

Route all traffic behind ASA 5505 over VPN with Meraki MX60

Posted on 2015-01-25
Medium Priority
Last Modified: 2015-02-16
I have set up a site-to-site VPN between a Cisco ASA 8.2 and a Meraki MX60. The VPN is working fine.

My remote office is using an ASA 5505, and I want to route all traffic over the VPN tunnel towards the Meraki.

I have tried different settings, but failed to figure out how to make it work.

Thank you for assisting me.

Here is the ASA config.
ASA Version 8.2(2)
hostname ASA
enable password XXX encrypted
passwd 2XXX encrypted
name net_192.168.21.0 description A_Office Inside Subnet
name net_192.168.22.0 description SH VPN Client Subnet
name net_192.168.40.0 description B_Office Inside Subnet
name net_192.168.41.0 description B_Office Inside Subnet
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address AA.BB.197.114
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
object-group network B_Office-network
 network-object net_192.168.40.0
 network-object net_192.168.41.0
object-group network A_office-network
 network-object net_192.168.21.0
 network-object net_192.168.22.0
access-list acl_inside extended permit ip any any
access-list acl_inside extended permit icmp any any
access-list acl_outside extended permit icmp any any
access-list outside_1_cryptomap extended permit ip net_192.168.21.0 net_192.168.40.0
access-list inside_nat0_outbound extended permit ip object-group A_office-network any
access-list inside_nat0_outbound extended permit ip net_192.168.21.0 net_192.168.41.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm location net_192.168.22.0 inside
asdm location net_192.168.40.0 inside
asdm location net_192.168.41.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group acl_inside in interface inside
access-group acl_outside in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer AA.BB.49.252
crypto map outside_map 1 set transform-set ESP-AES-128-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash md5
 group 5
 lifetime 28800
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
username cisco password ABC encrypted
tunnel-group AA.BB.49.252 type ipsec-l2l
tunnel-group AA.BB.49.252 ipsec-attributes
 pre-shared-key abcdef
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
: end


Question by: Miftaul

Accepted Solution

MarcusSjogren earned 1500 total points
ID: 40570298

I don't know the commands by heart, but what you must do on the Cisco ASA is this:

1. Change the crypto map from src=ASANetwork, dst=MerakiNetwork to this: src=ASANetwork, dst=any
2. Change the NAT table and create an exempt rule with src=ASANetwork, dst=any, and make sure it's at the top of the rules.

I am not used to the Meraki, but the reasonable configuration would be to do the same on this end.
1. Change the crypto map from src=MerakiNetwork, dst=ASALocalNetwork to this: src=any, dst=ASANetwork
2. Change the NAT table and create an exempt rule with src=any, dst=ASANetwork, and make sure it's at the top of the rules for this VPN.
3. Add a dynamic NAT rule where src=ASANetwork, dst=any to allow NAT to the public IP when accessing the Internet.
4. Depending on your configuration, you might need to make an exemption rule and place it before the dynamic NAT rule to get the local addresses able to communicate, e.g. src=MerakiNetwork, dst=ASANetwork, so that it doesn't NAT this traffic. If this had been a Cisco ASA it would not have been an issue, because it works with interfaces/VLANs as well, but I'm not sure about the Meraki.
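For reference, this is what steps 1 and 2 of the answer above look like on the asker's ASA in 8.2 syntax, using the ACL and object names from the posted config (an added illustration of the ASA side only, not the answerer's or the asker's own commands; 203.0.113.10 is a documentation address standing in for any Internet host). The Meraki side still needs the mirror-image change, and the closing comment below reports that Meraki support did not support a default route over the tunnel to a non-Meraki peer.

```cisco
! Step 1: widen the crypto ACL that "crypto map outside_map 1" matches on.
! Today it only selects 192.168.21.0/24 -> 192.168.40.0/24; for a full
! tunnel every flow from the inside subnet must be "interesting" traffic.
no access-list outside_1_cryptomap extended permit ip net_192.168.21.0 net_192.168.40.0
access-list outside_1_cryptomap extended permit ip net_192.168.21.0 any
!
! Step 2: NAT exemption. The posted config already has exactly this entry
! at the top of inside_nat0_outbound and binds it with "nat (inside) 0",
! so nothing is added here; just confirm it precedes the narrower line,
! because "nat (inside) 1" (interface PAT) must never see tunnelled traffic.
show running-config access-list inside_nat0_outbound
show running-config nat
!
! Check: trace an Internet-bound packet from a LAN host. With the changes
! in place the trace should show a "Type: VPN / Subtype: encrypt" phase
! with Result: ALLOW, and no NAT phase translating the source to the
! outside interface address.
packet-tracer input inside tcp 192.168.21.10 12345 203.0.113.10 80
!
! Check: after real traffic flows, the SA for the Meraki peer should show
! the wide selector (local 192.168.21.0/24, remote 0.0.0.0/0) and rising
! encaps counters.
show crypto ipsec sa peer AA.BB.49.252
```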

Author Closing Comment

ID: 40612008
Meraki Support says pointing the default route over the VPN is only supported if both ends are Meraki devices. It will not work between Meraki and ASA.

Awarding points to MarcusSjogren for his guidance.
