Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Refresh ISR4431 x MX105 Meraki and Cisco ASA x Firepower

Solved
JAlmeida
Conversationalist
Tuesday
Tuesday

Refresh ISR4431 x MX105 Meraki and Cisco ASA x Firepower

I need help designing a migration topology.
We currently have two sites here at the company, one in Rio de Janeiro and the other in São Paulo.

We have an ISR4431 receiving the ISP links.

There is an L2L tunnel between the RJ and SP ISRs for our internal communication.

In front of the ISR we have an ASA5555 with the Outside coming from the 4431 and the Inside for the internal networks.

Now my company has purchased an MX105 and a Firepower 1150.

 

I would like to know if this type of configuration is possible and if it is a good practice with:

Link >> MX105 >> FRP1150 >> 9300

The idea would be for the MX105 RJ to receive the ISP links, establish the Site-to-Site VPN with the MX105 SP, and be the Firepower gateway/outside.

 

Is there any document that can help me corroborate this architecture?

Labels:
0 Kudos
Subscribe
1 Accepted Solution
In response to JAlmeida
cmr
Kind of a big deal
Kind of a big deal
Wednesday
Wednesday

In which case I'd definitely go with my suggested topology.  The MXs could be installed with the existing equipment in place and once the VPN has been set up and the traffic redirected, that function could be removed from the 4431s and you could get on with the ASA to FirePower migration.

View solution in original post

0 Kudos
Subscribe
10 Replies 10
cmr
Kind of a big deal
Kind of a big deal
Tuesday
Tuesday

@JAlmeida I would possibly have the topology as ISP-FP-9300 with MX in single ended mode doing site to site VPN.  How many MXs and FirePowers do you have for each site?

0 Kudos
Subscribe
In response to cmr
JAlmeida
Conversationalist
Tuesday
Tuesday

Thank you for your quick response.
In the topology drawing, they are:
2 MX in each location
2 FRP in each location.

But observing, in fact, the MX would only be for P2P with dmvpn.

0 Kudos
Subscribe
In response to JAlmeida
cmr
Kind of a big deal
Kind of a big deal
Tuesday
Tuesday

Indeed it would and you would only need the enterprise license.  Was there a reason to want the MX outside the FRP?

0 Kudos
Subscribe
In response to cmr
JAlmeida
Conversationalist
Wednesday
Wednesday

Hey, I just joined the project, and the MX will replace the Router 4431 that has this function: LAN-to-LAN VPN for connectivity between both branches.

Its function will be this.

Connectivity between the RJ x SP branches

Subscribe
In response to JAlmeida
cmr
Kind of a big deal
Kind of a big deal
Wednesday
Wednesday

In which case I'd definitely go with my suggested topology.  The MXs could be installed with the existing equipment in place and once the VPN has been set up and the traffic redirected, that function could be removed from the 4431s and you could get on with the ASA to FirePower migration.

0 Kudos
Subscribe
In response to cmr
JAlmeida
Conversationalist
Wednesday
Wednesday

Perfect! I'll analyze the settings and do that.
MX only for communication between Branches and internal networks
Perfect, the dmvpn configuration doesn't seem complex in MX, I'll look into it here.

FPR1150 for the VPN with the client and with our external network.

By the way, MX for P2P needs a dedicated link in each MX, right?

Thanks for the support.

Subscribe
In response to JAlmeida
cmr
Kind of a big deal
Kind of a big deal
Wednesday
Wednesday

In WAN concentrator mode, port 1 of each MX will plug into the LAN, probably the C9300 in your case.  Plug one in on each site and create two separate RJ and SP networks in the dashboard.  Add the MXs to the respective networks and wait until they show up live.  You might need to allow access through the ASAs, the ports and IPs are on the ? menu at the top right of the dashboard.  Once the MXs show online add the other two by clicking the 'Configurr Warm Spare' button on the 'Appliance Status' page and following the prompts.  You'll need a total of 2-3 IP addresses on the LAN subnet that you use at each site.  I'd always choose the vIP option that uses 3 addresses.  Now you can plug in the secondary MX at each site.  Next, enable the VPN from the 'Site-to-site VPN' page and add the locks networks that you want to advertise.  Finally change your LAN routing to point to the MX for the other site's LAN(s).

0 Kudos
Subscribe
In response to cmr
cmr
Kind of a big deal
Kind of a big deal
Wednesday
Wednesday

Apologies, I should have used some formatting, but hopefully it's understandable!?

0 Kudos
Subscribe
In response to cmr
JAlmeida
Conversationalist
Wednesday
Wednesday

Yes! Thank you for the clarification.

The project included 2 MXs and 2 FRPs and some Catalist 9300s.

However, only the FRPs arrived from one unit.

Currently my network is 1x1 (1 ASA and 1 4431) in each unit.

I think I will propose this type of migration a priori.

Placing an MX in each branch, creating the VPN, connecting the LANs and then proceeding with the network configurations.

Subscribe
In response to JAlmeida
cmr
Kind of a big deal
Kind of a big deal
Wednesday
Wednesday

Perfect plan 👍  If the other FRPs arrive before you have finished the MX set up then you could install them in pair from the outset. 

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.