
Configuring Cisco ASA for Site-to-site VPN with MX Series Appliances using the Command Line Interface


This article outlines the process for configuring a site-to-site VPN between an MX Security Appliance and a Cisco ASA using the command line interface on the Cisco ASA.


Note: We strongly recommend running ASA 8.3 or above, as there is a possibility the tunnel will tear down prematurely on earlier versions.


The diagram below will be used in this configuration scenario:




The following ASA commands can be run to establish a site-to-site VPN tunnel with a Meraki MX appliance.

Note: These commands reference the default isakmp/ipsec parameters used by the MX. If the MX is configured to use a custom ipsec policy, be sure to update these commands accordingly.

These commands may differ based on IOS version.

1.     Configure ISAKMP Policy (Phase 1)

crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800


2.     Configure IPsec Transform set

crypto ipsec transform-set Meraki_Transform_Set esp-aes-256 esp-sha-hmac


3.     Create an access list matching the addresses to communicate over the VPN tunnel

access-list 90 permit ip


4.     Exclude the VPN traffic from being natted

nat 0 access-list 90


5.     Define a crypto map referencing steps 2 and 3 and the outside interface of the MX

# Note that only static crypto maps are supported at this time.

crypto map ASAtoMX 20 match address 90
crypto map ASAtoMX 20 set transform-set Meraki_Transform_Set
crypto map ASAtoMX 20 set peer


6.     Set the data lifetime to unlimited

crypto map ASAtoMX 20 set security-association lifetime kilobytes unlimited


7.     Apply the crypto map to the outside interface

crypto map ASAtoMX interface outside


8.     Configure the tunnel group and the pre-shared key. The Tunnel Group Name will be your outside IP address.

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key Meraki123


Once the MX and the ASA appliance are successfully configured, the networks configured for VPN access will be able to access each other's resources.  To initiate the VPN Tunnel, it will be necessary to force one packet to traverse the VPN. This can be completed by initiating a ping across the tunnel.


Article ID

ID: 1411
