MX to Cisco ASA Site-to-Site VPN Setup

Here’s a step-by-step guide to Site-to-Site VPN setup between a Cisco Meraki MX security appliance and a Cisco ASA firewall.

Prerequisites

• Cisco Meraki MX device with admin access to the Meraki Dashboard.
• Cisco ASA firewall with CLI or ASDM access.
• Static public IP addresses (or DDNS for Meraki MX) on both ends of the VPN.
• IKE Phase 1 and Phase 2 parameters (encryption, hashing, authentication).

Cisco Meraki MX to Cisco ASA Site-to-site VPN Setup: Step-by-Step Guide

Step 1: Configure Site-to-Site VPN on Cisco Meraki MX

1.1. Login to Meraki Dashboard

• Go to https://dashboard.meraki.com and log in with your credentials.

1.2. Navigate to Security & SD-WAN

• Select the network where your MX device is located.
• From the left-hand menu, go to Security & SD-WAN > Site-to-site VPN.

1.3. Configure the VPN Settings

• In the VPN Type, select Hub (Mesh) or Spoke (Hub-and-Spoke) depending on your network design.
• In the Non-Meraki VPN peers section, add a new peer:
  • Name: Give a meaningful name (e.g., Cisco ASA Site).
  • Public IP: Enter the public IP address of the Cisco ASA.
  • Private subnets: Specify the subnets behind the ASA you want to reach via the VPN (e.g., 192.168.10.0/24).
  • Secret: Enter the pre-shared key (PSK) that will be used to authenticate with the Cisco ASA.
  • IPsec Policies: You can leave this as Default or customize the encryption and hashing algorithms to match those on the ASA.
  • Availability: Specify which MX appliances or networks should use this VPN connection.

1.4. Configure Meraki Subnets for VPN

• Scroll down to the Local Network section.
• Choose which subnets in the Meraki network will be included in the VPN.
• For each subnet, toggle Use VPN to enable it.

1.5. Save Settings

• Once the configuration is complete, click Save to apply the changes.

Related: Configuring Cisco ASA Transparent Mode

Step 2: Configure Site-to-Site VPN on Cisco ASA

2.1. Login to Cisco ASA

• Access the ASA using CLI or ASDM.

2.2. Define IKEv1 Phase 1 Policies

• Configure the IKEv1 Phase 1 parameters (encryption, hashing, lifetime) to match the settings on the Meraki MX.

crypto ikev1 policy 10

   authentication pre-share

   encryption aes

   hash sha

   group 2

   lifetime 86400

2.3. Define the Pre-shared Key for the VPN

• Set the pre-shared key to be the same as the one you defined on the Meraki MX.

tunnel-group <Meraki MX Public IP> type ipsec-l2l

tunnel-group <Meraki MX Public IP> ipsec-attributes

   ikev1 pre-shared-key <your-pre-shared-key>

2.4. Define IKEv1 Phase 2 Parameters

• Specify the encryption and integrity algorithms for IPsec (Phase 2).

crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac

2.5. Create the Crypto Map

• Define the crypto map that ties the peer IP and the transform set together.

crypto map outside_map 10 match address VPN_ACL

crypto map outside_map 10 set peer <Meraki MX Public IP>

crypto map outside_map 10 set ikev1 transform-set MY_TRANSFORM_SET

crypto map outside_map interface outside

2.6. Define Access List for Traffic to Encrypt

• Create an ACL to specify the traffic that should be encrypted (subnets on both sides).

access-list VPN_ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

• This example assumes 192.168.10.0/24 is the subnet behind the ASA, and 192.168.20.0/24 is the subnet behind the Meraki MX.

2.7. Enable NAT Exemption

• Ensure the traffic between the two networks is not NATed.

nat (inside,outside) source static 192.168.10.0 192.168.10.0 destination static 192.168.20.0 192.168.20.0

2.8. Apply the Configuration

• After configuring the VPN, apply the changes to the ASA.

write memory

Step 3: Verify the VPN Status

3.1. Check the VPN Status in Meraki Dashboard

• In the Meraki Dashboard, go to Security & SD-WAN > Monitor > VPN Status.
• Check if the Non-Meraki peer is up and the tunnel is active.

3.2. Check VPN Status on the Cisco ASA

• Use the following CLI commands to verify the tunnel status:

show crypto ikev1 sa

show crypto ipsec sa

• These commands will show if the IKE and IPsec tunnels are established.

3.3. Test Connectivity

• From a device behind the Meraki MX, attempt to ping a device behind the Cisco ASA and vice versa.
• Ensure that traffic is flowing through the VPN.

Troubleshooting Tips

• Mismatched Phase 1 or Phase 2 Settings: If the VPN fails to establish, check that the encryption, hashing, and DH group settings match on both the MX and ASA.
• Firewall Rules: Ensure that the firewalls on both sides allow the necessary traffic (UDP 500, UDP 4500 for IPsec).
• NAT Exemption: Verify that NAT exemption is configured correctly, as NAT can cause VPN traffic to fail.

Conclusion

By following these steps, you should be able to successfully configure a Site-to-Site VPN between a Cisco Meraki MX and a Cisco ASA firewall. Once the VPN is set up, both networks can securely exchange traffic over the encrypted tunnel.

ABOUT THE AUTHOR

Rashmi Bhardwaj

Founder of AAR TECHNOSOLUTIONS, Rashmi is an evangelist for IT and technology. With more than 12 years in the IT ecosystem, she has been supporting multi domain functions across IT & consultancy services, in addition to Technical content making.

You can learn more about her on her linkedin profile – Rashmi Bhardwaj