Meraki

Community

MX to ASA site to site

Solved
leadtheway
Building a reputation
‎Aug 23 2019 7:11 AM
‎Aug 23 2019 7:11 AM

MX to ASA site to site

Having an issue with a meraki and an ASA site to site.  When i first built tunnel it showed up, both green on meraki and showing MM_active in the crypto sa on the ASA.  But Still can't talk to devices behind the asa.  And periodically when I check asa vpn status it shows red, but when i try to ping something behind the asa i get 100% loss but the tunnel will then show green.  Not sure if its an issue with meraki and using summarized subnets or something else.  Anyone have experience with this?

 

Capture2.PNG

0 Kudos
1 Accepted Solution
Nash
Kind of a big deal
‎Aug 23 2019 8:15 AM
‎Aug 23 2019 8:15 AM

Your interesting subnets on the ASA need to exactly match the interesting subnets on the MX. If you need to restrict access across the tunnel, use the VPN firewall rules. Please note that you can only set VPN firewall rules for outbound traffic.

 

You might find https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Cisco_ASA_Site-to-site_VPN_Setup interesting.

 

That "no tunnel, ping 100% loss, then tunnel comes up" could be the tunnel dying due to lack of traffic. You send traffic, tunnel comes up. What's the status on the ASA when the tunnel shows as down on the MX side?

Windows 10 Client VPN scripts: Makes life better!

View solution in original post

13 Replies 13
Nash
Kind of a big deal
‎Aug 23 2019 8:15 AM
‎Aug 23 2019 8:15 AM

Your interesting subnets on the ASA need to exactly match the interesting subnets on the MX. If you need to restrict access across the tunnel, use the VPN firewall rules. Please note that you can only set VPN firewall rules for outbound traffic.

 

You might find https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Cisco_ASA_Site-to-site_VPN_Setup interesting.

 

That "no tunnel, ping 100% loss, then tunnel comes up" could be the tunnel dying due to lack of traffic. You send traffic, tunnel comes up. What's the status on the ASA when the tunnel shows as down on the MX side?

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
leadtheway
Building a reputation
‎Aug 23 2019 8:25 AM
‎Aug 23 2019 8:25 AM

Yes this is the doc I used.  Currently there are a bunch of asa to asa site to sites so there was already an object group created for the asa subsets but they are summarized in a /15.   Like the 10.0.0.0/15 actually has 10.0.3.0/24 and 10.0.4.0/24.

0 Kudos
In response to leadtheway
BrechtSchamp
Kind of a big deal
‎Aug 23 2019 10:54 AM
‎Aug 23 2019 10:54 AM

Is routing setup correctly? As in, the devices behind the MX have the MX as next hop for the subnet at the other end of the tunnel or as the default gateway? Inversely on the ASA?

0 Kudos
In response to BrechtSchamp
leadtheway
Building a reputation
‎Aug 23 2019 10:58 AM
‎Aug 23 2019 10:58 AM

the meraki is the DFGW for all the subnets of the meraki side.  The meraki should make those uplink decisions correct?  I'm trying to test right from the meraki mx pinging a host behind asa

0 Kudos
In response to leadtheway
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Aug 23 2019 11:08 AM
‎Aug 23 2019 11:08 AM

with Meraki AutoVPN, routing would be set up automatically for you. Here, you‘ll have to do it manually.

 

The question is: have you set up a static route on both ASA as well as MX pointing towards themselves for the connected subnets?

0 Kudos
In response to CptnCrnch
leadtheway
Building a reputation
‎Aug 23 2019 11:12 AM
‎Aug 23 2019 11:12 AM

Oh, so on the mx, those subnets should have static routes?  heres the routing tableCapture.PNG

Yes the ASA is the default for its connected subnets. I could post that config if it would help

0 Kudos
In response to leadtheway
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Aug 23 2019 11:58 AM
‎Aug 23 2019 11:58 AM

How does the ASA reach the prefixes behind the MX? Could you post a „show route SUBNETBEHINDMX“?

0 Kudos
In response to CptnCrnch
leadtheway
Building a reputation
‎Aug 23 2019 12:01 PM
‎Aug 23 2019 12:01 PM

hmm says subnet not in table.,..i did see that the ASA subnets GW is a catalyst 4500. 

0 Kudos
In response to leadtheway
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Aug 23 2019 12:10 PM
‎Aug 23 2019 12:10 PM

What happens if you configure the ASA to route the subnet(s) behind the MX to the MX?

0 Kudos
In response to CptnCrnch
leadtheway
Building a reputation
‎Aug 23 2019 12:14 PM
‎Aug 23 2019 12:14 PM

It looks like i can't even ping the next hop that is the mx...like 10.60.0.1

 

 

0 Kudos
In response to CptnCrnch
JasonCampbell
Getting noticed
‎Aug 23 2019 12:32 PM
‎Aug 23 2019 12:32 PM

You don't need an explicit route for VPN on ASA. The access list and crypto map take care of that when properly configured.

You do need to setup an access list that permits VPN traffic inbound/outbound, or whitelist all VPN traffic. You can do so on ASDM -- this is the option on the site-to-site vpn tab labeled "Bypass interface access lists for inbound VPN sessions".
0 Kudos
In response to JasonCampbell
leadtheway
Building a reputation
‎Aug 23 2019 12:34 PM
‎Aug 23 2019 12:34 PM

I used the wizard for the site to site in adsm...would it do it for me?

0 Kudos
In response to leadtheway
leadtheway
Building a reputation
‎Aug 23 2019 12:51 PM
‎Aug 23 2019 12:51 PM

i can see ACls and crypto map in the asa with a source of the asa subnets and destination of the MX subnets with ip service set to permit.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.