Cisco ASA compatibility with Meraki switches and APs

SOLVED
jay_b
Getting noticed

Hello all,

Currently we have Meraki infrastructure: MX250, Meraki switches and APs.

We are expanding, so we are running out of VPN connections, as the MX250 only provides 500 connections. That's why we are thinking of bringing enterprise firewalls in house.

Will a Cisco ASA be compatible with Meraki switches and APs?

KarstenI
Kind of a big deal

Yes, there is no problem with this combination. Most of my customers have an ASA in addition to the MX just for VPN connections. These ASAs are also connected to the MS switches. And the ASA also doesn't care which APs are used.

jay_b
Getting noticed

KarstenI,

Thank you for providing feedback. Just wondering if there is any article or solution for migration. 

KarstenI
Kind of a big deal

Well, there are countless resources out there for ASA configuration. Depends on what exactly you want to move from the MX to the ASA. RA-VPN, S2S-VPN, ...

If you are not familiar with VPN-config on the ASA, I would look for a local consultant to implement that. Too many things that can be done wrong on the ASA. 

DarrenOC
Kind of a big deal

Hi @jay_b, just to reiterate what @KarstenI states, we have this setup across a number of sites: MXs being used as perimeter firewalls and ASAs being used for client and third-party VPNs.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
jay_b
Getting noticed

@DarrenOC Thanks for your feedback. So you have the ASA inline with the MX?

KarstenI
Kind of a big deal

I typically put them in parallel or put the inside interface of the ASA in an MX DMZ, based on the filtering needs. Both solutions work well. In general I would not place them inline, as most of the time there is no real benefit to that.
Well, I have one network where the ASA (actually it is a Firepower 1010) is inline with the MX, my office network.

jay_b
Getting noticed

@KarstenI I was thinking of putting them in parallel too. The ASA can be used for VPN stuff and the MX can be used for all other internal stuff, as the MX is really easy to manage. Our main reason for bringing in an ASA is only VPN. To put them in parallel I would require a second IP.

KarstenI
Kind of a big deal

Yes, an additional IP is needed. But only one regardless of using HA or not. But I always try to have IPs on both ASAs.

If you do not have spare IPs, I would reach out to the ISP to get some more. If that is not possible, you can put the outside interface of the ASA into an MX DMZ and forward UDP/443,500,4500 and TCP/443 to the ASA.

PhilipDAth
Kind of a big deal

The physical ASA series is now almost dead. You could use a virtual ASA such as an ASAv30 on VMware, Hyper-V or KVM (the smaller models don't have more capacity than an MX250).

https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/... 

The virtual ASAs are quite well priced.

Otherwise I think you'll be looking at a Firepower box. Perhaps a Firepower 2110 or 2120 might be a good fit.

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-74247... 

Note you will [almost certainly] also need a Firepower Virtual Management centre. Note that some of the more complex client VPN connectivity options require Cisco ISE. So you may need all three components to form a working solution in complex environments.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/data_sheet_c78-6... 

Just to warn you - a Firepower solution will make your MX250 look cheap. It will make the MX450 look cheap.
