
Configuring Cisco ASA for Site-to-site VPN with MX Series Appliances using the Command Line Interface


This article outlines the process for configuring a site-to-site VPN between an MX security appliance and a Cisco ASA, using the command line interface on the ASA.

Configuration

Note: We strongly recommend running ASA 8.3 or above, as there is a possibility the tunnel will tear down prematurely on earlier versions.

 

The diagram below will be used in this configuration scenario:

[Network diagram image not included in this text extract. The addresses used throughout are: LAN behind the ASA 10.10.10.0/24, LAN behind the MX 10.10.20.0/24, and public IP of the MX 2.2.2.2.]

The following ASA commands can be run to establish a site-to-site VPN tunnel with a Meraki MX appliance.

Note: These commands reference the default isakmp/ipsec parameters used by the MX. If the MX is configured to use a custom ipsec policy, be sure to update these commands accordingly.

The exact commands differ by ASA software version (the ASA does not run IOS). The steps below use the syntax of ASA 8.3, on which the IKEv1 commands are still named isakmp. On ASA 8.4 and later the same settings are entered as crypto ikev1 policy, crypto ipsec ikev1 transform-set, set ikev1 transform-set and ikev1 pre-shared-key.

1.     Configure ISAKMP Policy (Phase 1). These values match the MX default phase 1 settings (3DES, SHA1, DH group 2, 8 hour lifetime).

crypto isakmp policy 1
         authentication pre-share
         encryption 3des
         hash sha
         group 2
         lifetime 28800


2.     Configure IPsec Transform set

crypto ipsec transform-set Meraki_Transform_Set esp-aes-256 esp-sha-hmac

 

3.     Create an access list matching the addresses to communicate over the VPN tunnel

access-list 90 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0

 

4.     Exclude the VPN traffic from NAT (identity NAT)

nat 0 access-list 90

Note: nat 0 access-list exists only on ASA 8.2 and earlier and was removed in 8.3. On 8.3 and later, define network objects for the two subnets and add a twice NAT rule of the form nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE, so that the local source addresses are left unchanged before the crypto map is evaluated. Without an identity NAT rule, an interface PAT rule will translate the source address, the packet will no longer match access list 90, and the traffic will bypass the tunnel.


5.     Define a crypto map that references the transform set from step 2, the access list from step 3, and the public IP address of the MX as the peer

# Note that only static crypto maps are supported at this time.

crypto map ASAtoMX 20 match address 90

crypto map ASAtoMX 20 set transform-set Meraki_Transform_Set

crypto map ASAtoMX 20 set peer 2.2.2.2

 

6.     Set the data (kilobyte) lifetime to unlimited, so the IPsec SA is rekeyed on its time-based lifetime only

crypto map ASAtoMX 20 set security-association lifetime kilobytes unlimited

   

7.     Apply the crypto map to the outside interface

crypto map ASAtoMX interface outside

 

8.     Configure the tunnel group and the pre-shared key. The tunnel-group name must be the public IP address of the MX, the same address given as the crypto map peer in step 5 (not the ASA's own outside address). Replace Meraki123 with the pre-shared key entered on the MX for this peer; use a long, random value.

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
            pre-shared-key Meraki123
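The eight steps above as one complete configuration, written for ASA 8.4 and later, where the IKEv1 commands carry the ikev1 keyword and the pre-8.3 nat 0 form of identity NAT no longer exists. This is an added example, not taken from the original article or from Meraki. The object names LOCAL_LAN and MX_LAN and the ACL name VPN_TO_MX are assumptions, as are the crypto ikev1 enable outside line (required for the ASA to answer IKE on that interface, and not listed in the steps above) and the explicit phase 2 lifetime of 28800 seconds, which matches the MX default. Addresses, the transform set and the crypto map name follow the article.

```cisco
! ---- Phase 1 (IKEv1): 3DES / SHA1 / DH group 2 / 28800 s, the MX defaults ----
! Assumed addition: the ASA only listens for IKE on interfaces where it is enabled.
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

! ---- Phase 2 transform set: AES-256 / SHA1, the MX defaults ----
crypto ipsec ikev1 transform-set Meraki_Transform_Set esp-aes-256 esp-sha-hmac

! ---- Interesting traffic (object and ACL names are assumed) ----
object network LOCAL_LAN
 subnet 10.10.10.0 255.255.255.0
object network MX_LAN
 subnet 10.10.20.0 255.255.255.0
access-list VPN_TO_MX extended permit ip object LOCAL_LAN object MX_LAN

! ---- Identity NAT: the 8.3+ replacement for "nat 0 access-list" ----
! Leaves LAN-to-LAN source addresses unchanged so they still match the crypto ACL.
! The route-lookup keyword needs 8.4(2) or later.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static MX_LAN MX_LAN no-proxy-arp route-lookup

! ---- Static crypto map bound to the outside interface ----
crypto map ASAtoMX 20 match address VPN_TO_MX
crypto map ASAtoMX 20 set peer 2.2.2.2
crypto map ASAtoMX 20 set ikev1 transform-set Meraki_Transform_Set
crypto map ASAtoMX 20 set security-association lifetime seconds 28800
crypto map ASAtoMX 20 set security-association lifetime kilobytes unlimited
! No "set pfs" line: the MX default has PFS disabled, and enabling it on the
! ASA alone makes phase 2 negotiation fail.
crypto map ASAtoMX interface outside

! ---- Tunnel group, named after the MX public IP (the peer above) ----
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key Meraki123
! Meraki123 is the article's placeholder; use a long random key that matches
! the one entered on the MX for this peer.
```

Paste the block in configuration mode and save with write memory. On ASA 8.3 keep the isakmp command names from the steps above but use this object-based NAT rule; on 8.2 and earlier use nat 0 access-list as in step 4. If the MX has been given a custom IPsec policy, change the policy, transform set and lifetimes here to match it exactly, since a proposal mismatch is the most common reason a tunnel never reaches phase 2.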

 

Once the MX and the ASA are successfully configured, the networks configured for VPN access will be able to reach each other's resources. The tunnel is only negotiated when interesting traffic arrives, so to bring it up, send one packet that matches the access list, for example a ping from a host on 10.10.10.0/24 to a host on 10.10.20.0/24.
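A short check sequence for bringing the tunnel up and confirming both phases on the ASA, added here as an example and not part of the original article. It assumes ASA 8.4 or later, where the IKEv1 show and debug commands are named ikev1 (on 8.3 use show crypto isakmp sa instead), and two constructed host addresses: 10.10.10.10 behind the ASA's inside interface and 10.10.20.10 behind the MX.

```cisco
! Confirm the crypto map and IKE are bound to the outside interface
show run crypto map
show run crypto ikev1

! Simulate an ICMP echo from the local LAN to the MX LAN. The output should
! contain a VPN phase (encrypt) and end with "Action: allow"; if the NAT phase
! translates the source first, the identity NAT rule is missing or misordered.
packet-tracer input inside icmp 10.10.10.10 8 0 10.10.20.10 detailed

! Now send real traffic (a ping from 10.10.10.10 to 10.10.20.10) to trigger
! negotiation, then check each phase.

! Phase 1: expect one entry for peer 2.2.2.2 in state MM_ACTIVE
show crypto ikev1 sa

! Phase 2: expect the 10.10.10.0/24 <-> 10.10.20.0/24 selector with
! "#pkts encaps" and "#pkts decaps" both increasing as the ping continues.
! Encaps rising with decaps at zero means the MX is not sending back,
! usually because its configured subnets or key do not match.
show crypto ipsec sa peer 2.2.2.2

! If phase 1 never reaches MM_ACTIVE, watch the negotiation; proposal or
! pre-shared-key mismatches are reported here. Disable with "undebug all".
debug crypto ikev1 127
```

Run the show commands from enable mode; packet-tracer does not itself negotiate the tunnel, it only reports which rules a packet would hit, so a real packet from a protected host is still needed to create the security associations.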

Last modified
15:26, 6 Oct 2016


Article ID

ID: 1411
