ASA Migration and choosing WAN IP for S2S

BillMcC

Good morning all. I am about to migrate my existing MX100 firewalls over to MX105s. Along with this I will be moving all of my old site-to-site VPNs from an ASA. The ASA site-to-sites have a different WAN address than the Merakis are using. I have a /28 block from our provider and all firewalls are using IPs from the same circuit.

To ease the pain in migration I have all of the specs for the site-to-site migration, except for the fact that the remote side expects to see a specific WAN IP. Some of these are connections to the state and systems I would have to track down a ton of information on.

To the point. Is it possible to choose the WAN IP on the MX105 that a specific site-to-site will use? I am afraid you guys are going to say no. But considering the weakness in Meraki's ability to route across VPNs I would not be surprised lol.

Thanks!

4 Replies
Mloraditch

No, that is not possible. The MX will only use the actual WAN IP or the HA IP (if you have that set up) of the active primary WAN for 3rd-party VPNs.

BillMcC

Thanks Matthew! 

I have 5 VPNs that I need to find out who the admins are for, lol.

Mloraditch

You can also just move that IP to your MXs? It could be easier to update any whitelists than the VPNs.

PhilipDAth

Going sideways, the MX is not so strong with regard to non-Meraki site-to-site VPNs.

Have you thought about keeping the ASA for just these VPNs (no public IP change then), or moving them to something like StrongSwan running as a VM on existing compute? (I use StrongSwan a lot; it is free and very powerful.)

There is also the virtual ASA option (such as the Cisco vASA 10). The virtual option is going to be around for a long time yet. If you want to go newer, there are also the virtual Firepower units, and the baby Firepower units (which can also run ASA - just copy and paste the config) like the Firepower 1010.

https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/...

https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/threat-defense-vir...

https://www.cisco.com/site/us/en/products/security/firewalls/firepower-1000-series/index.html
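As an added example (not from PhilipDAth's post or anywhere else in this thread), here is what the strongSwan route looks like in practice: a swanctl.conf fragment that pins one tunnel to the public IP the remote side already expects, while a second tunnel is sourced from a different address out of the same /28. Every address, identity, subnet, connection name and pre-shared key below is a placeholder (RFC 5737 / RFC 1918 documentation ranges), and the peers' proposals are assumed; substitute the values from your ASA config.

```conf
# Added example, not from the original thread: strongSwan swanctl.conf
# that binds each third-party tunnel to a chosen public IP.
# All addresses are placeholders from documentation ranges.
# Both public IPs must already be configured on the host's WAN interface
# (for example: ip addr add 203.0.113.5/28 dev eth0) before loading this.
connections {
    # Tunnel that must keep the old ASA address as its source.
    # local_addrs restricts IKE (and therefore ESP) to this one WAN IP.
    state-agency {
        local_addrs  = 203.0.113.5
        remote_addrs = 198.51.100.10
        version      = 2
        proposals    = aes256-sha256-modp2048
        dpd_delay    = 30s
        local {
            auth = psk
            # IKE identity the remote peer is configured to expect.
            id   = 203.0.113.5
        }
        remote {
            auth = psk
            id   = 198.51.100.10
        }
        children {
            state-agency-net {
                local_ts      = 10.10.0.0/24
                remote_ts     = 172.16.50.0/24
                esp_proposals = aes256-sha256-modp2048
                # Bring the tunnel up as soon as the config is loaded.
                start_action  = start
                dpd_action    = restart
            }
        }
    }

    # A second tunnel sourced from a different IP in the same /28 block.
    vendor {
        local_addrs  = 203.0.113.6
        remote_addrs = 198.51.100.20
        version      = 2
        proposals    = aes256-sha256-modp2048
        dpd_delay    = 30s
        local {
            auth = psk
            id   = 203.0.113.6
        }
        remote {
            auth = psk
            id   = 198.51.100.20
        }
        children {
            vendor-net {
                local_ts      = 10.10.0.0/24
                remote_ts     = 192.168.200.0/24
                esp_proposals = aes256-sha256-modp2048
                start_action  = start
                dpd_action    = restart
            }
        }
    }
}

secrets {
    # One pre-shared key per peer, selected by the remote identity.
    ike-state-agency {
        id     = 198.51.100.10
        secret = "replace-with-a-long-random-psk"
    }
    ike-vendor {
        id     = 198.51.100.20
        secret = "replace-with-another-long-random-psk"
    }
}
```

After `swanctl --load-all`, `swanctl --list-sas` shows each IKE_SA together with the local address it is bound to, which is the address the remote side will see as the tunnel source. Keeping one connection block per peer also keeps the pre-shared keys separated by identity, so a key handed to one remote administrator never authenticates the other tunnel.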