Cisco ASA VPN Static to Dynamic IP (DHCP)

KB ID 0001683

Problem

I had a call with a client last week, they are in one of my employer’s DCs, and their servers are behind a vASA. They had purchased some Meraki MX devices for their IT team who were working remotely (during the Covid-19 lockdown), and were struggling. Normally we would just suggest AnyConnect, but these guys were building new machines for  their clients, and needed access directly to the domain from their home networks to facilitate this. So a Site-to-Site VPN was the ‘best fit’ for them.

But being home internet connections they were on DHCP for their public IP addresses. If we were all Meraki, then Meraki Auto VPN would have them up and running in no time. Conversely if they were all ‘proper’ Cisco we would be OK. In fact if they had static IP’s at home we would be OK.

So how to setup a site-to-site VPN ‘into’ a Cisco ASA with a static IP,  from another firewall with a dynamically assigned (DHCP) public IP?

I tested this firstly using a Cisco ASA at the ‘remote/dynamic’ end, then tested with a Meraki MX Device. But the methodology can be applied to any ISAKMP/IPSEC capable firewall with a dynamically assigned public IP that you want to establish a VPN into an ASA with a static IP address.

Solution

Step 1: Investigate Your Remote Device

Do your homework on the remote device, find out what it supports for VPN connectivity, you will need to answer the following questions;

  • IKE Version: Does it use/support IKEv1 or IKEv2 (or both) Set the ASA config accordingly
  • Phase 1 Encryption: What does it support? DES <- Don’t Use this if you can avoid it! 3DES, AES, AES-128, AES-192, AES-256 etc.
  • Phase 1 Hashing: What does it support? MD5, SHA/SHA1, SHA256 etc.
  • Phase 1 Diffie Hellman Group (for IKEv1): Group 1,2,5,14 etc.
  • Lifetime: {in seconds}
  • Pseudorandom function (for IKEv2): MD5, SHA1 or SHA256
  • Phase 2 (IPSEC) Encryption: 3DES, AES, AES-128, AES-192, AES-256 etc.
  • Phase 2 (IPSEC) Hashing: MD5, SHA1 or SHA254
  • Phase 2 PFS: Off or DH1, DH2, DH5, or DH14 etc.
  • Subnet on the remote site: Make sure it does not overlap with your central site, (or anyone else who will also be ‘dynamically’ connecting*).
  • Pre-Shared-Key: MAKE SURE this is long/complicated and hard to guess. 

*Note This may mean your remote sites may need to change their subnets so they don’t overlap!

Step 1 Configure the ‘Central’ ASA

I’ve covered IKEv1 VPNs and IKEv2 VPNs elsewhere on the site, feel free to go and see what what the following configuration is doing. For my Meraki Tunnel I’m going to use IKEv1, Phase 1 (3DES, SHA, Diffie Hellman Group 2, and a Lifetime of 86400 Seconds,) and Phase 2 (3DES, SHA and no PFS). Note: Some would consider this weak, but it’s the default setting on the remote device so lets keep it simple. In production you can slowly make phase1/2 more secure to your liking once you know it’s working.

Change the values in Red;

WARNING: If you already have a crypto map in use then change the keyword CRYPTO-MAP (below) to match yours. (Or all your VPNs will suddenly stop working!) Issue the command show run crypto map, if you’re unsure.

[box]

!
object network OBJ-MainSite
subnet 192.168.100.0 255.255.255.0
object network OBJ-RemoteSite-01
subnet 192.168.1.0 255.255.255.0
!
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite-01 OBJ-RemoteSite-01 no-proxy-arp route-lookup
!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set TS-IPSEC-VPN esp-3des esp-sha-hmac
!
crypto dynamic-map DYNAMIC-CRYPTO-MAP 65535 set ikev1 transform-set TS-IPSEC-VPN
crypto dynamic-map DYNAMIC-CRYPTO-MAP 65535 set reverse-route
crypto map CRYPTO-MAP 65535 ipsec-isakmp dynamic DYNAMIC-CRYPTO-MAP
crypto map CRYPTO-MAP interface outside
!
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key V3ryL0ng&H@rd2Gue55
!

[/box]

Step 3: Configure the Remote (DHCP) Firewall

If the remote end was going to be another Cisco ASA, here’s the config;

[box]

object network OBJ-MainSite
 subnet 192.168.1.0 255.255.255.0 
object network OBJ-RemoteSite
 subnet 192.168.100.0 255.255.255.0 
! 
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-RemoteSite object OBJ-MainSite 
nat (inside,outside) source static OBJ-RemoteSite OBJ-RemoteSite destination static OBJ-MainSite OBJ-MainSite no-proxy-arp route-lookup 
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-3des esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC 
crypto map CRYPTO-MAP 1 set peer 203.0.113.1 
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM 
crypto map CRYPTO-MAP interface outside
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
pre-shared-key V3ryL0ng&H@rd2Gue55
isakmp keepalive threshold 10 retry 2

[/box]

Note For IKEv2 sample ASA Configs, Click Here

However if the remote end was going to be a Meraki Device.

Log into the Meraki Portal, and select your ‘customer’ (if you have more than one) > Security & SD WAN > Site-to-Site VPN.

Type: Hub > Scroll down.

Non-Meraki VPN Peers > Add a peer.

  • Name: Give it a sensible name.
  • IKE Version: IKEv1 (Note some versions don’t support IKEv2).
  • Public IP :Of the ASA.
  • Private Subnets: The subnet(s) behind the ASA.
  • Availability: ‘All Networks’ Unless you want to filter it.
  • Save.

