Meraki/Cisco SSL VPN question

I am installing a new Meraki firewall in our organization. I would like to be able to keep the ability to have SSL VPN that we currently have on our Cisco ASA firewall. Would anyone have any knowledge of what I would need to do in order to put the Cisco ASA behind the Meraki, open ports on the Meraki to point to the ASA so I can still use it for client VPN access only? Meraki would handle everything but the VPN.

Tim Lewis, Network Manager, asked:

Pete Long, Technical Consultant, commented:
The ASA would need its own public IP (or TCP 443 forwarding to it).
Then on your LAN switch you will need a route for the AnyConnect IP pool, routing it to the ASA, not the Meraki.

Jody Lemoine, Network Architect, commented:
The nice thing about SSL VPN is that it works well with private addresses and forwarding. You can set the ASA up with only a private IPv4 address behind the Meraki MX unit and forward 80/tcp (for HTTP redirection and hotspot detection), 443/tcp (for SSL/TLS VPN mode) and 443/udp (for DTLS VPN mode) to the ASA and you should be good to go. I've done this with a number of customers who have moved to Meraki, but wanted to keep their AnyConnect headends running on ASA or ISR devices.
Tim Lewis, Network Manager (author), commented:
Do I only need to connect the Inside port on the ASA to the network and just NAT the external IP to that Inside IP of the ASA on the Meraki? In addition to the ports, of course. I think this would be a much better solution for us than switching to the Meraki VPN.
Jody Lemoine, Network Architect, commented:
Exactly. On the Meraki MX make sure that the VPN is enabled on the inside interface, that you have a default route pointing back to the MX, and that you have intra-interface traffic permitted. NAT the above ports to the ASA's inside address and you should be good to go.

@PeteLong's point about the VPN pool is important, too. Make sure there's a route on the MX pointing back to that pool and the ASA's inside interface, or return traffic to your clients isn't going to work well. Alternately, you can source the pool on the same subnet as the inside interface.
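As an added example, not part of the thread and not Meraki's or Cisco's code, here is a small Python audit of the MX-side pieces Jody and Pete describe: the three forwards (80/tcp, 443/tcp, 443/udp) must land unchanged on the ASA's inside address, and the AnyConnect pool needs a return path, either a static route on the MX via the ASA's inside IP or a pool carved from the inside subnet. The field names, addresses and rule layout are assumptions constructed for this example; they loosely mirror what the Meraki dashboard shows but are not its API.

```python
import ipaddress

# Constructed sample inputs for this example (not from the thread): the shapes
# loosely mirror what the Meraki dashboard shows for port forwarding rules and
# static routes, but every address and name here is made up.
ASA_INSIDE_IP = "192.168.10.5"
INSIDE_SUBNET = "192.168.10.0/24"
ANYCONNECT_POOL = "10.200.0.0/24"

# The three forwards the thread lists: (protocol, port) -> purpose.
REQUIRED_FORWARDS = {
    ("tcp", 80): "HTTP redirect / hotspot detection",
    ("tcp", 443): "SSL/TLS VPN mode",
    ("udp", 443): "DTLS VPN mode",
}

SAMPLE_PORT_FORWARDS = [
    {"name": "ASA https", "protocol": "tcp", "publicPort": "443", "localPort": "443", "lanIp": "192.168.10.5"},
    {"name": "ASA http", "protocol": "tcp", "publicPort": "80", "localPort": "80", "lanIp": "192.168.10.5"},
    # 443/udp is deliberately left out so the audit has something to flag.
]

SAMPLE_STATIC_ROUTES = [
    {"name": "AnyConnect pool", "subnet": "10.200.0.0/24", "gatewayIp": "192.168.10.5"},
]


def missing_forwards(rules, asa_ip):
    """Return the (protocol, port) pairs from REQUIRED_FORWARDS that no rule
    sends, with the port unchanged, to the ASA's inside address."""
    present = set()
    for r in rules:
        if r["lanIp"] == asa_ip and r["publicPort"] == r["localPort"]:
            present.add((r["protocol"].lower(), int(r["publicPort"])))
    return sorted(k for k in REQUIRED_FORWARDS if k not in present)


def pool_return_path_ok(routes, pool_cidr, inside_cidr, asa_ip):
    """True when return traffic to the AnyConnect pool can reach the ASA:
    either the pool sits inside the inside subnet (no extra route needed, the
    alternative Jody mentions) or a static route for the pool points at the
    ASA's inside IP."""
    pool = ipaddress.ip_network(pool_cidr)
    inside = ipaddress.ip_network(inside_cidr)
    if pool.subnet_of(inside):
        return True
    return any(
        ipaddress.ip_network(r["subnet"]) == pool and r["gatewayIp"] == asa_ip
        for r in routes
    )


def audit(rules, routes, asa_ip, pool_cidr, inside_cidr):
    """Collect human-readable findings; an empty list means the MX side of the
    design matches what the thread describes."""
    findings = []
    for proto, port in missing_forwards(rules, asa_ip):
        purpose = REQUIRED_FORWARDS[(proto, port)]
        findings.append(f"missing forward {proto}/{port} to {asa_ip} ({purpose})")
    if not pool_return_path_ok(routes, pool_cidr, inside_cidr, asa_ip):
        findings.append(
            f"no return path for {pool_cidr}: add a static route via {asa_ip} "
            f"or carve the pool from {inside_cidr}"
        )
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_PORT_FORWARDS, SAMPLE_STATIC_ROUTES,
                   ASA_INSIDE_IP, ANYCONNECT_POOL, INSIDE_SUBNET)
    for line in result or ["no findings"]:
        print(line)
```

Run against the constructed sample it reports only the missing 443/udp forward (DTLS would silently fall back to TLS, which is easy to miss in testing), and the route check passes because the pool route points at the ASA's inside address. Feeding it an export of your real MX rules and routes before the cutover is a cheap way to catch the two mistakes the thread warns about.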

Tim Lewis, Network Manager (author), commented:
Awesome. Thank you for the help. I will try it out once we do the Meraki cutover.