Skip to main content

Site-to-Site VPN between Meraki and ASA Using the CLI

By September 16, 2019September 23rd, 2020Blog, Cisco, Networking
Diagram of Site-to-Site VPNs for Cisco ASA

If you need to create a site-to-site VPN between an ASA and Meraki Security Appliance, it’s fairly quick. I recommend using the CLI on the ASA for the configuration.

ASA CLI Configuration Steps:

Step 1: Configure ISAKMP Policy (Phase 1)

authentication pre-share
encryption encryption
hash hashtype
group group#
lifetime seconds

Step 2: Configure IPsec Transform set

crypto ipsec transform-set transform_set_name esp-aes-256 esp-sha-hmac

Step 3: Create an access list matching the addresses to communicate over the VPN tunnel   

access-list name permit ip local network remote network

Step 4: Exclude the VPN traffic from being natted

nat 0 access-list name

Step 5: Define a crypto map referencing to step 2, 3 and the outside interface of the MX. Only static crypto maps are supported.

crypto map name number match address ACLnumber
crypto map name number set transform-set transform_set_name
crypto map name number set peer peer ip

Step 6: Set the data lifetime to unlimited

crypto map name number set security-association lifetime kilobytes unlimited

Step 7: Apply the crypto map to the outside interface

crypto map name number interface outside

Step 8: Configure the tunnel group and the pre-shared key.

Tunnel-group peer ip type ipsec-l2l
Tunnel-group peer ip ipsec-attributes
pre-shared-key preshared key

Meraki-Side Configuration Steps:

On the Meraki side of the configuration, it will all be done by using the Meraki dashboard. Navigate to Security & SD-WAN > Configure > Site-to-Site VPN and you will see the following list of options:

Site-to-site VPN

  • Type
    • Off
    • Hub
    • Spoke
  • Hubs
    • If ‘Hub’ type is selected this will be your exit hub.
    • If ‘Spoke’ type is selected, the MX will send all site-to-site traffic to its configured VPN hubs.

VPN Settings

  • VPN subnet translation
  • NAT traversal
  • Remote VPN participants

OSPF Settings

  • Can choose to advertise remote routes

Organization-wide Settings

  • Non-Meraki VPN peers
  • Site-to-site outbound firewall
  • Site-to-site inbound firewall

Alison Wallick, Network Support Engineer

Leave a Reply