If you need to create a site-to-site VPN between an ASA and a Meraki Security Appliance, it’s fairly quick. I recommend using the CLI on the ASA for the configuration.
ASA CLI Configuration Steps:
Step 1: Configure ISAKMP Policy (Phase 1)
Step 2: Configure IPsec Transform set
Step 3: Create an access list matching the addresses to communicate over the VPN tunnel
Step 4: Exclude the VPN traffic from NAT
Step 5: Define a crypto map that references steps 2 and 3 and the outside interface of the MX. Only static crypto maps are supported.
crypto map name number set transform-set transform_set_name
crypto map name number set peer peer_ip
Step 6: Set the data lifetime to unlimited
Step 7: Apply the crypto map to the outside interface
Step 8: Configure the tunnel group and the pre-shared key.
tunnel-group peer_ip ipsec-attributes
pre-shared-key preshared_key
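The eight steps above as one configuration, added here as an illustration and not taken from the original post. It assumes an ASA release where IKEv1 commands take the ikev1 keyword (the template lines above show the form without it) and which accepts DH group 14 and an unlimited kilobyte lifetime, and it assumes interfaces named inside and outside. The addresses, names and the key placeholder are constructed.

```cisco
! Constructed values: LANs 192.168.10.0/24 (ASA) and 192.168.20.0/24 (MX),
! MX outside address 203.0.113.2. All object, ACL and map names are hypothetical.
! Step 1: ISAKMP (IKEv1 phase 1) policy; the MX policy for this peer must match
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800
crypto ikev1 enable outside
! Step 2: IPsec transform set
crypto ipsec ikev1 transform-set MX-TS esp-aes-256 esp-sha-hmac
! Step 3: access list matching the traffic for the tunnel
object network LOCAL-LAN
 subnet 192.168.10.0 255.255.255.0
object network MX-LAN
 subnet 192.168.20.0 255.255.255.0
access-list VPN-TO-MX extended permit ip object LOCAL-LAN object MX-LAN
! Step 4: exempt the tunnel traffic from NAT
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static MX-LAN MX-LAN no-proxy-arp route-lookup
! Step 5: static crypto map tying together the ACL, the peer and the transform set
crypto map OUTSIDE-MAP 10 match address VPN-TO-MX
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set MX-TS
! Step 6: unlimited data lifetime
crypto map OUTSIDE-MAP 10 set security-association lifetime kilobytes unlimited
! Step 7: apply the crypto map to the outside interface
crypto map OUTSIDE-MAP interface outside
! Step 8: tunnel group and pre-shared key (placeholder, substitute your own)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PRESHARED_KEY>
! Checks once traffic has been sent across the tunnel
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.2
```

The phase 1 and phase 2 values must be identical on the MX side, and the same name has to be used wherever the ACL, transform set and crypto map are referenced, since a mismatch in any of them keeps the tunnel from establishing.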
Meraki-Side Configuration Steps:
On the Meraki side, all of the configuration is done in the Meraki dashboard. Navigate to Security & SD-WAN > Configure > Site-to-Site VPN and you will see the following list of options:
- If ‘Hub’ type is selected, this will be your exit hub.
- If ‘Spoke’ type is selected, the MX will send all site-to-site traffic to its configured VPN hubs.
- VPN subnet translation
- NAT traversal
- Remote VPN participants
- Can choose to advertise remote routes
- Non-Meraki VPN peers
- Site-to-site outbound firewall
- Site-to-site inbound firewall
Alison Wallick, Network Support Engineer