Link to home
Start Free TrialLog in
Avatar of Tim Lewis
Tim LewisFlag for United States of America

asked on

Meraki/Cisco SSL VPN question

I am installing a new Meraki firewall in our organization.  I would like to be able to keep the ability to have SSL VPN that we currently have on our Cisco ASA firewall.  Would anyone have any knowledge of what I would need to do in order to put the Cisco ASA behind the Meraki, open ports on the meraki to point to the ASA so I can still use it for client VPN access only.  Meraki would handle everything but the VPN.
Avatar of Pete Long
Pete Long
Flag of United Kingdom of Great Britain and Northern Ireland image

The ASA would need its own public IP (or TCP 443 forwarding to it).
Then on your LAN Switch you will need a route for the AnyConnect IP Pool for routing it to the ASA not the Meraki.

The nice thing about SSL VPN is that it works well with private addresses and forwarding. You can set the ASA up with only a private IPv4 address behind the Meraki MX unit and forward 80/tcp (for HTTP redirection and hotspot detection), 443/tcp (for SSL/TLS VPN mode) and 443/udp (for DTLS VPN mode) to the ASA and you should be good to go. I've done this with a number of customers who have moved to Meraki, but wanted to keep their AnyConnect headends running on ASA or ISR devices.
Avatar of Tim Lewis


Do I only need to connect the Inside port on the ASA to the network and just NAT the external IP to that Inside IP of the ASA on the Meraki?  In addition to the ports of course.   I think this would be a much better solution for us then switching to the Meraki VPN.
Avatar of Jody Lemoine
Jody Lemoine
Flag of Canada image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
awesome.  Thank you for the help.   I will try it out once we do the Meraki cut over.