KB ID 0001255
This was surprisingly easier than I was expecting! Special thanks to Steve for letting me loose on his test network for the Meraki end of the tunnel. Here I’m using an MX 64 Security appliance, and a Cisco ASA 5510.
Note: The Meraki device will need a static IP.
Configuring Meraki MX Device for VPN to a Cisco ASA
From your Meraki dashboard > Security Appliance > Site To Site VPN.
If you have no VPNs setup then you will need to select ‘Hub’, then scroll down to ‘Non-Meraki VPN Peers’ > Add a peer.
Give the tunnel a name > Public IP is the address of the ASA > Private Subnets is the network(s) behind the ASA > Preshare secret is a shared key you will enter on the ASA (below). Above select all the networks you have behind the Meraki that you want to participate in the VPN and set their ‘Use VPN’ Status to ‘Yes’
Note: If you click the IPSEC policy you will see what it wants to use for phase 1 and phase 2 of the VPN tunnel. BE AWARE: By default PFS (Perfect Forward Secrecy) is disabled. If you setup your AS VPN from within the ASDM wizard this may be enabled on the ASA. More reason to use the command line options I give you below!
If you don’t know the public IP of your Meraki device, here is where to find it (so you can use it when configuring the ASA).
Configuring Cisco ASA5500 for VPN to a Meraki MX Device
To make things simple, change the values in RED below then you can paste in the command to your Cisco ASA.
WARNING: Below I use a crypto map called CRYPTO-MAP If you already have one then CHANGE the name to match your existing one (‘show run crypto map‘ will show you). e.g. if yours is called outside_map then change the entries below to outside_map 2.
Note: This config uses newer (post 8.3) NAT commands.
! crypto ikev1 enable outside crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 12800 ! object network OBJ-This-Site subnet 192.168.100.0 255.255.255.0 object network OBJ-Meraki-Site subnet 192.168.102.0 255.255.255.0 ! access-list MERAKI-INTERESTING-TRAFFIC extended permit ip object OBJ-This-Site object OBJ-Meraki-Site nat (inside,outside) source static OBJ-This-Site OBJ-This-Site destination static OBJ-Meraki-Site OBJ-Meraki-Site no-proxy-arp route-lookup ! tunnel-group 203.0.113.1 type ipsec-l2l tunnel-group 203.0.113.1 ipsec-attributes pre-shared-key 123456 isakmp keepalive threshold 10 retry 2 ! crypto ipsec ikev1 transform-set MERAKI-TRANSFORM esp-aes-256 esp-sha-hmac ! crypto map CRYPTO-MAP 1 match address MERAKI-INTERESTING-TRAFFIC crypto map CRYPTO-MAP 1 set peer 203.0.113.1 crypto map CRYPTO-MAP 1 set ikev1 transform-set MERAKI-TRANSFORM crypto map CRYPTO-MAP interface outside !
Related Articles, References, Credits, or External Links