วีดีโอ

haven’t had a chance to do a video for that. Will find time in the coming month do update that part

but a great video! ;-)

haha sorry no slang, but glad it’s useful

Glad to hear it!

@@dracocybersecurity can you do one video of how to do netflow on fdm?

As of right now CDO will delete the config on the process of adding it. FMC is the option if you only have a single FTD. If you have a HA pair. You can onboard one of the FTD and migrate the policy to CDO/CloudFMC. docs.defenseorchestrator.com/#!c-migrating-fdm-devices-managed-by-cisco-defense-orchestrator.html

docs.defenseorchestrator.com/#!about-licenses.html If after adding the Firewall license and you still cannot get it to work. Do contact the local team or open a TAC case.

You are looking at NAT using IPTables/Firewall to forward the incoming traffic to the Windows OS? If you are looking at just internet access from the Windows Server than using the NAT feature on the KVM should be fine. If you are looking at forwarding internet traffic to your window OS. Check out the following it is an example to forward RDP traffic to the Server in the KVM but you will need to change the network type . dracocybersecurity.com/configure-iptables-port-forwarding-to-nested-guest-vm-in-kvm-default-nat-virtual-bridge-ubuntu-20-04/

Thank you! Cheers!

Thank you! Cheers!

You might want open a tac case with Cisco. I have seen newer CDO instances that do not have that options.

FTD Firewall Threat Defense is the software that runs on the Firewall and FDM Firewall Device Management is the management Software for managing a single device that runs on the firewall. if you onboard using FDM it has less feature and capabilities.

Many thanks!

Glad it was helpful!

Always important to test out the capabilities in a test or staging environment or get professional service before implementing in critical system

Thanks, Meraki vMX in the cloud only function as a One-Arm VPN Concentrator. If you need VPN and Firewall capabilities in AWS. You can check out the Cisco Firewall that is available in the Cloud Market place. For your on-prem Meraki MX it is both a firewall as well as a VPN Server.

It is possible to expand the subnet to /16. You do have to determine how the existing AWS routing works as well. But if it is simple inclusion on the subnet in a single LAN then it should be fine.

Will really appreciate if you can make a video spinning two virtual MX in AWS depicting High Availability

Glad that you enjoy it. :)

For a start I will check if the SSH Server is routing the traffic through the VPN Tunnel.

Glad that it is useful :)

Yes it is possible. you just need to know that it exposes your window server directly to the internet which is not advisable. For testing you can get additional public ip address from the service provider and assign the public ip address to the windows server. In my test environment I use the bridge function to bridge the public ip to my device that I want to assign the public ip. which is usually the firewall, but u can do it for Windows or Linux as well.

For exposing your IIS to the public internet having a public IP address to bridge to IIS server might be the easiest way to do it or you can use iptables to do port forwarding. however you will need to understand how the various bridge function or DNAT and maybe SNAT depending on your setup to expose the web service. I have not done cyberpanel or even cockpit configuration. I usually do it through the command line for iptables configuration and virt-manager for bridge config.

It should work with the standard IPSec config. as long as the crypto and protocol is supported have not done with AWS but did a standard IPsec with oracle cloud before. the tricky part is getting the protocol to match and then the routing. let us know if u manage to get it working with AWS.

You may want to get an Elastic IP to use with the vMX for its Public IP so it doesn't ever change and break your IPsec tunnel.

It's not going to work for what you need. IPSEC tunnels on regular site to site can only recognize and pass traffic for one subnet to AWS from Meraki. I think this has something to do w/Meraki being policy based instead of route based site to site. You'd be much better off merging sites into the same org. Contact support for help.

For my lab environment I use iptables. using dnat to forward port 3389 to the internal windows ip address. there are a few configurations you need to do if you know iptables then it is easy. be mindful of opening up RDP directly to the internet as it opens up the server to direct attacks.

You can also check out my post on what the 2 rules might look like. dracocybersecurity.com/how-to-configure-iptables-to-port-forward-rdp-3389-to-windows-machine-in-kvm/ I use the -I XXXX 1 to insert the rule in front to the top of the nat table, but can you just use -A add depending on our config. Do not the rules in IPTABLES are executed top down.

You will probably need to use the video webpart for inline video. support.microsoft.com/en-us/office/using-videos-on-sharepoint-pages-5a0eb37c-81a8-45b7-875e-ff0515dd2e5f You can also check out microsoft stream or do some custom development for adding hashtags and comments. Have not seen out of the box capabilities for hashtags and comments for inline video.

This is leveraging on ssh protocol (port 22) to tunnel the rest of the traffic across. It is actually a very old school way of creating a tunnel for traffic that you do not want to open additional ports. These days vpn tunnels are the more common use as it is easier to manage for mutliple clients or site to site tunnels.

Thanks for the confidence, but I have not been doing any advance stuffs with Sharepoint :)

You can check these out to see if it is the issue that you are facing. lists.debian.org/debian-backports/) you can download xrdp 0.9.15-1 and xorgxrdp 1:0.2.15-1 via snapshot.debian.org/ Those package versions were still compatible with libc6 from bullseye. sudo apt install ./xorgxrdp_0.2.15-1_amd64.deb sudo apt install ./xrdp_0.9.15-1_amd64.deb

Glad it helped!

