Solved

Route all traffic behind ASA 5505 over VPN with Meraki MX60

Posted on 2015-01-25
Last Modified: 2015-02-16
I have set up a site-to-site VPN between a Cisco ASA 8.2 and a Meraki MX60. The VPN is working fine.

My Remote Office is using ASA 5505 and I want to route all traffic over VPN tunnel towards Meraki.

I have tried different settings, but failed to figure out how to make it work.

Thank you for assisting me.

Here is the ASA config.
!
ASA Version 8.2(2)
!
hostname ASA
enable password XXX encrypted
passwd 2XXX encrypted
names
name 192.168.21.0 net_192.168.21.0 description A_Office Inside Subnet
name 192.168.22.0 net_192.168.22.0 description SH VPN Client Subnet
name 192.168.40.0 net_192.168.40.0 description B_Office Inside Subnet
name 192.168.41.0 net_192.168.41.0 description B_Office Inside Subnet
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.21.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address AA.BB.197.114 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group network B_Office-network
 network-object net_192.168.40.0 255.255.255.0
 network-object net_192.168.41.0 255.255.255.0
object-group network A_office-network
 network-object net_192.168.21.0 255.255.255.0
 network-object net_192.168.22.0 255.255.255.0
access-list acl_inside extended permit ip any any
access-list acl_inside extended permit icmp any any
access-list acl_outside extended permit icmp any any
access-list outside_1_cryptomap extended permit ip net_192.168.21.0 255.255.255.0 net_192.168.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group A_office-network any
access-list inside_nat0_outbound extended permit ip net_192.168.21.0 255.255.255.0 net_192.168.41.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm location net_192.168.22.0 255.255.255.0 inside
asdm location net_192.168.40.0 255.255.255.0 inside
asdm location net_192.168.41.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_inside in interface inside
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 58.246.197.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer AA.BB.49.252
crypto map outside_map 1 set transform-set ESP-AES-128-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash md5
 group 5
 lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy DfltGrpPolicy attributes
username cisco password ABC encrypted
tunnel-group AA.BB.49.252 type ipsec-l2l
tunnel-group AA.BB.49.252 ipsec-attributes
 pre-shared-key abcdef
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5608c0ac90fb86536a6da5b68ccc66dc
: end

Question by:Miftaul
2 Comments
Accepted Solution
by: MarcusSjogren (earned 500 total points)
ID: 40570298
Hi,

I don't know the commands by heart, but what you must do on the Cisco ASA is this:

1. Change the crypto map from src=ASANetwork, dst=MerakiNetwork to this: src=ASANetwork dst=any
2. Change the NAT table and create an exempt rule with src=ASANetwork dst=any, and make sure it's at the top of the rules.

I am not used to the Meraki, but the reasonable configuration would be to do the same on this end.
1. Change the crypto map from src=MerakiNetwork, dst=ASALocalNetwork to this: src=Any dst=ASANetwork
2. Change the NAT table and create an exempt rule with src=any dst=ASANetwork, and make sure it's at the top of the rules for this VPN
3. Add a dynamic NAT rule where src=ASANetwork dst=any to allow NAT to the public IP when accessing the Internet.
4. Depending on your configuration, you might need to make an exemption rule and place it before the dynamic NAT rule to get the local addresses able to communicate, e.g. src=MerakiNetwork dst=ASANetwork so that it doesn't NAT this traffic. If this had been a Cisco ASA it would not have been an issue, because it works with interfaces/VLANs as well, but I'm not sure about the Meraki.
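The ASA side of MarcusSjogren's steps 1 and 2, written out against the posted 8.2 configuration, as an added example; it is not from the original thread and not Cisco's own documentation. It reuses the ACL names, object names and peer address from the posted config and uses the pre-8.3 `nat (inside) 0 access-list` exemption style that config already relies on. The Meraki side is deliberately not shown, since the closing comment reports that the MX does not support a default route over VPN to a non-Meraki peer.

```text
! Step 1: widen the crypto ACL so that every destination reached from the
! A_Office LAN is "interesting traffic" for the tunnel to the Meraki peer.
! The old entry only matched the Meraki LAN 192.168.40.0/24, so Internet-bound
! packets were never offered to the crypto map.
no access-list outside_1_cryptomap extended permit ip net_192.168.21.0 255.255.255.0 net_192.168.40.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip net_192.168.21.0 255.255.255.0 any
!
! Step 2: NAT exemption for the same source/destination pair, inserted as the
! first entry so it is evaluated before anything narrower. The posted config
! already has an equivalent line (object-group A_office-network -> any) at
! the top of inside_nat0_outbound, so this is shown to make the requirement
! explicit rather than because a new line is strictly needed.
access-list inside_nat0_outbound line 1 extended permit ip net_192.168.21.0 255.255.255.0 any
!
! The default route stays on the outside interface: it is still required to
! reach the IKE peer AA.BB.49.252, and on the ASA it is the crypto map, not
! the routing table, that decides which packets are encrypted.
route outside 0.0.0.0 0.0.0.0 58.246.197.113 1
```

Because the exemption line now matches all traffic from 192.168.21.0/24, the dynamic PAT in `nat (inside) 1 0.0.0.0 0.0.0.0` no longer applies to those hosts; their Internet traffic would have to be NATed by the far end after it leaves the tunnel, which is exactly the part the Meraki declined to do. Two checks from enable mode confirm what the ASA itself is doing: `show crypto ipsec sa peer AA.BB.49.252` should list a remote identity of 0.0.0.0/0.0.0.0 for the rebuilt SA, and `packet-tracer input inside tcp 192.168.21.10 1024 8.8.8.8 80` (constructed sample addresses) should show a VPN encrypt phase rather than a plain NAT-and-route path.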

Author Closing Comment
by: Miftaul
ID: 40612008
Meraki Support says pointing the default route over the VPN is only supported if both ends are Meraki devices. It will not work between a Meraki and an ASA.

Awarding points to MarcusSjogren for his guidance.