Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 829
  • Last Modified:

Route all traffic behind ASA 5505 over VPN with Meraki MX60

I have setup a Site to Site VPN between Cisco ASA 8.2 and Meraki MX60. The VPN is working fine.

My Remote Office is using ASA 5505 and I want to route all traffic over VPN tunnel towards Meraki.

I have tried different settings, but failed to figure out how to make it work.

Thank you for assisting me.

Here is the ASA config.
ASA Version 8.2(2)
hostname ASA
enable password XXX encrypted
passwd 2XXX encrypted
name net_192.168.21.0 description A_Office Inside Subnet
name net_192.168.22.0 description SH VPN Client Subnet
name net_192.168.40.0 description B_Office Inside Subnet
name net_192.168.41.0 description B_Office Inside Subnet
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address AA.BB.197.114
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
object-group network B_Office-network
 network-object net_192.168.40.0
 network-object net_192.168.41.0
object-group network A_office-network
 network-object net_192.168.21.0
 network-object net_192.168.22.0
access-list acl_inside extended permit ip any any
access-list acl_inside extended permit icmp any any
access-list acl_outside extended permit icmp any any
access-list outside_1_cryptomap extended permit ip net_192.168.21.0 net_192.168.40.0
access-list inside_nat0_outbound extended permit ip object-group A_office-network any
access-list inside_nat0_outbound extended permit ip net_192.168.21.0 net_192.168.41.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm location net_192.168.22.0 inside
asdm location net_192.168.40.0 inside
asdm location net_192.168.41.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group acl_inside in interface inside
access-group acl_outside in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer AA.BB.49.252
crypto map outside_map 1 set transform-set ESP-AES-128-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash md5
 group 5
 lifetime 28800
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
username cisco password ABC encrypted
tunnel-group AA.BB.49.252 type ipsec-l2l
tunnel-group AA.BB.49.252 ipsec-attributes
 pre-shared-key abcdef
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
: end

Open in new window

1 Solution

I don't know the commands by head, but what you must do on the Cisco ASA is this:

1. Change the crypto map from src=ASANetwork, dst=MerakiNetwork to this: src=ASANetwork dst=any
2. Change the NAT-table and create an exempt-rule with src=ASANetwork dst=any and make sure its at the top of the rules.

I am not used to the Meraki, but the reasonable configuration would be to do the same on this end.
1. Change the crypto map from src=MerakiNetwork, dst=ASALocalNetwork to this: src=Any dst=ASANetwork
2. Change the NAT-table and create a exempt-rule with src=any dst=ASANetwork and make sure its at the top of the rules for this VPN
3. Add a dynamic NAT-rule where src=ASANetwork dst=any to allow NAT to public IP when accessing Internet.
4. Depending on your configuration, you might need to make an exemption-rule and place it before the dynamic NAT-rule  to get the local addresses able to communicate. E.g src=MerakiNetwork dst=ASANetwork so that it doesn't NAT this traffic. If this would have been a Cisco ASA it would have not been an issue, because it works with Interfaces/VLANs as well, but I'm not sure about the Meraki.
MiftaulAuthor Commented:
Meraki Support says, pointing default route over VPN is only supported if both end is Meraki device. Its will not work between Meraki and ASA.

Awarding points to MarcusSjogren for his guidance.

Featured Post

Become an IT Security Management Expert

In today’s fast-paced, digitally transformed world of business, the need to protect network data and ensure cloud privacy has never been greater. With a B.S. in Network Operations and Security, you can get the credentials it takes to become an IT security management expert.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now