ASA to MX migration, sanity check

SOLVED

Hey all, 

 

I'm migrating 4 ASA devices connected via IPsec VPN to Meraki MX and wanted to see if I'm missing anything in my plan.

 

topology.jpg

I am planning on having the MX run behind the "hub" ASA as a VPN concentrator, and migrate the spokes to Meraki one at a time. My assumption is that once each spoke is migrated over to Meraki and configured for AutoVPN, I'll need to add one static route to the hub ASA, for example:

 

All traffic destined to 192.168.2.0/24 (spoke) will go to 192.168.1.2 (hub MX) 


This should allow all 3 spokes, regardless of which tunnel they use, to have connectivity to each other.

 

Once all spokes have been migrated, I will decommission the hub ASA and change the hub MX to routed mode, and remove all the static routes. Do I have everything correct? Any feedback will be appreciated. Thanks

1 ACCEPTED SOLUTION


Re: ASA to MX migration, sanity check

All in all, that should work.

If you have a spare public IP, I would put the MX in parallel to the ASA and migrate the branches. This way you don't have to change the MX when done, and you can also directly use the security features of the MX for your outgoing traffic.

Re: ASA to MX migration, sanity check

I thought of using the MX in parallel, but I don't have a spare public IP, unfortunately.

 

Thanks for confirming the deployment plan, much appreciated! 
