Meraki MX and ASA

MKS1

We have ASA 5545X across three different offices. Remote users connect using Cisco AnyConnect to ASAs. We also have site to site tunnels between business partners that terminate on ASA. We have started to set up home offices for users and provided them Z3s which do a site to site VPN from Z3 to ASA. We are looking to set up Meraki MX in our office so we can use the Auto VPN feature to set up a site to site tunnel between Z3 and MX, but do not want to remove ASA and make minimal changes since we have site to site tunnels from other sites and business partners. Is it possible to accomplish the above requirement?

 

Inderdeep

@MKS1: Have a look at the document below; it may help you.

https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Cisco_ASA_Site-to-site_VPN_Setup

 

Regards/Inder

Hi,

We have the following set up already:

  • Site to Site VPN from Z3 to Cisco ASA. The issue is that since we have ASA on one side, Auto VPN does not work. Also, if the public IP address of the Z3 changes, we have to change the crypto settings on the ASA.
  • We want to connect an MX (leaving the ASA as it is) in the head office so we can use Auto VPN from Z3 --> MX.
  • We do not want to remove the ASA as we have site to site tunnels between business partners.

Can we do the above?

CptnCrnch

Sure. Just set up an MX at the HQ to be the AutoVPN hub and let Meraki magic do the rest. If you configure AutoVPN for your workforce, the Z3s will use it.

 

The only question is: Do your remote users need access to your business partners? If so, your hub MX will need to route those networks over your existing ASA.

Bruce

@MKS1, should work fine. If you’re just going to use this to connect the Z3 using AutoVPN then I’d probably put the MX in as a one-armed VPN concentrator behind the ASA. As @CptnCrnch said, the Meraki magic will get the MX and the Z3 to connect. The Meraki magic is documented, but it should work without issue in this setup.

cmr

@MKS1 the suggestions above will work. We have been running pretty much the exact same setup as you want for the last couple of years. The only difference being we have two HA pairs of firewalls terminating client and 3rd party site to site VPNs with the MX pair in single armed mode behind.

 

One of the edge pairs are ASAs and when connecting the MXs it just worked once we allowed the prescribed ports out to allow connection to the Meraki cloud.
