This article outlines how to configure a site-to-site VPN between a Meraki MX security appliance and a Cisco ASA, using the command-line interface on the ASA.
Note: We strongly recommend running ASA 8.3 or above; on earlier versions the tunnel may tear down prematurely.
The diagram below will be used in this configuration scenario:
The following ASA commands can be run to establish a site-to-site VPN tunnel with a Meraki MX appliance.
Note: These commands reference the default ISAKMP/IPsec parameters used by the MX. If the MX is configured to use a custom IPsec policy, update these commands to match it exactly; a Phase 1 or Phase 2 mismatch is the most common reason the tunnel fails to establish.
The exact syntax varies with the ASA software version (the ASA runs its own software, not IOS). The steps below use the pre-8.4 syntax; ASA 8.4 and later use the ikev1 keywords (crypto ikev1 policy, crypto ipsec ikev1 transform-set, ikev1 pre-shared-key) and, from 8.3 onward, object-based NAT.
1. Configure the ISAKMP policy (Phase 1) and enable ISAKMP on the outside interface. The policy parameters below mirror the MX default Phase 1 settings (pre-shared key, AES-256, SHA-1, DH group 2, 28800-second lifetime).
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp enable outside
2. Configure IPsec Transform set
crypto ipsec transform-set Meraki_Transform_Set esp-aes-256 esp-sha-hmac
3. Create an access list matching the addresses to communicate over the VPN tunnel
access-list 90 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
4. Exclude the VPN traffic from being NATted. The nat 0 form below is the ASA 8.2 and earlier syntax; on ASA 8.3 and later, NAT exemption is configured instead as an identity (twice) NAT rule between network objects for the local and remote subnets.
nat 0 access-list 90
5. Define a crypto map referencing the transform set from step 2, the access list from step 3, and the public (outside) IP address of the MX as the peer. Do not add set pfs unless PFS is also enabled in the MX policy; the MX default leaves PFS off, and a mismatch will prevent Phase 2 from completing.
Note: Only static crypto maps are supported at this time.
crypto map ASAtoMX 20 match address 90
crypto map ASAtoMX 20 set transform-set Meraki_Transform_Set
crypto map ASAtoMX 20 set peer 184.108.40.206
6. Set the data (kilobyte) lifetime to unlimited, so the ASA rekeys on elapsed time only, as the MX does (the MX policy has no data-based lifetime). The ASA's default time-based lifetime of 28800 seconds already matches the MX default.
crypto map ASAtoMX 20 set security-association lifetime kilobytes unlimited
7. Apply the crypto map to the outside interface
crypto map ASAtoMX interface outside
8. Configure the tunnel group and the pre-shared key. The tunnel-group name is the public IP address of the MX (the same address used for set peer in step 5), not the ASA's own outside address. The pre-shared key must match the one entered for this peer in the Meraki dashboard.
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 184.108.40.206 ipsec-attributes
 pre-shared-key <key>
Once the MX and the ASA are successfully configured, the networks configured for VPN access will be able to reach each other's resources. The tunnel is not negotiated until interesting traffic matches the crypto ACL, so to bring it up, send at least one packet across it, for example by pinging a host on the remote subnet from a host on the local subnet. Verify the result on the ASA with show crypto isakmp sa (Phase 1 should show the state MM_ACTIVE) and show crypto ipsec sa (packet encaps/decaps counters should increment for the peer).
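Since the article recommends ASA 8.3 or later but the numbered steps use pre-8.3 syntax, the following is the same tunnel expressed in ASA 8.4+/9.x syntax, including the object-based NAT exemption that replaces nat 0 and the verification commands. This is an added example, not configuration from the original article or from Meraki; the object and ACL names, the 203.0.113.10 peer address (an RFC 5737 documentation address standing in for the MX public IP), the interface names inside/outside, and the <key> placeholder are assumptions you must replace with your own values.

```cisco
! Added example: ASA 8.4+/9.x equivalent of the steps above.
! All names and addresses are placeholders, not values from the original article.

! Phase 1 (IKEv1) policy matching the MX default: AES-256 / SHA-1 / DH group 2 / 28800 s
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
! IKEv1 must be enabled on the interface that faces the MX
crypto ikev1 enable outside

! Phase 2 transform set (AES-256 / SHA-1), the MX default
crypto ipsec ikev1 transform-set Meraki_Transform_Set esp-aes-256 esp-sha-hmac

! Interesting traffic: ASA LAN 10.10.10.0/24 <-> MX LAN 10.10.20.0/24 (same subnets as the article)
object network ASA_LAN
 subnet 10.10.10.0 255.255.255.0
object network MX_LAN
 subnet 10.10.20.0 255.255.255.0
access-list VPN_TO_MX extended permit ip object ASA_LAN object MX_LAN

! NAT exemption: identity (twice) NAT replaces "nat 0 access-list" on 8.3 and later.
! no-proxy-arp and route-lookup keep the ASA from answering ARP for, or misrouting, the remote subnet.
nat (inside,outside) source static ASA_LAN ASA_LAN destination static MX_LAN MX_LAN no-proxy-arp route-lookup

! Static crypto map. No "set pfs": the MX default policy has PFS off.
crypto map ASAtoMX 20 match address VPN_TO_MX
crypto map ASAtoMX 20 set peer 203.0.113.10
crypto map ASAtoMX 20 set ikev1 transform-set Meraki_Transform_Set
crypto map ASAtoMX 20 set security-association lifetime seconds 28800
crypto map ASAtoMX 20 set security-association lifetime kilobytes unlimited
crypto map ASAtoMX interface outside

! Tunnel group named after the MX public IP; must equal the "set peer" address above
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <key>

! Bring the tunnel up and verify (exec commands, not configuration):
! ping inside 10.10.20.1                  sources the ping from the inside interface, which matches the crypto ACL
! show crypto ikev1 sa                    Phase 1 SA should reach state MM_ACTIVE
! show crypto ipsec sa peer 203.0.113.10  #pkts encaps / #pkts decaps should increase as traffic flows
```

If Phase 1 never leaves MM_WAIT_MSG2 or similar, check reachability and the pre-shared key; if Phase 1 is MM_ACTIVE but show crypto ipsec sa shows no SA, compare the transform set, the PFS setting and the local/remote subnets with the MX policy, since the MX requires the proxy identities to match the subnets configured in the dashboard.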