Meraki/Cisco SSL VPN question

Tim Lewis
I am installing a new Meraki firewall in our organization.  I would like to be able to keep the ability to have SSL VPN that we currently have on our Cisco ASA firewall.  Would anyone have any knowledge of what I would need to do in order to put the Cisco ASA behind the Meraki, open ports on the meraki to point to the ASA so I can still use it for client VPN access only.  Meraki would handle everything but the VPN.
Pete Long, Technical Consultant

Commented:
The ASA would need its own public IP (or TCP 443 forwarding to it).
Then on your LAN switch you will need a route for the AnyConnect IP pool, routing it to the ASA rather than the Meraki.

Jody Lemoine, Network Architect

Commented:
The nice thing about SSL VPN is that it works well with private addresses and forwarding. You can set the ASA up with only a private IPv4 address behind the Meraki MX unit and forward 80/tcp (for HTTP redirection and hotspot detection), 443/tcp (for SSL/TLS VPN mode) and 443/udp (for DTLS VPN mode) to the ASA and you should be good to go. I've done this with a number of customers who have moved to Meraki, but wanted to keep their AnyConnect headends running on ASA or ISR devices.
Tim Lewis, Network Manager (Author)
Commented:
Do I only need to connect the Inside port on the ASA to the network and just NAT the external IP to that Inside IP of the ASA on the Meraki? In addition to the ports, of course. I think this would be a much better solution for us than switching to the Meraki VPN.
Jody Lemoine, Network Architect
Commented:
Exactly. On the Meraki MX make sure that the VPN is enabled on the inside interface, that you have a default route pointing back to the MX, and that you have intra-interface traffic permitted. NAT the above ports to the ASA's inside address and you should be good to go.

@PeteLong's point about the VPN pool is important, too. Make sure there's a route on the MX pointing back to that pool and the ASA's inside interface, or return traffic to your clients isn't going to work well. Alternately, you can source the pool on the same subnet as the inside interface.
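As an added worked example (not code from either expert or from Cisco/Meraki), the following script turns the two pieces of advice above, the three port forwards on the MX and the return route for the AnyConnect pool, into concrete configuration. The addressing (ASA inside address, MX LAN address, inside subnet, VPN pool) is constructed for illustration. The Dashboard API endpoint and field names are the ones I know from Meraki Dashboard API v1; check them against the current documentation before pushing to a production network.

```python
"""Keep an ASA AnyConnect headend behind a Meraki MX: build the MX port-forwarding
rules and the LAN/ASA routing needed for return traffic to VPN clients."""
import ipaddress
import json
import urllib.request

# Constructed sample addressing; substitute your own values.
ASA_INSIDE_IP = "10.10.10.2"        # hypothetical ASA inside address (private, behind the MX)
MX_INSIDE_IP = "10.10.10.1"         # hypothetical MX LAN address, the ASA's default gateway
INSIDE_SUBNET = "10.10.10.0/24"     # hypothetical inside LAN
ANYCONNECT_POOL = "10.10.99.0/24"   # hypothetical VPN client pool, NOT inside the LAN subnet

# The three forwards from the thread: 80/tcp (HTTP redirect / hotspot detection),
# 443/tcp (SSL/TLS tunnel), 443/udp (DTLS tunnel).
FORWARDS = [
    ("tcp", 80, "AnyConnect HTTP redirect"),
    ("tcp", 443, "AnyConnect SSL/TLS"),
    ("udp", 443, "AnyConnect DTLS"),
]


def port_forwarding_rules(asa_inside_ip: str, allowed_ips=("any",)) -> dict:
    """Request body for Meraki Dashboard API v1
    PUT /networks/{networkId}/appliance/firewall/portForwardingRules.
    allowedIps limits which Internet sources may hit the forward; a public VPN
    headend normally needs "any", but a fixed partner range can be listed instead."""
    rules = []
    for proto, port, name in FORWARDS:
        rules.append({
            "name": name,
            "lanIp": asa_inside_ip,
            "publicPort": str(port),
            "localPort": str(port),
            "protocol": proto,
            "allowedIps": list(allowed_ips),
            "uplink": "both",
        })
    return {"rules": rules}


def pool_route_needed(pool: str, inside_subnet: str) -> bool:
    """Pete's point: if the AnyConnect pool is not carved from the inside subnet,
    the MX and LAN switches need a static route for the pool via the ASA's inside
    address, otherwise return traffic to VPN clients follows the default route to
    the MX and never reaches the tunnel. If the pool is inside the LAN subnet
    (Jody's alternative), the ASA answers ARP for the clients and no route is needed."""
    return not ipaddress.ip_network(pool).subnet_of(ipaddress.ip_network(inside_subnet))


def lan_routes(pool: str, inside_subnet: str, asa_inside_ip: str) -> list:
    """IOS-style static route(s) to add on the LAN switches (and as a static route
    on the MX) for the pool; empty when the pool lives inside the LAN subnet."""
    if not pool_route_needed(pool, inside_subnet):
        return []
    net = ipaddress.ip_network(pool)
    return [f"ip route {net.network_address} {net.netmask} {asa_inside_ip}"]


def asa_config(mx_inside_ip: str) -> list:
    """ASA-side lines matching Jody's checklist: default route back to the MX,
    hairpinning allowed on the inside interface, AnyConnect enabled on inside."""
    return [
        f"route inside 0.0.0.0 0.0.0.0 {mx_inside_ip}",
        "same-security-traffic permit intra-interface",
        "webvpn",
        " enable inside",
    ]


def push_rules(api_key: str, network_id: str, body: dict) -> dict:
    """Apply the rule set to a network via the Dashboard API (needs network access)."""
    url = f"https://api.meraki.com/api/v1/networks/{network_id}/appliance/firewall/portForwardingRules"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(port_forwarding_rules(ASA_INSIDE_IP), indent=2))
    print("\n".join(lan_routes(ANYCONNECT_POOL, INSIDE_SUBNET, ASA_INSIDE_IP)))
    print("\n".join(asa_config(MX_INSIDE_IP)))
    # push_rules("REPLACE_WITH_API_KEY", "REPLACE_WITH_NETWORK_ID", port_forwarding_rules(ASA_INSIDE_IP))
```

Running it prints the MX rule payload, the switch route for the 10.10.99.0/24 pool, and the ASA lines. Changing ANYCONNECT_POOL to a slice of the inside subnet (for example 10.10.10.128/25) makes `lan_routes` return nothing, which is exactly the "source the pool on the same subnet" shortcut Jody mentions.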
Tim Lewis, Network Manager (Author)
Commented:
Awesome. Thank you for the help. I will try it out once we do the Meraki cut-over.