Meraki To Cisco ASA 5500 Site to Site VPN

Advertisement

KB ID 0001255 Dtd 08/11/16

Problem

This was surprisingly easier than I was expecting! Special thanks to  Steve for letting me loose on his test network for the Meraki end of the tunnel. Here I'm using an MX 64 Security appliance, and a Cisco ASA 5510.  Meraki to Cisco Asa VPN

Solution

Configuring Meraki MX Device for VPN to a Cisco ASA

From your Meraki dashboard > Security Appliance > Site To Site VPN.

Meraki Site To Site VPN

If you have no VPNs setup then you will need to select 'Hub', then scroll down to 'Non-Meraki VPN Peers' > Add a peer.

Meraki Site To Site Peer

Give the tunnel a name > Public IP is the address of the ASA > Private Subnets is the network(s) behind the ASA > Preshare secret is a shared key you will enter on the ASA (below). Above select all the networks you have behind the Meraki that you want to participate in the VPN and set their 'Use VPN' Status to 'Yes'

Note: If you click the IPSEC policy you will see what it wants to use for phase 1 and phase 2 of the VPN tunnel. BE AWARE: By default PFS (Perfect Forward Secrecy) is disabled. If you setup your AS VPN from within the ASDM wizard this may be enabled on the ASA. More reason to use the command line options I give you below!

Meraki Site To Site Cisco ASA

If you don't know the public IP of your Meraki device, here is where to find it (so you can use it when configuring the ASA).

Meraki MX Public IP

Configuring Cisco ASA5500 for VPN to a Meraki MX Device

To make things simple, change the values in RED below then you can paste in the command to your Cisco ASA.

WARNING: Below I use a crypto map called CRYPTO-MAP If you already have one then CHANGE the name to match your existing one ('show run crypto map' will show you). e.g. if yours is called outside_map  then change the entries below to outside_map 2.

Note: This config uses newer (post 8.3) NAT commands.

!
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 12800
!
object network OBJ-This-Site
subnet 192.168.100.0 255.255.255.0
object network OBJ-Meraki-Site
subnet 192.168.102.0 255.255.255.0
!
access-list MERAKI-INTERESTING-TRAFFIC extended permit ip object OBJ-This-Site object OBJ-Meraki-Site
nat (inside,outside) source static OBJ-This-Site OBJ-This-Site destination static OBJ-Meraki-Site OBJ-Meraki-Site no-proxy-arp route-lookup
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
pre-shared-key 123456
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set MERAKI-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address MERAKI-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 203.0.113.1
crypto map CRYPTO-MAP 1 set ikev1 transform-set MERAKI-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *