Is it possible to configure Auto VPN for a Z1 teleworker gateway with a non-Meraki firewall device (Cisco ASA) or a non-Cisco firewall device (Palo Alto, Check Point or FortiGate) instead of an MX security firewall? My query relates to the case where the customer already has a security appliance at their DC: can a non-Meraki or non-Cisco firewall device be configured for Auto VPN with the Z1 teleworker gateway?
@DarrenOC is absolutely right that you can form IPSec tunnels from a Z1 or Z3 to a compliant non-Meraki device, but such 'non-meraki VPN' configurations are not to be confused with AutoVPN. AutoVPN is between Meraki devices only. I mention this because AutoVPN is much simpler to configure and manage at scale and allows the use of true SD-WAN; the overlay tunnels between peers form over both uplinks and are tightly monitored, end-to-end. You can then define your preferences for which traffic flows over which uplink and fail specific applications over if performance isn't appropriate. 'Meraki devices' also includes the virtual MXs, for Azure, AWS and now Google CP and AliBaba Cloud too.
If a customer is looking to put MX in at remote branches and link back to (say) an existing ASA at their DC, I think it's probably a false economy to stick with the existing head-end device - even before you consider the benefits of SD-WAN. People often save so much time and effort in managing a full Meraki AutoVPN that it pays for the central MX. If you'd rather avoid the disruption of replacement, why not put a VPN Concentrator MX in, behind the existing firewall? https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide#Deploying_a_...
Hi @Zeeshan786, yes you can. See the section on Non-Meraki VPN Peers:
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings
You can create Site-to-site VPN tunnels between a Security Appliance or a Teleworker Gateway and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:
Note that if an MX-Z device is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down.
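As an added illustration of the "Add a peer" fields and of the default-route caveat just quoted (this is example code, not from the thread or from Meraki): the script below assembles a non-Meraki peer entry in the shape the Dashboard API's thirdPartyVPNPeers payload uses (the key names `publicIp`, `privateSubnets`, `secret`, `ikeVersion` and `networkTags` are my assumption from the public API reference, not taken from this page), then lints the payload before it is pushed. The lint flags an empty pre-shared secret, invalid addresses, duplicate peer names, and, most importantly, any set of private subnets that summarises to 0.0.0.0/0, since that is the configuration where traffic will not fail over to the WAN if the tunnel drops. All sample addresses are constructed TEST-NET values.

```python
"""Lint a non-Meraki VPN peer payload before sending it to the Dashboard.

Added example, not Meraki's code. Field names mirror the thirdPartyVPNPeers
API payload (assumption); sample data below is constructed.
"""
import ipaddress
from typing import Dict, List, Optional

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def build_peer(name: str, public_ip: str, private_subnets: List[str],
               secret: str, ike_version: str = "2",
               network_tags: Optional[List[str]] = None) -> Dict:
    """Assemble one non-Meraki VPN peer entry.

    Key names follow the Dashboard API's thirdPartyVPNPeers payload
    (assumption); the dashboard's "Add a peer" form asks for the same items.
    """
    return {
        "name": name,
        "publicIp": public_ip,
        "privateSubnets": list(private_subnets),
        "secret": secret,
        "ikeVersion": ike_version,
        "networkTags": list(network_tags) if network_tags else ["all"],
    }


def lint_peer(peer: Dict) -> List[str]:
    """Return human-readable findings for one peer; an empty list means clean."""
    findings: List[str] = []
    label = peer.get("name") or "<unnamed peer>"

    if not peer.get("secret"):
        findings.append(f"{label}: pre-shared secret is empty")

    try:
        ipaddress.ip_address(peer.get("publicIp", ""))
    except ValueError:
        findings.append(f"{label}: publicIp {peer.get('publicIp')!r} is not a valid IP address")

    nets = []
    for cidr in peer.get("privateSubnets", []):
        try:
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            findings.append(f"{label}: privateSubnet {cidr!r} is not a valid CIDR")
    if not nets:
        findings.append(f"{label}: no valid privateSubnets, nothing would be routed into the tunnel")
        return findings

    # The documented pitfall: a 0.0.0.0/0 route to a non-Meraki peer does not fail
    # over to the WAN when the tunnel drops. Collapse the list first so a default
    # route split into pieces (0.0.0.0/1 + 128.0.0.0/1) is caught as well.
    v4 = [n for n in nets if n.version == 4]
    if DEFAULT_ROUTE in list(ipaddress.collapse_addresses(v4)):
        findings.append(
            f"{label}: privateSubnets summarise to 0.0.0.0/0; traffic to this "
            "non-Meraki peer will not fail over to the WAN if the tunnel goes down")
    return findings


def lint_peers(peers: List[Dict]) -> List[str]:
    """Lint a whole payload; also flags duplicate peer names."""
    findings: List[str] = []
    seen = set()
    for p in peers:
        name = p.get("name")
        if name in seen:
            findings.append(f"{name}: duplicate peer name")
        seen.add(name)
        findings.extend(lint_peer(p))
    return findings


# Constructed sample payload (TEST-NET addresses, not a real deployment).
SAMPLE_PEERS = [
    build_peer("dc-asa", "203.0.113.10", ["10.10.0.0/16", "10.20.0.0/16"], "example-psk"),
    build_peer("dc-asa-default", "203.0.113.11", ["0.0.0.0/0"], "example-psk"),
]

if __name__ == "__main__":
    for finding in lint_peers(SAMPLE_PEERS):
        print("WARN", finding)
```

Run it as-is to see the second sample peer flagged; in practice you would run `lint_peers` over the payload you are about to PUT and refuse to push when any finding comes back, or at least require an explicit override for a deliberate full-tunnel design.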