ASA to MX migration, sanity check

Solved
newengineerhere

Hey all,

I'm migrating 4 ASA devices, connected via IPsec VPN, to Meraki MX and wanted to see if I'm missing anything in my plan.

topology.jpg

I am planning on having the MX run behind the "hub" ASA as a VPN concentrator, and migrate the spokes to Meraki one at a time. My assumption is that once each spoke is migrated over to Meraki and configured for AutoVPN, I'll need to add one static route to the hub ASA, for example:

All traffic destined to 192.168.2.0/24 (spoke) will go to 192.168.1.2 (hub MX) 


This should allow all 3 spokes, regardless of which tunnel they use, to have connectivity to each other.

Once all spokes have been migrated, I will decommission the hub ASA and change the hub MX to routed mode, and remove all the static routes. Do I have everything correct? Any feedback will be appreciated. Thanks.

1 Accepted Solution
KarstenI

All in all, that should work.

If you have a spare public IP, I would put the MX in parallel to the ASA and migrate the branches. This way you don't have to change the MX when done and you can also directly use the security features of the MX for your outgoing traffic.

newengineerhere

I thought of using the MX in parallel, but I don't have a spare public IP, unfortunately.

Thanks for confirming the deployment plan, much appreciated!
