Hello Team,
I need your advice on best practice for how to make the two remote VPN LANs on the MX 64 talk with the INSIDE LAN on the ASA 5520, if I connect the LAN on the MX 100 to the INSIDE LAN on the ASA, as shown below.
My question is: what configuration is needed on the MX 100 to make the two remote VPN LANs on the MX 64 talk with the INSIDE LAN on the ASA 5520? Keep in mind that the VPN (Auto VPN) between Remote 1, Remote 2 and the MX 100 is okay and working.
Does the ASA have routes to the remote VPN subnets via the MX100?
Where's the MX within this Topology? How/Where is it connected to the ASA?
Hey @Senan_Rogers, if you're asking how to connect for best practice, I'd chuck it behind the ASA in a DMZ VLAN if the sole purpose of the MX is just Auto-VPN/VPN concentration. Have a read of this guide, which will provide some more information on MXs in concentration mode: https://documentation.meraki.com/MX-Z/Deployment_Guides/VPN_Concentrator_Deployment_Guide
If not in VPN Concentration mode, will the MX be replacing the ASA?
I think what you are suggesting would work provided that the break out of the ASA is the same as the MX100 currently has.
@MilesMeraki I understand that he's asking how to connect it to a LAN port on the MX100 and configure correctly.
Is it possible to consolidate your EVPL and your (MX) WAN? Or do you need to keep the two breakouts?
Yes. Still, if the MX100 is just being used as a VPN concentrator, it can be connected via the LAN interface of the ASA, put into VPN concentration mode, and act as the hub for the Auto-VPN. The secondary WAN (Internet) can be connected to the ASA as a secondary WAN interface for internet connectivity.
If the MX is to be acting as a NAT/Internet firewall with the ASA, it'll need to be placed behind the ASA with some form of Layer 3 switch between the ASA and the MX, which will have routing enabled to route only specific routes over the EVPL connection and all other traffic to the MX for the Internet/Auto VPN.
You'll also have to configure the LAN VLANs on the MX for them to be advertised over the Auto-VPN connection, and configure a static route for the LAN VLANs on the MX to point to the Layer 3 device.