AUTO VPN talk to 3rd party LAN ASA

Senan_Rogers

Hello Team,

I need your advice on best practice for how to make the two remote VPN LANs in MX 64 talk with the INSIDE LAN in the ASA 5520 if I connect the LAN in the MX 100 to the INSIDE LAN in the ASA, as shown below:

My question is: what configuration is needed in the MX 100 to make the two remote VPN LANs in MX 64 talk with the INSIDE LAN in the ASA 5520? Keep in mind that the VPN (Auto VPN) between Remote 1, Remote 2 and the MX 100 is okay and working.

[Attached diagram: Test copy 1.JPG]

MRCUR

Does the ASA have routes to the remote VPN subnets via the MX100? 

MRCUR | CMNO #12

My question is how to connect the LAN in the MX 100 to the INSIDE of the ASA 5520 so that the two remote VPN LANs in MX 64 talk with the INSIDE LAN in the ASA 5520. Keep in mind that the VPN (Auto VPN) between Remote 1, Remote 2 and the MX 100 is okay and working.
MRCUR

Yes, @MilesMeraki & I are trying to help answer that. 

MRCUR | CMNO #12
MilesMeraki

Where's the MX within this topology? How/where is it connected to the ASA?

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

Please refer to the diagram

If you check the diagram, you will see the MX. My question is how to connect the LAN in the MX 100 to the INSIDE of the ASA 5520 so that the two remote VPN LANs in MX 64 talk with the INSIDE LAN in the ASA 5520. Keep in mind that the VPN (Auto VPN) between Remote 1, Remote 2 and the MX 100 is okay and working.

Hey @Senan_Rogers, if you're asking how to connect for best practice, I'd chuck it behind the ASA in a DMZ VLAN if the sole purpose of the MX is just Auto-VPN/VPN concentration. Have a read of this guide, which will provide some more information on MXs in concentration mode: https://documentation.meraki.com/MX-Z/Deployment_Guides/VPN_Concentrator_Deployment_Guide

If not in VPN concentration mode, will the MX be replacing the ASA?

Eliot F | Simplifying IT with Cloud Solutions

I think what you are suggesting would work provided that the break out of the ASA is the same as the MX100 currently has.

@MilesMeraki I understand that he's asking how to connect it to a LAN port on the MX100 and configure correctly. 

@ITzhak
You get it, this is exactly what I was asking.

Is it possible to consolidate your EVPL and your (MX) WAN? Or do you need to keep the two breakouts?

@ITzhak
We need to keep the two breakouts.

Yes. Still, if the MX100 is just being used as a VPN concentrator, it can be connected via the LAN interface of the ASA, put into VPN concentration mode and act as the hub for the Auto-VPN. The secondary WAN (Internet) can be connected to the ASA as a secondary WAN interface for internet connectivity.

If the MX is to be acting as a NAT/Internet firewall with the ASA, it'll need to be placed behind the ASA with some form of Layer 3 switch between the ASA/MX, which will have routing enabled to route only specific routes over the EVPL connection and all other traffic to the MX for the Internet/Auto VPN.

You'll also have to configure the LAN VLANs on the MX for them to be advertised over the Auto-VPN connection and configure a static route for the LAN VLANs on the MX to point to the layer 3 device.

Eliot F | Simplifying IT with Cloud Solutions
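
The routing requirements raised in this thread (routes on the ASA to the remote VPN subnets via the MX 100, and a static route on the MX that is advertised over Auto VPN) can be checked with a small route-lookup model. This is an added example, not code from any poster or from Meraki or Cisco; the subnets, device names and the single routed hop between the MX 100 and the ASA are assumptions.

```python
import ipaddress

# Constructed sample addressing (assumptions, not values from the thread).
INSIDE = "10.10.0.0/24"                             # ASA INSIDE LAN
REMOTE1, REMOTE2 = "10.64.1.0/24", "10.64.2.0/24"   # LANs behind the two MX 64s
DEFAULT = "0.0.0.0/0"

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from start; return (path, delivered)."""
    path, node = [start], start
    for _ in range(max_hops):
        nh = lookup(tables[node], dst)
        if nh is None:
            return path, False              # no route at all
        if nh == "connected":
            return path, True               # dst is on a local subnet
        path.append(nh)
        if nh not in tables:
            return path, False              # left the modelled network
        node = nh
    return path, False                      # routing loop

def build(asa_routes_to_remotes, mx100_route_advertised):
    """Hypothetical model: the MX 100 LAN is one routed hop from the ASA."""
    t = {
        "asa":     {INSIDE: "connected", DEFAULT: "internet"},
        "mx100":   {REMOTE1: "mx64-r1", REMOTE2: "mx64-r2", DEFAULT: "internet"},
        "mx64-r1": {REMOTE1: "connected", DEFAULT: "internet"},
        "mx64-r2": {REMOTE2: "connected", DEFAULT: "internet"},
    }
    if asa_routes_to_remotes:               # ASA static routes via the MX 100
        t["asa"].update({REMOTE1: "mx100", REMOTE2: "mx100"})
    if mx100_route_advertised:              # MX 100 static route, shared over Auto VPN
        t["mx100"][INSIDE] = "asa"
        t["mx64-r1"][INSIDE] = t["mx64-r2"][INSIDE] = "mx100"
    return t

if __name__ == "__main__":
    for asa, mx in [(False, False), (True, False), (False, True), (True, True)]:
        t = build(asa, mx)
        print(asa, mx, trace(t, "mx64-r1", "10.10.0.5"), trace(t, "asa", "10.64.1.10"))
```

Only the last combination delivers traffic in both directions; in the others at least one direction follows a default route to the internet instead of crossing the MX 100.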