MX to ASA site to site

SOLVED
leadtheway
Building a reputation


Having an issue with a Meraki and an ASA site-to-site. When I first built the tunnel it showed up, both green on the Meraki and showing MM_ACTIVE in the crypto SA on the ASA. But I still can't talk to devices behind the ASA. And periodically when I check the ASA VPN status it shows red, but when I try to ping something behind the ASA I get 100% loss, and the tunnel will then show green. Not sure if it's an issue with the Meraki and using summarized subnets, or something else. Anyone have experience with this?

 


1 ACCEPTED SOLUTION
Nash
Kind of a big deal

Your interesting subnets on the ASA need to exactly match the interesting subnets on the MX. If you need to restrict access across the tunnel, use the VPN firewall rules. Please note that you can only set VPN firewall rules for outbound traffic.

 

You might find https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Cisco_ASA_Site-to-site_VPN_Setup interesting.

 

That "no tunnel, ping 100% loss, then tunnel comes up" could be the tunnel dying due to lack of traffic. You send traffic, tunnel comes up. What's the status on the ASA when the tunnel shows as down on the MX side?

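A quick way to check the "exactly match" requirement before touching the tunnel again, as an added example (not code from the thread, the Meraki doc, or either vendor): expand the ASA crypto ACL and its object-groups into the (source, destination) proxy-ID pairs the ASA will accept, then compare them with the per-subnet pairs the MX will propose. The ASA config, the object-group and ACL names, and the 10.60.0.0/24 MX subnet are constructed for the example; the /15 summary containing 10.0.3.0/24 and 10.0.4.0/24 is the one described later in the thread. The assumption that the MX negotiates one Phase 2 SA per local/remote subnet pair is labelled in the code.

```python
"""Compare an ASA crypto ACL's proxy IDs with the subnet pairs a Meraki MX will
propose. Added example; not code from the thread, Meraki, or Cisco.
"""
from __future__ import annotations

import re
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

Pair = Tuple[IPv4Network, IPv4Network]

# Constructed sample ASA config (object-group and ACL names are hypothetical).
# The /15 summary contains 10.0.3.0/24 and 10.0.4.0/24 but equals neither.
ASA_CONFIG = """
object-group network ASA-SUBNETS
 network-object 10.0.0.0 255.254.0.0
object-group network MX-SUBNETS
 network-object 10.60.0.0 255.255.255.0
access-list VPN-TO-MX extended permit ip object-group ASA-SUBNETS object-group MX-SUBNETS
"""

# Constructed MX side: the MX's own private subnets and the ASA peer's
# private subnets as entered for the non-Meraki VPN peer in Dashboard.
MX_LOCAL = ["10.60.0.0/24"]
MX_REMOTE = ["10.0.3.0/24", "10.0.4.0/24"]


def _endpoint(tokens: List[str], groups: Dict[str, List[IPv4Network]]) -> Tuple[List[IPv4Network], List[str]]:
    """Consume one ACL endpoint: any | host A | object-group G | A MASK."""
    kw = tokens[0]
    if kw in ("any", "any4"):
        return [ip_network("0.0.0.0/0")], tokens[1:]
    if kw == "host":
        return [ip_network(tokens[1] + "/32")], tokens[2:]
    if kw == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], tokens[2:]


def parse_asa(config: str) -> Dict[str, List[Pair]]:
    """Return {acl_name: [(src, dst), ...]} with object-groups expanded.
    Only 'permit ip' lines matter for a crypto map, so others are ignored."""
    groups: Dict[str, List[IPv4Network]] = {}
    acls: Dict[str, List[Pair]] = {}
    current: Optional[List[IPv4Network]] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.fullmatch(r"network-object (?:host (\S+)|(\S+) (\S+))", line)
        if m and current is not None:
            host, addr, mask = m.groups()
            current.append(ip_network(f"{host}/32" if host else f"{addr}/{mask}", strict=False))
            continue
        m = re.fullmatch(r"access-list (\S+) extended permit ip (.+)", line)
        if m:
            current = None
            tokens = m.group(2).split()
            srcs, tokens = _endpoint(tokens, groups)
            dsts, tokens = _endpoint(tokens, groups)
            acls.setdefault(m.group(1), []).extend((s, d) for s in srcs for d in dsts)
    return acls


def compare(asa_pairs: List[Pair], mx_local: List[str], mx_remote: List[str]) -> Dict[str, List[Pair]]:
    """Classify every proxy-ID pair the MX will propose against the ASA ACL.

    Assumption (not from the thread): the MX negotiates one Phase 2 SA per
    (local subnet, remote subnet) combination. Pairs are kept in the ASA's
    view, (ASA-side source, MX-side destination), to match the ACL.
      exact      - identical proxy IDs on both sides; this is what works
      summarized - ASA entry is a wider supernet (e.g. /15 vs /24), so the
                   proxy IDs are not an exact match
      missing    - nothing on the ASA covers the pair at all
      asa_only   - ASA entries the MX will never propose (stale or too wide)
    """
    asa = set(asa_pairs)
    result: Dict[str, List[Pair]] = {"exact": [], "summarized": [], "missing": []}
    for local in map(ip_network, mx_local):
        for remote in map(ip_network, mx_remote):
            pair = (remote, local)
            if pair in asa:
                result["exact"].append(pair)
            elif any(remote.subnet_of(s) and local.subnet_of(d) for s, d in asa):
                result["summarized"].append(pair)
            else:
                result["missing"].append(pair)
    result["asa_only"] = sorted(asa - set(result["exact"]))
    return result


def suggested_acl_lines(acl_name: str, result: Dict[str, List[Pair]]) -> List[str]:
    """ACL lines giving the ASA the exact per-subnet proxy IDs the MX expects."""
    return [
        f"access-list {acl_name} extended permit ip "
        f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}"
        for s, d in result["summarized"] + result["missing"]
    ]


if __name__ == "__main__":
    for name, pairs in parse_asa(ASA_CONFIG).items():
        report = compare(pairs, MX_LOCAL, MX_REMOTE)
        for kind in ("exact", "summarized", "missing", "asa_only"):
            for s, d in report[kind]:
                print(f"{kind:10} {s} -> {d}")
        for line in suggested_acl_lines(name, report):
            print("fix:", line)
```

With the constructed config both MX pairs land in "summarized" and the /15 entry shows up as "asa_only", which is the situation the thread describes: the tunnel negotiates Phase 1 fine, but the Phase 2 selectors never line up. The "fix" lines are the per-subnet entries to put in the crypto ACL instead of the summary; whatever NAT exemption (no-NAT) rule the ASA has for this peer has to use the same subnets, or the traffic is translated before it ever reaches the crypto map.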

leadtheway
Building a reputation

Yes, this is the doc I used. Currently there are a bunch of ASA-to-ASA site-to-sites, so there was already an object group created for the ASA subnets, but they are summarized in a /15. Like the 10.0.0.0/15 actually has 10.0.3.0/24 and 10.0.4.0/24.

Is routing set up correctly? As in, do the devices behind the MX have the MX as next hop for the subnet at the other end of the tunnel, or as the default gateway? And inversely on the ASA?

leadtheway
Building a reputation

The Meraki is the default gateway for all the subnets on the Meraki side. The Meraki should make those uplink decisions, correct? I'm trying to test right from the Meraki MX, pinging a host behind the ASA.

With Meraki AutoVPN, routing would be set up automatically for you. Here, you'll have to do it manually.

 

The question is: have you set up a static route on both ASA as well as MX pointing towards themselves for the connected subnets?

leadtheway
Building a reputation

Oh, so on the MX, those subnets should have static routes? Here's the routing table (screenshot, Capture.PNG):

Yes the ASA is the default for its connected subnets. I could post that config if it would help

How does the ASA reach the prefixes behind the MX? Could you post a "show route SUBNETBEHINDMX"?

leadtheway
Building a reputation

Hmm, it says subnet not in table... I did see that the ASA subnets' GW is a Catalyst 4500.

What happens if you configure the ASA to route the subnet(s) behind the MX to the MX?

leadtheway
Building a reputation

It looks like I can't even ping the next hop that is the MX... like 10.60.0.1

 

 

You don't need an explicit route for VPN on ASA. The access list and crypto map take care of that when properly configured.

You do need to set up an access list that permits VPN traffic inbound/outbound, or whitelist all VPN traffic. You can do so in ASDM; this is the option on the site-to-site VPN tab labeled "Bypass interface access lists for inbound VPN sessions".

I used the wizard for the site-to-site in ASDM... would it do it for me?

leadtheway
Building a reputation

I can see ACLs and a crypto map in the ASA with a source of the ASA subnets and a destination of the MX subnets, with IP service set to permit.