Glad it helps. And these things happens all the time :)

There are multiple reason that you are getting just a cursor. The 2 common problem might be the Graphical Desktop Environment that you installed might be causing the problem. or could be a permission issue preventing the GDE from loading properly. You might want to take a look at the xrdp logs to see if there is anything mentioned there. github.com/neutrinolabs/xrdp/issues/2064. You can check out this post to see if it solves your problem.

Yes it can support RDP, just need to make sure that the firewall allows that. For my lab setup I utilized this windows server as a AD and only allow RDP through local vpn.

I haven't had time to do the second video for this yet. Stay tune for more

Glad it was helpful!

community.meraki.com/t5/Security-SD-WAN/Azure-vMX100-transition-to-vMX-M/m-p/109509 you can check out this link seems that you have to recreate a vMX-M instance if you are on vMX 100. I would recommend to get in touch with your local Meraki team or raise a case to discuss your need.

@@dracocybersecurity Thank you so much!

Did you create the Virtual Machine in the existing subnet that you have configured during the provisioning? If you have follow closely from 14min to 23min of the video it will work. However any deviation from the standard steps then you will need to tweak the routing and route table of Azure this becomes complex for me as I am not an expert in Azure Networking, unlike Linux/AWS the Azure Routing is not easy to troubleshoot. I had issue during the video creation when I create the Subnet after the vMX creation and also creating the Virtual Machines in another subnet. I am assuming that if you are doing ping you have allowed ping on the Windows virtual machine and if you have not done any changes to the RDP of your Windows VM you have tried to RDP from your local network machine to the Windows Virtual Machine and the basic interesting traffic are not in conflict. Do let me know if you manage to get it to work :) with the basic steps. If you let me know without sharing sensitive information on how your setup looks like I can try to see if I can check out in my setup what you can do to get it to work. Or talk to your local Meraki expert. Do note that in my view Meraki is really great for its simplicity and scalability but any complex setup you will need to do your feasibility assessment base on your needs.

@@dracocybersecurity After configuring for a week now. I finally figured it out with your comment above. The drop down menu had cached old Virtual Networks and the new ones that I had created were not showing up. I opened a different browser and in the drop down my new virtual network with the correct subnet showed up. Everything works correctly. Thanks for the video. Only recomendation would be to setup a new virtual network in the video and show how it was done if anyone is new to working in azure

Great that you manage to get it to work. cache on the browsers have their way of tripping us :). thanks for the feedback on showing the creating the new virtual network. That can be daunting for people new to Azure. I am still learning subnetting and the network gateway in Azure as well. wish that there is more consistency in network deployment in the cloud providers :) I am starting to like the simplicity of Oracle Cloud in their way of networking not much advance stuffs but the basic routing and VPN are a lot easier. wondering when vMX will be extended to them. when I get time I will do a video on vMX in AWS. that is a lot easier since more Linux style VPS. if you have a chance try out the whole setup for vMX on Azure and AWS and a few locations of hardware boxes. It is amazing for simple development need and management. but cost can be a concern for testing.

@@dracocybersecurity thanks for your help and making the video. I will check out AWS

@@dracocybersecurity Hey mate waiting for video for AWS Vmx, I need to deploy this for work.

Glad I could help!

Great to hear!

Glad it helped!

Glad it helped

Hard to say but did you configure the Duo Authentication Proxy, to proxy the authentication? Seems that your vpn client is authenticating directly to the Radius instead of through the Duo Authentication proxy. The DAP configuration should be similar to how it is configure in this video, but do check what are the parameters that you need to change.

Have you figured this out James? I am having the same problem. Thanks

You need to have a valid Cisco Partner or Customer account to download the ovf. Do reach out to your country authorized distributor or partner to request for that.

I have not done any other integration with other MFA. But you should be able to integrate with other MFA.

More to come!

Thank you! Cheers!

Below are the balance 2 parts. These are basic videos to help those interested get started th-cam.com/video/f2T8ZhYyIco/w-d-xo.html Part 2/3 th-cam.com/video/RvtIhRX4Fv0/w-d-xo.html Part 3/3

Check out this link. duo.com/docs/meraki-radius Duo they have a integration diagram that explain the flow much better than I do. What i have done is the older L2TP client. They now have the integration with AnyConnect. Which in my view is more secure. Of course L2TP is free with the system. AnyConnect I believe you need to pay for the license. Talk to your local Partner / Disti to get more support on the detail if you are interested in AnyConnect integration

From what I understand currently Duo is not integrated with the cloud authentication. You would need a Radius/AD/LDAP.

Thanks for sharing

In this particular setup, you don't need to install a separate radius server, the Duo Authentication Proxy will facilitate as a Radius Server. You can check out the official document that explain more on this. duo.com/docs/radius

@@dracocybersecurity Great video. Follow up question related to the question from the OP, since we're currently using meraki cloud authentication, once I have the proxy authentication server setup on the AD server, I could then change the authentication in Meraki to RADIUS using the proxy server's address? Thanks

Yes you should be able to do that. Just make sure the necessary firewall ports are open and the routing are done properly. I presume that the AD is internal so you need to take note of those nuances.

@@dracocybersecurity Thanks for your reply Draco. Unfortunately after following your video to the teeth, as soon as I connect my vpn and asked for my sign in, it just spins then receiving an error that "the remote connection was terminated because the remote computer did not respond in a timely matter" I already set timeout from 60 to 120 secs. It seems that it's not hitting the radius server at all. Any ideas? Thanks again

same problem here. everything tests fine but as soon as i hit connect on the vpn client, it gives the above error.@@graciesager