Non-Meraki VPN network reachability

Hi Guys,

Currently my setup looks something like this: Edge-MX >>> AutoVPN <<< Main-MX >>> IPSEC <<< ASA

The MX at the main site has a VPN peer configured with the ASA and has networks exchanged between them. The Edge and Main site MX devices use Meraki AutoVPN for connection between some internal networks.

My question is: How do I configure my devices so that the Edge site can access the networks through the ASA VPN peer? Do I need to configure the edge-MX to peer with the ASA as well? Would I just need to set up a static route pointing to the ASA networks using the main-MX as the next-hop?

I feel like this should be quite simple but I'm scratching my head about it.

Thank you!

1 ACCEPTED SOLUTION

Re: Non-Meraki VPN network reachability

You can't.  Each edge MX will also require a non-Meraki VPN to the ASA.

Re: Non-Meraki VPN network reachability

One option you could look at is using a secondary MX at your hub site (Main-MX location) to manage the ASA VPN link. That way, you can add a static route onto the Main-MX pointing to the VPN MX and that will allow you to publish the remote ASA subnets into SD-WAN. There's a great example walkthrough of this by Aaron Willette:

https://www.willette.works/merging-meraki-vpns/

We use this approach to bring in a couple of third party locations that need to reach services on site but are not part of our Meraki deployment.
