Solved

Route all traffic behind ASA 5505 over VPN with Meraki MX60

Posted on 2015-01-25
Last Modified: 2015-02-16
I have set up a site-to-site VPN between a Cisco ASA 8.2 and a Meraki MX60. The VPN is working fine.

My remote office is using an ASA 5505 and I want to route all traffic over the VPN tunnel towards the Meraki.

I have tried different settings, but failed to figure out how to make it work.

Thank you for assisting me.

Here is the ASA config.
!
ASA Version 8.2(2)
!
hostname ASA
enable password XXX encrypted
passwd 2XXX encrypted
names
name 192.168.21.0 net_192.168.21.0 description A_Office Inside Subnet
name 192.168.22.0 net_192.168.22.0 description SH VPN Client Subnet
name 192.168.40.0 net_192.168.40.0 description B_Office Inside Subnet
name 192.168.41.0 net_192.168.41.0 description B_Office Inside Subnet
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.21.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address AA.BB.197.114 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group network B_Office-network
 network-object net_192.168.40.0 255.255.255.0
 network-object net_192.168.41.0 255.255.255.0
object-group network A_office-network
 network-object net_192.168.21.0 255.255.255.0
 network-object net_192.168.22.0 255.255.255.0
access-list acl_inside extended permit ip any any
access-list acl_inside extended permit icmp any any
access-list acl_outside extended permit icmp any any
access-list outside_1_cryptomap extended permit ip net_192.168.21.0 255.255.255.0 net_192.168.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group A_office-network any
access-list inside_nat0_outbound extended permit ip net_192.168.21.0 255.255.255.0 net_192.168.41.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm location net_192.168.22.0 255.255.255.0 inside
asdm location net_192.168.40.0 255.255.255.0 inside
asdm location net_192.168.41.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_inside in interface inside
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 58.246.197.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer AA.BB.49.252
crypto map outside_map 1 set transform-set ESP-AES-128-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash md5
 group 5
 lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy DfltGrpPolicy attributes
username cisco password ABC encrypted
tunnel-group AA.BB.49.252 type ipsec-l2l
tunnel-group AA.BB.49.252 ipsec-attributes
 pre-shared-key abcdef
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5608c0ac90fb86536a6da5b68ccc66dc
: end

Question by:Miftaul
2 Comments
 
LVL 4

Accepted Solution

by:
MarcusSjogren earned 500 total points
Hi,

I don't know the commands by heart, but what you must do on the Cisco ASA is this:

1. Change the crypto map from src=ASANetwork, dst=MerakiNetwork to this: src=ASANetwork dst=any
2. Change the NAT-table and create an exempt-rule with src=ASANetwork dst=any and make sure it's at the top of the rules.

I am not used to the Meraki, but the reasonable configuration would be to do the same on this end.
1. Change the crypto map from src=MerakiNetwork, dst=ASALocalNetwork to this: src=Any dst=ASANetwork
2. Change the NAT-table and create an exempt-rule with src=any dst=ASANetwork and make sure it's at the top of the rules for this VPN
3. Add a dynamic NAT-rule where src=ASANetwork dst=any to allow NAT to a public IP when accessing the Internet.
4. Depending on your configuration, you might need to make an exemption-rule and place it before the dynamic NAT-rule to allow the local addresses to communicate, e.g. src=MerakiNetwork dst=ASANetwork so that it doesn't NAT this traffic. If this had been a Cisco ASA it would not have been an issue, because it works with Interfaces/VLANs as well, but I'm not sure about the Meraki.
 
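The two ASA-side steps above (crypto-map ACL with dst=any, NAT 0 exemption with dst=any) can be checked against a running config before touching the box. The following is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the config posted in the question (same aliases, object-group, ACL and crypto map names) and reports which of the two conditions the ASA 8.2 config already meets. It only inspects the ASA side; as the closing comment notes, whether the Meraki end accepts a default route over the tunnel is a separate question.

```python
# Constructed excerpt of the ASA 8.2 config posted above: aliases, object-group, ACLs, NAT 0, crypto map.
POSTED_CONFIG = """\
name 192.168.21.0 net_192.168.21.0 description A_Office Inside Subnet
name 192.168.40.0 net_192.168.40.0 description B_Office Inside Subnet
object-group network A_office-network
 network-object net_192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip net_192.168.21.0 255.255.255.0 net_192.168.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group A_office-network any
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
"""
FIXED_CONFIG = POSTED_CONFIG.replace("net_192.168.40.0 255.255.255.0", "any")  # step 1: crypto ACL dst=any

def parse_config(text):
    """Collect name aliases, network object-groups, permit ACEs, crypto-map ACL names and NAT-0 ACL names."""
    names, groups, acls, crypto, nat0, cur = {}, {}, {}, [], [], None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "name":
            names[w[2]] = w[1]                               # alias -> network address
        elif w[:2] == ["object-group", "network"]:
            cur = groups.setdefault(w[2], [])
        elif w[0] == "network-object" and cur is not None:
            cur.append(names.get(w[1], w[1]))
        elif w[0] == "access-list" and w[2:4] == ["extended", "permit"]:
            acls.setdefault(w[1], []).append(_endpoints(w[5:], names))
        elif w[:2] == ["crypto", "map"] and "address" in w:
            crypto.append(w[w.index("address") + 1])
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            nat0.append(w[4])
    return names, groups, acls, crypto, nat0

def _endpoints(tokens, names):
    """Read src then dst of an ip/icmp ACE as (kind, value): 'any' is one token, the others two."""
    out = []
    while len(out) < 2:
        t = tokens.pop(0)
        if t == "any":
            out.append(("any", "any"))
        else:
            nxt = tokens.pop(0)                              # group name, or the subnet mask
            out.append(("group", nxt) if t == "object-group" else ("net", names.get(t, t)))
    return tuple(out)

def full_tunnel_status(text, local_net):
    """(crypto ACL sends local_net to any, NAT-0 ACL exempts local_net to any): the two ASA-side steps."""
    _, groups, acls, crypto, nat0 = parse_config(text)
    def local_to_any(acl_names):
        return any(dst == ("any", "any") and (src == ("net", local_net) or local_net in groups.get(src[1], []))
                   for name in acl_names for src, dst in acls.get(name, []))
    return local_to_any(crypto), local_to_any(nat0)
```

For the posted config this returns (False, True): the NAT 0 exemption already covers dst=any via the object-group, so only the crypto-map ACL needs changing, which FIXED_CONFIG shows.
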
LVL 11

Author Closing Comment

by:Miftaul
Meraki Support says pointing the default route over the VPN is only supported if both ends are Meraki devices. It will not work between a Meraki and an ASA.

Awarding points to MarcusSjogren for his guidance.