Note: Should you wish to change any phase1/phase2 settings, click the link that says ‘Default‘ under IPSec policies.

 

Related Articles, References, Credits, or External Links

Special thanks to Paul White for putting me on the right road, and to Andrew Dorrian for taking the time to test the Meraki VPN config for me.

Meraki Block Page http://wired.meraki.com:8090 ‘Not Found’

KB ID 0001365

Problem

If you have a Meraki Security device and have enabled ‘Content Filtering’, instead of a nice ‘block-page’ informing you why you are being blocked you may see this;

http://wired.meraki.com:8090

This is happening because your Corporate DNS is resolving ‘wired.meraki.com’ to 54.241.7.184, which you can also see if you look at the URL you are trying to connect to it on port 8090. A quick nmap of that IP will tell you port 8090 is not open,  (only port 80 and port 443 are).

This is happening because if you were to use your Meraki Device for DNS forward lookups, it would ‘DNS Doctor’ the return DSN packet and insert its own IP address in there instead. That’s fine but most corporate networks don’t want to use their Meraki devices for DNS forward lookups. 

The easiest way to resolve the problem, is with your own corporate DNS servers.

Solution

First you need the inside IP of your Meraki device(s). You can get these from the Meraki Dashboard (Security Devices > Addressing and VLANS). If you browse to that IP, you should se something similar to below;

Armed with that information, go to one of your DNS Servers, and create a new forward lookup zone.

Next > Primary zone > Next > To all DNS Servers… > Next.

Zone Name = wired.meraki.com > Next > Allow only Secure… > Next > Finish.

In the newly created zone, create a ‘New Host (A or AAAA) record.

Enter the Inside IP or your MX device (only) > Add Host > Repeat for each Meraki device, if you have more than one.

Now you will receive a slightly more friendly blocked page.

Related Articles, References, Credits, or External Links

NA

Meraki To Cisco ASA 5500 Site to Site VPN

KB ID 0001255 

Problem

This was surprisingly easier than I was expecting! Special thanks to  Steve for letting me loose on his test network for the Meraki end of the tunnel. Here I’m using an MX 64 Security appliance, and a Cisco ASA 5510.

Note: The Meraki device will need a static IP.

Solution

Configuring Meraki MX Device for VPN to a Cisco ASA

From your Meraki dashboard > Security Appliance > Site To Site VPN.

If you have no VPNs setup then you will need to select ‘Hub’, then scroll down to ‘Non-Meraki VPN Peers’ > Add a peer.

Give the tunnel a name > Public IP is the address of the ASA > Private Subnets is the network(s) behind the ASA > Preshare secret is a shared key you will enter on the ASA (below). Above select all the networks you have behind the Meraki that you want to participate in the VPN and set their ‘Use VPN’ Status to ‘Yes’

Note: If you click the IPSEC policy you will see what it wants to use for phase 1 and phase 2 of the VPN tunnel. BE AWARE: By default PFS (Perfect Forward Secrecy) is disabled. If you setup your AS VPN from within the ASDM wizard this may be enabled on the ASA. More reason to use the command line options I give you below!

If you don’t know the public IP of your Meraki device, here is where to find it (so you can use it when configuring the ASA).

Configuring Cisco ASA5500 for VPN to a Meraki MX Device

To make things simple, change the values in RED below then you can paste in the command to your Cisco ASA.

WARNING: Below I use a crypto map called CRYPTO-MAP If you already have one then CHANGE the name to match your existing one (‘show run crypto map‘ will show you). e.g. if yours is called outside_map  then change the entries below to outside_map 2.

Note: This config uses newer (post 8.3) NAT commands.

[box]

!
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 12800
!
object network OBJ-This-Site
subnet 192.168.100.0 255.255.255.0
object network OBJ-Meraki-Site
subnet 192.168.102.0 255.255.255.0
!
access-list MERAKI-INTERESTING-TRAFFIC extended permit ip object OBJ-This-Site object OBJ-Meraki-Site
nat (inside,outside) source static OBJ-This-Site OBJ-This-Site destination static OBJ-Meraki-Site OBJ-Meraki-Site no-proxy-arp route-lookup
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
pre-shared-key 123456
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set MERAKI-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address MERAKI-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 203.0.113.1
crypto map CRYPTO-MAP 1 set ikev1 transform-set MERAKI-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

[/box]

Related Articles, References, Credits, or External Links

NA

Setting Up Meraki MDM

KB ID 0001226 

Problem

As is usually the case with Meraki this is pretty simple to setup. If you are familier with Meraki and have not deployed MDM before then stop a second. I mistakenly setup a dashboard for a client recently, (like I usually do with Meraki deployments). Then could not work out how to add the MDM component without an order number!

Meraki MDM is free (up to 100 devices) which is great, but BE WARNED, register 101 devices, and you get a bill for 101 devices not 1 device!

Solution

Go to the Meraki website, and register for mobility management, this will let you create a login and a network within the Meraki Dashboard


If you already have a Meraki dashboard you will find MDM under Network-wide > MDM.

If you want to manage Apple devices, then you need to download a certificate from Apple, (this requires you to have an Apple ID, if you don’t have one go and set one up). Download the CSR (Certificate Signing Request), and then USE THE HYPERLINK to go to Apple’s website.

Upload your .CSR file.

Download your ‘push certificate’.

Back in the MDM dashboard, enter your Apple ID  >Browse to your new push certificate, and select ‘Save’.

Note: If you registered though meraki then you will already have a network defined, (skip the next two steps). If you have an existing dashboard, you may need to create a network.

Select MDM > Create Network,

You can now add devices to the MDM network.

Related Articles, References, Credits, or External Links

NA