Trying to create from MX68CW-WW with 4G connection VPN Site to Site to Cisco ASA 5510

AndrejRistovsk
Here to help
Hi there.

I am working on an exciting project that involves migration of 11 Cisco ASA firewalls (from 5505 to 5515).

Some of the sites are in Spoke-Hub topology. All 11 Cisco ASA firewalls are going to be replaced with Meraki MX appliances.

Now I have built a physical LAB environment with real Cisco ASA 5505 and 5510 equipment + the first Meraki MX device and am trying to accomplish the following:

- On site 1 I have a Cisco ASA5510 with a public IP from the ISP on the outside interface. On the inside interface I have the 172.168.5.0/24 subnet.

- On site 2 I have a Cisco ASA5505 with a public IP from the ISP on the outside interface. On the inside interface I have the 172.168.20.0/24 subnet.

Between site 1 and site 2 there is an IPsec tunnel established and it works just fine.

Now I am trying to simulate the physical switch on site 2 from the Cisco ASA to the Meraki MX68CW-WW. On the Meraki MX68CW-WW I have only a 4G internet connection for now.

I have been following the guide for creating a site-to-site VPN with the help of this link: https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Cisco_ASA_Site-to-site_VPN_Setup

However, my question is whether a Meraki MX can establish a site-to-site VPN connection with an ASA via 4G?

Any advice is appreciated.

3 Replies
MarcP
Kind of a big deal

Should work, yes.

Creating a non-Meraki VPN.

Shouldn't be a problem with 4G (dynamic public IP, which I think is what makes you think about it).

Meraki just needs an internet connection and that's it.

PhilipDAth
Kind of a big deal

This will be horribly complicated - so don't do it.

You will need at a minimum dynamic DNS peer support to handle the dynamic IP addresses being given out on the 4G, and I don't think the 5505s and 5510s can run new enough ASA software to get this feature.

You could consider using a wildcard VPN on the ASA, but with other VPNs and having such old ASAs you are probably in for a world of hurt.

I recommend a change of attack. Instead, stand the network up side by side.

Hopefully there is some "main" site. Install an ASA there - side by side with the ASA - instead of replacing the ASA.

Then as you cut each branch over from ASA to MX, simply update the routing table on the main site to route that specific subnet via the main branch MX.
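For readers who want to see what the "wildcard VPN on the ASA" mentioned above actually looks like, here is a constructed hub-side ASA configuration (added here, not from the thread or from Cisco/Meraki documentation): a dynamic crypto map that accepts an IKEv1 site-to-site peer whose public IP is not known in advance, which is the situation of an MX on 4G. It assumes ASA 8.4+ syntax, interfaces named inside and outside, the two subnets from the first post, and a placeholder pre-shared key; the IKE and IPsec parameters are assumptions and must match whatever is configured on the MX non-Meraki VPN peer.

```text
! Hub ASA with a static public IP on "outside". The spoke is an MX on 4G
! whose public IP changes, so there is no "set peer" anywhere below.
! Constructed example: subnets taken from the thread, everything else assumed.
object network SITE1-LAN
 subnet 172.168.5.0 255.255.255.0
object network SITE2-LAN
 subnet 172.168.20.0 255.255.255.0

! Interesting traffic (proxy IDs) for the site 1 <-> site 2 tunnel
access-list VPN-SITE2 extended permit ip object SITE1-LAN object SITE2-LAN

! Exempt tunnel traffic from NAT (twice NAT, identity mapping)
nat (inside,outside) source static SITE1-LAN SITE1-LAN destination static SITE2-LAN SITE2-LAN no-proxy-arp route-lookup

! Phase 1 policy: must match the MX side
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 enable outside

! Phase 2 proposal
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Dynamic crypto map: the "wildcard" part. Any peer that authenticates with
! the default L2L pre-shared key and proposes matching proxy IDs is accepted.
crypto dynamic-map DYN-MAP 10 match address VPN-SITE2
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto dynamic-map DYN-MAP 10 set pfs group2

! Static-peer entries (other existing ASA-to-ASA tunnels) keep their lower
! sequence numbers; the dynamic entry must be evaluated last.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! Peers with no dedicated tunnel-group land in DefaultL2LGroup.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
```

Two properties of this design are worth checking before relying on it. First, the hub cannot initiate the tunnel because it has no peer address; the MX must bring it up, so site 1 to site 2 traffic fails until the MX has done so (verify with `show crypto ikev1 sa` and `show crypto ipsec sa` on the ASA after generating traffic from the MX side). Second, the pre-shared key under DefaultL2LGroup is shared by every dynamic peer the ASA accepts, so with several branches cut over this way they all authenticate with the same secret and are told apart only by their proxy IDs; that is one concrete reason the reply above expects trouble once other VPNs are in the mix.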

MarcP
Kind of a big deal
@PhilipDAth wrote:

You will need at a minimum dynamic DNS peer support to handle the dynamic IP addresses being given out on the 4G, and I don't think the 5505s and 5510s can run new enough ASA software to get this feature.

You could consider using a wildcard VPN on the ASA, but with other VPNs and having such old ASAs you are probably in for a world of hurt.

Can you explain this to me?

If the ASA has got a static IP, which is what I just assumed, and you use a dial-up IPsec VPN from the MX to the ASA, this shouldn't be a problem...

I am with you on the old firmware of the ASAs, but shouldn't it work anyway?
