Can the Z1 Teleworker Gateway be configured (Auto VPN) with a non-Meraki firewall device (Cisco ASA)?

SOLVED
Zeeshan786
Conversationalist

Is it possible to configure Auto VPN for the Z1 Teleworker Gateway with a non-Meraki firewall device (Cisco ASA) or a non-Cisco firewall device (Palo Alto, Check Point or FortiGate) instead of an MX security firewall? My query relates to the case where the customer already has a security appliance at their DC: can a non-Meraki or non-Cisco firewall device be configured for Auto VPN with the Z1 Teleworker Gateway?

1 ACCEPTED SOLUTION

@DarrenOC is absolutely right that you can form IPsec tunnels from a Z1 or Z3 to a compliant non-Meraki device, but such 'non-Meraki VPN' configurations are not to be confused with AutoVPN. AutoVPN is between Meraki devices only. I mention this because AutoVPN is much simpler to configure and manage at scale and allows the use of true SD-WAN: the overlay tunnels between peers form over both uplinks and are tightly monitored, end-to-end. You can then define your preferences for which traffic flows over which uplink and fail specific applications over if performance isn't appropriate. 'Meraki devices' also includes the virtual MXs, for Azure, AWS and now Google CP and Alibaba Cloud too.

If a customer is looking to put MX in at remote branches and link back to (say) an existing ASA at their DC, I think it's probably a false economy to stick with the existing head-end device, even before you consider the benefits of SD-WAN. People often save so much time and effort in managing a full Meraki AutoVPN that it pays for the central MX. If you'd rather avoid the disruption of replacement, why not put a VPN Concentrator MX in, behind the existing firewall? https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide#Deploying_a_...

3 REPLIES
DarrenOC
Kind of a big deal

Hi @Zeeshan786, yes you can. See the section on Non-Meraki VPN peers:

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings

Non-Meraki VPN peers

You can create Site-to-site VPN tunnels between a Security Appliance or a Teleworker Gateway and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:

  • A name for the remote device or VPN tunnel.
  • What IKE version to use (IKEv1 or IKEv2)*
  • The public IP address of the remote device.
  • The Remote ID of the remote peer. This is an optional configuration and can be configured to the remote peer’s UserFQDN (e.g. user@domain.com), FQDN (e.g. www.example.com) or IPv4 address as needed.
    • Which of these values you use is dependent upon your remote device. Please consult its documentation to learn what values it is capable of specifying as its remote ID, and how to configure them (e.g. crypto isakmp identity for ASA firewalls)
  • The subnets behind the third-party device that you wish to connect to over the VPN. 0.0.0.0/0 can also be specified to define a default route to this peer.
    • Note that if an MX-Z device is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down.
  • The IPsec policy to use.
  • The preshared secret key (PSK).
  • Availability settings to determine which appliances in your Dashboard Organization will connect to the peer.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
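As an added example (my own code, not Meraki's or Cisco's, and not part of this thread): the peer fields in the quoted list expressed as the JSON body the Dashboard API's third-party VPN peers endpoint takes, a validator for the things a reviewer would want caught before the peer is pushed (the 0.0.0.0/0 no-failover behaviour the doc notes, a short PSK, IKEv1, and 3DES/MD5/SHA-1/low DH groups), and the ASA IKEv2 lines that must agree with the Meraki side. The API path and field names are as I know them from the Dashboard API v1 reference and should be confirmed against the current reference; the set of "weak" algorithms is an assumed local policy; all IP addresses and the PSK are constructed placeholders.

```python
# Added example for this thread (my own code, not Meraki's or Cisco's).
# Field names follow the Meraki Dashboard API v1 third-party VPN peers
# endpoint as I know it; confirm them against the current API reference.
import ipaddress
import json

API_PATH = "/organizations/{organizationId}/appliance/vpn/thirdPartyVPNPeers"

# Assumed local policy: refuse 3DES, MD5/SHA-1, DH groups below 14, no PFS.
WEAK_VALUES = {
    "ikeCipherAlgo": {"tripledes"},
    "ikeAuthAlgo": {"md5", "sha1"},
    "ikePrfAlgo": {"prfmd5", "prfsha1"},
    "ikeDiffieHellmanGroup": {"group1", "group2", "group5"},
    "childCipherAlgo": {"tripledes", "null"},
    "childAuthAlgo": {"md5", "sha1"},
    "childPfsGroup": {"disabled", "group1", "group2", "group5"},
}
STRONG_POLICY = {
    "ikeCipherAlgo": ["aes256"], "ikeAuthAlgo": ["sha256"],
    "ikePrfAlgo": ["prfsha256"], "ikeDiffieHellmanGroup": ["group14"],
    "ikeLifetime": 28800, "childCipherAlgo": ["aes256"],
    "childAuthAlgo": ["sha256"], "childPfsGroup": ["group14"],
    "childLifetime": 3600,
}


def build_peer(name, public_ip, private_subnets, secret, remote_id=None,
               ike_version="2", policies=None, network_tags=("all",)):
    """One entry of the "peers" list the endpoint takes (PUT replaces the list)."""
    peer = {
        "name": name, "publicIp": public_ip, "secret": secret,
        "privateSubnets": list(private_subnets), "ikeVersion": ike_version,
        "ipsecPolicies": dict(policies or STRONG_POLICY),
        "networkTags": list(network_tags),   # availability: which networks connect
    }
    if remote_id:  # what the ASA sends as its IKE identity (crypto isakmp identity)
        peer["remoteId"] = remote_id
    return peer


def validate_peer(peer):
    """Return findings a reviewer would want fixed; empty list means acceptable."""
    findings = []
    if peer["ikeVersion"] != "2":
        findings.append("IKEv1 in use; prefer IKEv2 when the remote supports it")
    if len(peer["secret"]) < 20:
        findings.append("pre-shared key shorter than 20 characters")
    for cidr in peer["privateSubnets"]:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            findings.append(f"invalid subnet {cidr!r}")
            continue
        if net.prefixlen == 0:
            # Meraki doc quoted above: a 0.0.0.0/0 route to a non-Meraki peer
            # does not fail over to the WAN when the tunnel drops.
            findings.append("0.0.0.0/0 to this peer: no WAN failover if the tunnel drops")
    for field, weak in WEAK_VALUES.items():
        for value in peer["ipsecPolicies"].get(field, []):
            if value in weak:
                findings.append(f"weak {field}: {value}")
    return findings


# Meraki algorithm names -> ASA IKEv2 keywords (AES and SHA-2/SHA-1 only).
_ASA_ENC = {"aes128": "aes", "aes192": "aes-192", "aes256": "aes-256"}
_ASA_IKE_INT = {"sha256": "sha256", "sha1": "sha"}
_ASA_ESP_INT = {"sha256": "sha-256", "sha1": "sha-1"}


def asa_ikev2_config(peer, mx_public_ip):
    """ASA lines that must agree with the Meraki peer. The crypto map and the
    interesting-traffic ACL are site specific and are not generated here."""
    p = peer["ipsecPolicies"]
    return "\n".join([
        "crypto isakmp identity address",   # pairs with remoteId = ASA public IP
        "crypto ikev2 policy 10",
        f" encryption {_ASA_ENC[p['ikeCipherAlgo'][0]]}",
        f" integrity {_ASA_IKE_INT[p['ikeAuthAlgo'][0]]}",
        f" group {p['ikeDiffieHellmanGroup'][0][5:]}",
        f" prf {_ASA_IKE_INT[p['ikePrfAlgo'][0][3:]]}",
        f" lifetime seconds {p['ikeLifetime']}",
        "crypto ipsec ikev2 ipsec-proposal MERAKI",
        f" protocol esp encryption {_ASA_ENC[p['childCipherAlgo'][0]]}",
        f" protocol esp integrity {_ASA_ESP_INT[p['childAuthAlgo'][0]]}",
        f"tunnel-group {mx_public_ip} type ipsec-l2l",
        f"tunnel-group {mx_public_ip} ipsec-attributes",
        f" ikev2 remote-authentication pre-shared-key {peer['secret']}",
        f" ikev2 local-authentication pre-shared-key {peer['secret']}",
    ])


if __name__ == "__main__":
    # Constructed placeholders: documentation-range IPs and a dummy PSK.
    peer = build_peer("DC-ASA", "203.0.113.10", ["10.50.0.0/16"],
                      "replace-with-a-random-32-char-secret", remote_id="203.0.113.10")
    print(json.dumps({"peers": [peer]}, indent=2))   # PUT body for API_PATH
    print(validate_peer(peer) or "no findings")
    print(asa_ikev2_config(peer, "198.51.100.7"))    # 198.51.100.7 = Z1/MX WAN IP
```

To apply the peer, PUT the printed JSON to `https://api.meraki.com/api/v1` plus API_PATH with your key in the `X-Cisco-Meraki-API-Key` header. As far as I know the PUT replaces the organisation's whole third-party peer list, so GET the existing list and merge before writing, and run `validate_peer` on every entry, not only the new one. On the ASA you still need the crypto map that references the MERAKI proposal (with `set pfs group14` to match childPfsGroup) and an ACL covering the Z1's local subnets; those depend on your addressing and are left out above.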


Thanks for the help @GreenMan. Your explanation really clears up my query.
