Meraki

Community

Refresh ISR4431 x MX105 Meraki and Cisco ASA x Firepower

Solved
JAlmeida
Here to help
‎Sep 10 2024 10:25 AM
‎Sep 10 2024 10:25 AM

Refresh ISR4431 x MX105 Meraki and Cisco ASA x Firepower

I need help designing a migration topology.
We currently have two sites here at the company, one in Rio de Janeiro and the other in São Paulo.

We have an ISR4431 receiving the ISP links.

There is an L2L tunnel between the RJ and SP ISRs for our internal communication.

In front of the ISR we have an ASA5555 with the Outside coming from the 4431 and the Inside for the internal networks.

Now my company has purchased an MX105 and a Firepower 1150.

 

I would like to know if this type of configuration is possible and if it is a good practice with:

Link >> MX105 >> FRP1150 >> 9300

The idea would be for the MX105 RJ to receive the ISP links, establish the Site-to-Site VPN with the MX105 SP, and be the Firepower gateway/outside.

 

Is there any document that can help me corroborate this architecture?

Labels:
0 Kudos
1 Accepted Solution
In response to JAlmeida
cmr
Kind of a big deal
Kind of a big deal
‎Sep 11 2024 6:10 AM
‎Sep 11 2024 6:10 AM

In which case I'd definitely go with my suggested topology.  The MXs could be installed with the existing equipment in place and once the VPN has been set up and the traffic redirected, that function could be removed from the 4431s and you could get on with the ASA to FirePower migration.

If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

0 Kudos
10 Replies 10
cmr
Kind of a big deal
Kind of a big deal
‎Sep 10 2024 11:16 AM
‎Sep 10 2024 11:16 AM

@JAlmeida I would possibly have the topology as ISP-FP-9300 with MX in single ended mode doing site to site VPN.  How many MXs and FirePowers do you have for each site?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
JAlmeida
Here to help
‎Sep 10 2024 12:42 PM
‎Sep 10 2024 12:42 PM

Thank you for your quick response.
In the topology drawing, they are:
2 MX in each location
2 FRP in each location.

But observing, in fact, the MX would only be for P2P with dmvpn.

0 Kudos
In response to JAlmeida
cmr
Kind of a big deal
Kind of a big deal
‎Sep 10 2024 2:07 PM
‎Sep 10 2024 2:07 PM

Indeed it would and you would only need the enterprise license.  Was there a reason to want the MX outside the FRP?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
JAlmeida
Here to help
‎Sep 11 2024 5:55 AM
‎Sep 11 2024 5:55 AM

Hey, I just joined the project, and the MX will replace the Router 4431 that has this function: LAN-to-LAN VPN for connectivity between both branches.

Its function will be this.

Connectivity between the RJ x SP branches

In response to JAlmeida
cmr
Kind of a big deal
Kind of a big deal
‎Sep 11 2024 6:10 AM
‎Sep 11 2024 6:10 AM

In which case I'd definitely go with my suggested topology.  The MXs could be installed with the existing equipment in place and once the VPN has been set up and the traffic redirected, that function could be removed from the 4431s and you could get on with the ASA to FirePower migration.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
JAlmeida
Here to help
‎Sep 11 2024 6:48 AM
‎Sep 11 2024 6:48 AM

Perfect! I'll analyze the settings and do that.
MX only for communication between Branches and internal networks
Perfect, the dmvpn configuration doesn't seem complex in MX, I'll look into it here.

FPR1150 for the VPN with the client and with our external network.

By the way, MX for P2P needs a dedicated link in each MX, right?

Thanks for the support.

In response to JAlmeida
cmr
Kind of a big deal
Kind of a big deal
‎Sep 11 2024 7:35 AM
‎Sep 11 2024 7:35 AM

In WAN concentrator mode, port 1 of each MX will plug into the LAN, probably the C9300 in your case.  Plug one in on each site and create two separate RJ and SP networks in the dashboard.  Add the MXs to the respective networks and wait until they show up live.  You might need to allow access through the ASAs, the ports and IPs are on the ? menu at the top right of the dashboard.  Once the MXs show online add the other two by clicking the 'Configurr Warm Spare' button on the 'Appliance Status' page and following the prompts.  You'll need a total of 2-3 IP addresses on the LAN subnet that you use at each site.  I'd always choose the vIP option that uses 3 addresses.  Now you can plug in the secondary MX at each site.  Next, enable the VPN from the 'Site-to-site VPN' page and add the locks networks that you want to advertise.  Finally change your LAN routing to point to the MX for the other site's LAN(s).

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
cmr
Kind of a big deal
Kind of a big deal
‎Sep 11 2024 7:36 AM
‎Sep 11 2024 7:36 AM

Apologies, I should have used some formatting, but hopefully it's understandable!?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
JAlmeida
Here to help
‎Sep 11 2024 7:47 AM
‎Sep 11 2024 7:47 AM

Yes! Thank you for the clarification.

The project included 2 MXs and 2 FRPs and some Catalist 9300s.

However, only the FRPs arrived from one unit.

Currently my network is 1x1 (1 ASA and 1 4431) in each unit.

I think I will propose this type of migration a priori.

Placing an MX in each branch, creating the VPN, connecting the LANs and then proceeding with the network configurations.

In response to JAlmeida
cmr
Kind of a big deal
Kind of a big deal
‎Sep 11 2024 7:58 AM
‎Sep 11 2024 7:58 AM

Perfect plan 👍  If the other FRPs arrive before you have finished the MX set up then you could install them in pair from the outset. 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.