks.  As each task is completed, the progress bar advances. These tasks can be done in any order, however, the steps below begins at  top of this checklist at Setup Remote Access Service

setup.png

Figure 2: Remote Access Get Started Checklist

Set Up Remote Access Service   Edit section

Purpose: Setup the network configuration, traffic steering, AnyConnect settings and, Datacenter regions. 

  1. Click Set Up Remote Access Service. For further details see: Remote Access Service Setup

When you launch the Configure Remote Access Service wizard, it guides you through network, traffic steering, vpn client, and data center configuration. 

The navigation menu at the top of each screen, indicates the step you are configuring. (see Figure 1)

rasservicemenu.png

Figure 1: Navigation menu for Remote Access Service configuration

Private Network Configuration

NetworkConfiguration.png

Figure 2: Network Configuration Details for Remote Access Service

  • Add the IP addresse(s) of the DNS servers.  AnyConnect clients will use these servers to resolve applications accessed through the tunnel.
  • Add a default domain for DNS resolution and additional DNS names (optional) in the respective fields.
  • Click Next 

Traffic Selection (Optional) 

Trafficsteering.png

Figure 3: Traffic Steering Configuration

When this feature, also known as split tunneling, is enabled you will be able to decide what traffic you want to encrypt and transit over the AnyConnect connection (inside the tunnel), and which traffic (if any), you want to go directly to internet resources (outside the tunnel).  With split tunneling you are effectively configuring Access Control Lists, where the traffic for hosts or subnets are defined in these ACLs.  For more details, see About Traffic Selection

Leave this feature disabled to direct ALL traffic through Secure Connect services.  Users will not have access to local resources while connected.

  •  Select Enable Traffic Steering and configure the settings that follow per your deployment needs

a)    (Optional) Check Designate Local LAN access outside secure tunnel if access to local resources, e.g. local printers,  is required while connected

b)    For Tunnel Mode, specify whether destination networks to follow should be directed inside (split include) or outside (split exclude) of the secure tunnel.  Then click Add New to add the list of desired networks.

c)    For DNS Mode, choose a mode

Default DNS- DNS resolution is subject to how the host Operating System handles DNS queries over multiple interfaces (e.g. physical interface and tunnel interface).  For example, Windows 10 supports a feature called smart multi-home name resolution.  The feature has the operating system send DNS request across all available adapters and users the fastest response.

Tunnel all DNS-ensuring all DNS is resolved over the encrypted AnyConnection connection only-if this fails to resolve, they remain unresolved

Split DNS- DNS names matching the configured "DNS Names" will be routed over the encrypted AnyConnect connection for resolution, any that do not match the configured "DNS Names" are routed via the local physical interface for the resolution

Split DNS mode is only available when "Steer traffic INSIDE the secure tunnel" is selected

  •  Click Next

Client Configuration   

Clientconfig2.png

Figure 4: VPN Client Configuration

  • (Optional) Choose to enable Auto-Connect on Start  
  •  Add a banner message that will be displayed to AnyConnect users upon connection  
  •  Configure the session timeout  
  • (Optional) Configure settings to allow Remote Desktop Protocol (RDP) for Windows and Linux devices
  • Click Next 

Region Selection

addregion.png
Figure 6: Data Center Configuration

Once provisioning is complete, an auto-selecting URL is provided that will automatically select the closest data center to the remote endpoint. This URL is visible in the Secure Connect and Umbrella dashboard and follows the format; <system generated id>.sc.ciscoplus.com.

Alternately, location-specific URLs are provided with the following format: <system generated id>.location.sc.ciscoplus.com.  Using the above example, the 4 FQDNs generated could be:

560d.pao1.sc.ciscoplus.com
560d.nyc1.sc.ciscoplus.com
560d.lax1.sc.ciscoplus.com
560d.ash1.sc.ciscoplus.com

The VPN profiles for each location, per the above example, will appear as "Palo Alto, CA", "New York, NY", etc.  

Remote Access users may choose to connect to the auto-selecting URL or a specific location via the AnyConnect dropdown. Note the drop downs will populate after first connecting to the service. 

clipboard_e5437e7a3a970320cb2a635956a185c53.png

Figure 7: AnyConnect connection selection options

  • Select which regions to deploy the remote access service in and enter IP addresses ranges for each location 
  • Verify the IP address ranges are correct
  • Click Provision to deploy and configure the cloud resources that will serve AnyConnect clients. 

This may take up to five minutes to complete. It is ok to start the next section while waiting. 

 Remote Access Service Provisioning is complete!!!

  • In the upper right-hand corner of the screen, click Return to Cisco Plus Secure Connect 

Return.png

Figure 8: Return To Secure Connect link

 

Tunnel, SAML & Users & Group Provisioning

After completing the remote access setup steps 2-4 may already be complete depending on your situation. Figure 8 shows steps 2-4 completed. If steps 2-4 are not complete reference the following reference docs. 

clipboard_e0127abc326a47da1730871b2623e6bf9.png

Figure 8: Setup wizard step 4 Assign Users 7 Groups

Complete Steps 2-4

 

Assign Users & Groups to Remote Access

  • From the setup wizard click Assign Users & Groups to Remote Access Service. You will be launched to User & Group authorization page. 

clipboard_e70fdf01a13103143d4c45365260ad374.png

Figure 9: Assign & Users and Groups

  • Select the required users and or groups and click save to save the setting.
  • Return to Secure Connect in the upper right of the page. 
  • You will return to the Secure Connect dashboard that should be complete as show in the figure below. 

clipboard_eee713c891f2e27676fe9bae9b9399334.png

Figure 10: Complete Remote Access Wizard

  • If required you can download the Anyconnect client via the provided link and click done. 

Remote Acces Setup is now complete! Try connecting to the service and accessing private & public applications.

  • Was this article helpful?