If you need to create a site-to-site VPN between an ASA and a Meraki MX security appliance, it’s fairly quick. I recommend using the CLI on the ASA for the configuration. The one thing that trips people up is that the Phase 1 and Phase 2 parameters (encryption, hash, DH group, lifetimes) and the pre-shared key must be identical on both ends; the MX will not negotiate a proposal it has not been configured with.
ASA CLI Configuration Steps:
Step 1: Configure the ISAKMP policy (Phase 1). The values must match the IKE settings you enter for the non-Meraki peer on the MX.
 encryption <encryption-type>
 hash <hash-type>
 group <dh-group-number>
 lifetime <seconds>
Step 2: Configure the IPsec transform set (Phase 2). The ESP cipher and hash must match the MX's IPsec settings.
Step 3: Create an extended access list matching the local and remote subnets that should communicate over the VPN tunnel (source = subnet behind the ASA, destination = subnet behind the MX).
Step 4: Exempt the VPN traffic from NAT so the private source addresses are preserved when the packets enter the tunnel.
Step 5: Define a crypto map that references the transform set from step 2, the access list from step 3 (attached with the match address option) and, as the peer, the public IP of the MX's WAN interface. Only static crypto maps are supported, so the MX must have a fixed public address.
crypto map <name> <number> match address <acl-name>
crypto map <name> <number> set transform-set <transform-set-name>
crypto map <name> <number> set peer <mx-public-ip>
Step 6: Set the data (kilobyte) security-association lifetime to unlimited so the ASA rekeys only on the time-based lifetime, which is the only lifetime the MX uses.
Step 7: Apply the crypto map to the outside interface.
Step 8: Configure the tunnel group (type ipsec-l2l, named after the MX's public IP) and the pre-shared key. Use a long, random key and enter exactly the same key on the MX; on ASA 8.4 and later the keyword is ikev1 pre-shared-key.
tunnel-group <mx-public-ip> ipsec-attributes
 pre-shared-key <preshared-key>
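The eight steps above, put together as one complete ASA configuration. This is an added example, not configuration from the original post: the addresses, object names, policy numbers and cipher choices are assumptions (ASA outside 198.51.100.1 with LAN 192.168.1.0/24, MX public IP 203.0.113.10 with LAN 10.0.0.0/24), and the cipher and lifetime values only work if you enter the same ones for the non-Meraki peer on the MX. The syntax is ASA 8.4 and later.

```text
! Step 1: IKE Phase 1 policy (values assumed; must match the MX peer settings)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800

! Step 2: IPsec Phase 2 transform set (must match the MX IPsec settings)
crypto ipsec ikev1 transform-set MX-TS esp-aes-256 esp-sha-hmac

! Step 3: interesting traffic, written from the ASA's point of view
access-list MX-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

! Step 4: NAT exemption (8.3+ style); "static X X" is an identity translation
object network ASA-LAN
 subnet 192.168.1.0 255.255.255.0
object network MX-LAN
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static ASA-LAN ASA-LAN destination static MX-LAN MX-LAN no-proxy-arp route-lookup

! Step 5: static crypto map tying the ACL, transform set and MX public IP together
crypto map MX-MAP 10 match address MX-VPN-ACL
crypto map MX-MAP 10 set peer 203.0.113.10
crypto map MX-MAP 10 set ikev1 transform-set MX-TS

! Step 6: time-based Phase 2 lifetime only; no volume-based rekey
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes unlimited

! Step 7: bind the crypto map to the outside interface
crypto map MX-MAP interface outside

! Step 8: L2L tunnel group named after the MX public IP, plus the pre-shared key
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <same-secret-entered-on-the-MX>
```

On ASA releases before 8.4 the same configuration uses crypto isakmp enable outside, crypto isakmp policy, crypto ipsec transform-set, set transform-set and pre-shared-key (without the ikev1 keyword); before 8.3, NAT exemption is nat (inside) 0 access-list MX-VPN-ACL instead of the object NAT rule. After both sides are configured, show crypto ikev1 sa (or show crypto isakmp sa) should report the MX peer as MM_ACTIVE and show crypto ipsec sa should show encaps and decaps counters climbing once hosts on the two LANs talk.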
Meraki-Side Configuration Steps:
On the Meraki side of the configuration, it will all be done by using the Meraki dashboard. Navigate to Security & SD-WAN > Configure > Site-to-Site VPN and you will see the following list of options:
Site-to-site VPN
- Type
- Off
- Hub
- Spoke
- Hubs
- If the ‘Hub’ type is selected, this MX will be the exit hub.
- If the ‘Spoke’ type is selected, the MX will send all site-to-site traffic to its configured VPN hubs.
VPN Settings
- VPN subnet translation
- NAT traversal
- Remote VPN participants
OSPF Settings
- Can choose to advertise remote routes
Organization-wide Settings
- Non-Meraki VPN peers: this is where the ASA is defined. Enter its public IP, the subnet(s) behind it (the destination side of the ASA's access list in step 3), the same pre-shared key as in step 8, and IKE/IPsec settings identical to steps 1 and 2.
- Site-to-site outbound firewall: rules applied to traffic leaving the MX into the VPN.
- Site-to-site inbound firewall: rules applied to traffic arriving from VPN peers; restrict this to the ports the remote site actually needs rather than leaving it wide open.
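Because a mismatched proposal is the usual reason the tunnel never comes up, it is worth checking the ASA running-config against what was typed into the non-Meraki peer form before troubleshooting anything else. The following script is an added example, not code from the original post or from Cisco or Meraki: it parses a constructed show running-config excerpt, normalises the ASA keywords to the names the dashboard uses (for example ASA's plain "aes" is AES-128 and "sha" is SHA-1) and reports every field that differs. The MX_PEER dictionary and its field names are a hypothetical stand-in for the dashboard form, not a Meraki API structure.

```python
import re

# Constructed excerpt of an ASA 'show running-config' (not from a real device).
ASA_CONFIG = """
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800
crypto ipsec ikev1 transform-set MX-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes unlimited
crypto map MX-MAP 10 match address MX-VPN-ACL
crypto map MX-MAP 10 set peer 203.0.113.10
crypto map MX-MAP 10 set ikev1 transform-set MX-TS
"""

# Hypothetical representation of the values entered in the dashboard's
# Non-Meraki VPN peer form. Field names are this example's own, not Meraki's.
MX_PEER = {
    "ike_encryption": "aes256",
    "ike_auth": "sha1",
    "ike_dh_group": 14,
    "ike_lifetime": 28800,
    "ipsec_encryption": "aes256",
    "ipsec_auth": "sha1",
    "ipsec_pfs": None,        # PFS off; otherwise the DH group number
    "ipsec_lifetime": 28800,
}

# ASA keyword -> dashboard name. On the ASA, bare "aes"/"esp-aes" means AES-128
# and "sha"/"esp-sha-hmac" means SHA-1.
IKE_CIPHER = {"des": "des", "3des": "3des", "aes": "aes128",
              "aes-192": "aes192", "aes-256": "aes256"}
IKE_HASH = {"md5": "md5", "sha": "sha1"}
ESP_CIPHER = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128",
              "esp-aes-192": "aes192", "esp-aes-256": "aes256"}
ESP_HASH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}


def parse_asa(config: str) -> dict:
    """Extract the Phase 1 / Phase 2 parameters from an ASA config excerpt."""
    params = {"ipsec_pfs": None}
    in_policy = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto ikev1 policy") or line.startswith("crypto isakmp policy"):
            in_policy = True          # following indented lines belong to the policy
            continue
        if in_policy and raw.startswith(" "):
            key, _, val = line.partition(" ")
            if key == "encryption":
                params["ike_encryption"] = IKE_CIPHER[val]
            elif key == "hash":
                params["ike_auth"] = IKE_HASH[val]
            elif key == "group":
                params["ike_dh_group"] = int(val)
            elif key == "lifetime":
                params["ike_lifetime"] = int(val)
            continue
        in_policy = False
        m = re.match(r"crypto ipsec (?:ikev1 )?transform-set \S+ (\S+) (\S+)$", line)
        if m:
            params["ipsec_encryption"] = ESP_CIPHER[m.group(1)]
            params["ipsec_auth"] = ESP_HASH[m.group(2)]
            continue
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line)
        if m:
            params["ipsec_lifetime"] = int(m.group(1))
            continue
        m = re.match(r"crypto map \S+ \d+ set pfs(?: group(\d+))?$", line)
        if m:  # "set pfs" with no group means group 2 on the ASA
            params["ipsec_pfs"] = int(m.group(1)) if m.group(1) else 2
    return params


def compare(asa: dict, mx: dict) -> list:
    """Return one line per field where the ASA and MX settings differ."""
    return [f"{key}: ASA={asa.get(key)} MX={mx_val}"
            for key, mx_val in mx.items() if asa.get(key) != mx_val]


if __name__ == "__main__":
    problems = compare(parse_asa(ASA_CONFIG), MX_PEER)
    print("\n".join(problems) if problems else "ASA and MX proposals match")
```

Paste the real crypto section of show running-config into ASA_CONFIG and transcribe the dashboard form into MX_PEER; an empty result means the proposals agree and the next thing to check is the pre-shared key and the access list subnets.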
Alison Wallick, Network Support Engineer