Meraki Mx Anyconnect



Most of our customers still have an ASA for Anyconnect and site-to-sites to non-Meraki peers. OpenVPN is pretty ubiquitous and has some ova templates available for ESXi. I'm trying to determine if it's possible to configure a Meraki MX model firewall the following. Announcing Cisco AnyConnect VPN with Meraki MX. Link to the article: https://documentation.meraki.com/MX/AnyConnectontheMXAppliance.

How many of you, during a maintenance activity, have run into the fatal question “How can I export all the Access Control Policies that are configured on my Cisco FMC?”
Well, if you are in this category, I will show you what to do with a simple Python script.

  • Meraki Support Paradigm. All customers have an explicit support owner at all times. Normally this is a Cisco Meraki support team member; however, during pre-sales product it could be a Cisco Meraki Systems Engineer, VAR, or other field sales resource.
  • If you would like to test AnyConnect on the MX, it is on the Client VPN page on dashboard. Meraki is providing the AnyConnect Plus licenses during the public beta. We expect AnyConnect to go GA this summer when MX 16.X becomes GA. For an overview, installation guide, and FAQs please visit this link.

Unfortunately, on FMC you cannot download an Access Control Policy as a CSV file, and the only way is to write an Excel file. You can, of course, export the Access Control Policy in .sfo file format. Even though it's not easy to read, it is useful for re-importing the policy on another FMC.

So, with this precondition, I integrated an existing Python script that can do all of that in a couple of minutes, avoiding long Excel work.

First of all, we need to be sure that the REST API service is enabled on FMC, because the script works only via the API. A tip: create a new user with REST API permission, otherwise your admin user will be disconnected each time the script runs.
FMC can manage only a single session per user, so an API session counts as a second one.

Generate an authentication token

To generate a new authentication token, we create a new POST request. We have to specify Basic Auth in the header and insert our username and password.

Our token is valid for only 30 minutes; after this period we need to refresh it via another API call.

In the response headers we have to find the following information: “X-auth-access-token” and “DOMAIN_UUID”:

Save these two values in variables and you can proceed with the next API call.

Retrieve Access Control Policy from FMC

Now we are ready to ask FMC which access control policies are configured. The next REST API call is a GET. We need to add to our header a key for “X-auth-access-token” with the value received in our previous POST request.

The last thing is replacing {domainUUID} with our DOMAIN_UUID. Once done we are ready to launch our GET.

https://<management_center_IP_or_name>/api/fmc_config/v1/domain/{domainUUID}/policy/accesspolicies

And the result should be something like this…

In the response, which is JSON, we need to save “items”.“id” for the access control policy that we want to analyze.

Retrieve rules

With “items”.“id” we can proceed with the next REST API call.
We need to add to our header a key for “X-auth-access-token” with the value received in our first POST request and substitute {containerUUID} with our “items”.“id” value.

With the last GET we will receive JSON listing all the rules configured inside our Access Control Policy, and we need to perform the last step.
Execute another GET specifying the {ruleUUID}, which is the “items”.“id” from the last GET, and you will receive JSON with all the info about your rules.

To export all the rules contained in an Access Control Policy you should use a couple of for loops in your Python script: one over the rules contained in the Access Control Policy, and another one nested inside it, for each rule, to display the details of that single rule.

Create the CSV

Now in the response.json() we have all the info to create our CSV file. A tip for this step is to map the fixed fields like “rule_id”, “name”, “enabled” and to handle all other fields as exceptions.
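An added sketch of the rule loop and CSV step described above (not the author's script). It also follows offset/limit paging so long policies are not silently truncated. Assumptions: the `accessrules` sub-paths, the optional field names and their `objects`/`literals` layout, and the `get_json` callable, which wraps a GET carrying the token.

```python
import csv, io, json, urllib.request

API = "/api/fmc_config/v1/domain/{dom}/policy/accesspolicies"
FIXED = {"rule_id": "id", "name": "name", "enabled": "enabled"}  # CSV column -> JSON key
OPTIONAL = ["sourceZones", "destinationZones",
            "sourceNetworks", "destinationNetworks"]  # assumed rule fields, often absent

def make_get_json(base_url, token):
    """Real transport: GET with X-auth-access-token; TLS verification stays enabled."""
    def get_json(path):
        req = urllib.request.Request(base_url + path,
                                     headers={"X-auth-access-token": token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get_json

def paged(get_json, path, limit=100):
    """Walk offset/limit pages until a short page signals the end of the list."""
    offset = 0
    while True:
        items = get_json(f"{path}?offset={offset}&limit={limit}").get("items", [])
        yield from items
        if len(items) < limit:
            return
        offset += limit

def names(field):
    """Flatten an optional field to 'a;b'; a missing or empty field means 'any'."""
    if not field:
        return "any"
    vals = [o.get("name", "") for o in field.get("objects", [])]
    vals += [lit.get("value", "") for lit in field.get("literals", [])]
    return ";".join(vals) or "any"

def export_policy_csv(get_json, domain_uuid, policy_name):
    """Outer loop over the policy's rules, one detail GET per rule, one CSV row each."""
    root = API.format(dom=domain_uuid)
    policy = next((p for p in paged(get_json, root) if p["name"] == policy_name), None)
    if policy is None:
        raise LookupError(f"no access policy named {policy_name!r}")
    rules_path = f"{root}/{policy['id']}/accessrules"
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(list(FIXED) + ["action"] + OPTIONAL)
    for item in paged(get_json, rules_path):
        rule = get_json(f"{rules_path}/{item['id']}")  # full rule details
        writer.writerow([rule.get(k) for k in FIXED.values()] + [rule.get("action")]
                        + [names(rule.get(f)) for f in OPTIONAL])
    return out.getvalue()
```

For a live run, pass `make_get_json("https://<management_center_IP_or_name>", token)` as `get_json`, using the token and DOMAIN_UUID obtained from the POST step.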

I hope that this post about how to export an Access Control Policy from Cisco FMC was cool, and stay tuned on ITornAgeek for new posts!!!