We have ASA 5545X across three different offices. Remote users connect using Cisco AnyConnect to ASAs. We also have site to site tunnels between business partners that terminate on ASA. We have started to set up home offices for users and provided them Z3s which do a site to site VPN from Z3 to ASA. We are looking to set up Meraki MX in our office so we can use the Auto VPN feature to set up a site to site tunnel between Z3 and MX, but do not want to remove ASA and make minimal changes since we have site to site tunnels from other sites and business partners. Is it possible to accomplish the above requirement?
@MKS1: Have a look at the document below; it may help you.
https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Cisco_ASA_Site-to-site_VPN_Setup
Hi,
We have the following set up already
Can we do the above?
Sure. Just set up an MX at the HQ to be the AutoVPN hub and let Meraki magic do the rest. If you configure AutoVPN for your workforce, the Z3s will use it.
The only question is: Do your remote users need access to your business partners? If so, your hub MX will need to route those networks over your existing ASA.
@MKS1, should work fine. If you’re just going to use this to connect the Z3 using AutoVPN then I’d probably put the MX in as a one-armed VPN concentrator behind the ASA. As @CptnCrnch said, the Meraki magic will get the MX and the Z3 to connect. The Meraki magic is documented, but it should work without issue in this setup.
@MKS1 the suggestions above will work. We have been running pretty much the exact same setup as you want for the last couple of years. The only difference being we have two HA pairs of firewalls terminating client and 3rd party site to site VPNs with the MX pair in single armed mode behind.
One of the edge pairs is ASAs, and when connecting the MXs it just worked once we allowed the prescribed ports out to allow connection to the Meraki cloud.