AUTO VPN talk to 3rd party LAN ASA

Getting noticed

Hello Team,

I need your advice on best practice for how to make the two remote VPN LANs on the MX 64 talk with the INSIDE LAN on the ASA 5520, if I connect the LAN on the MX 100 to the INSIDE LAN on the ASA, as shown below:

My question is: what configuration is needed on the MX 100 to make the two remote VPN LANs on the MX 64 talk with the INSIDE LAN on the ASA 5520? Keep in mind that VPN (Auto VPN) between Remote 1 and Remote 2 and the MX 100 is okay and working.

Test copy 1.JPG

13 REPLIES
Kind of a big deal

Re: AUTO VPN talk to 3rd party LAN ASA

Does the ASA have routes to the remote VPN subnets via the MX100? 

MRCUR | CMNO #12
Getting noticed

Re: AUTO VPN talk to 3rd party LAN ASA

My question is how to connect the LAN on the MX 100 to the INSIDE ASA 5520 so the two remote VPN LANs on the MX 64 talk with the INSIDE LAN on the ASA 5520. Keep in mind that VPN (Auto VPN) between Remote 1 and Remote 2 and the MX 100 is okay and working.
Kind of a big deal

Re: AUTO VPN talk to 3rd party LAN ASA

Yes, @WANKiller & I are trying to help answer that. 

MRCUR | CMNO #12
Head in the Cloud

Re: AUTO VPN talk to 3rd party LAN ASA

Where's the MX within this topology? How/where is it connected to the ASA?

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Getting noticed

Re: AUTO VPN talk to 3rd party LAN ASA

Please refer to the diagram
Getting noticed

Re: AUTO VPN talk to 3rd party LAN ASA

If you check the diagram, you will see the MX. My question is how to connect the LAN on the MX 100 to the INSIDE ASA 5520 so the two remote VPN LANs on the MX 64 talk with the INSIDE LAN on the ASA 5520. Keep in mind that VPN (Auto VPN) between Remote 1 and Remote 2 and the MX 100 is okay and working.
Head in the Cloud

Re: AUTO VPN talk to 3rd party LAN ASA

Hey @Senan_Rogers, if you're asking how to connect for best practice, I'd chuck it behind the ASA in a DMZ VLAN if the sole purpose of the MX is just Auto-VPN/VPN concentration. Have a read of this guide, which will provide some more information on MXs in concentration mode: https://documentation.meraki.com/MX-Z/Deployment_Guides/VPN_Concentrator_Deployment_Guide

If not in VPN concentration mode, will the MX be replacing the ASA?

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Getting noticed

Re: AUTO VPN talk to 3rd party LAN ASA

I think what you are suggesting would work provided that the break out of the ASA is the same as the MX100 currently has.

Getting noticed

Re: AUTO VPN talk to 3rd party LAN ASA

@WANKiller I understand that he's asking how to connect it to a LAN port on the MX100 and configure correctly. 

Getting noticed

Re: AUTO VPN talk to 3rd party LAN ASA

@ITzhak
You get it, this is exactly what I was asking.
Getting noticed

Re: AUTO VPN talk to 3rd party LAN ASA

Is it possible to consolidate your EVPL and your (MX) WAN? Or do you need to keep the two breakouts?

Getting noticed

Re: AUTO VPN talk to 3rd party LAN ASA

@ITzhak
We need to keep the two breakouts.
Head in the Cloud

Re: AUTO VPN talk to 3rd party LAN ASA

Yes, still, if the MX100 is just being used as a VPN concentrator it can be connected via the LAN interface of the ASA, put into VPN concentration mode, and act as the hub for the Auto-VPN. The secondary WAN (Internet) can be connected to the ASA as a secondary WAN interface for Internet connectivity.

If the MX is to be acting as a NAT/Internet firewall with the ASA, it'll need to be placed behind the ASA with some form of Layer 3 switch between the ASA/MX, which will have routing enabled to route only specific routes over the EVPL connection and all other traffic to the MX for the Internet/Auto VPN.

You'll also have to configure the LAN VLANs on the MX for them to be advertised over the Auto-VPN connection and configure a static route for the LAN VLANs on the MX to point to the Layer 3 device.

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)