https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3386789#M957341 <P>The Meraki MX has no configuration for "same-security-traffic", it is allowed by default.&nbsp;The most important shortcoming is the lack of AnyConnect-support on the&nbsp;MX. You can use the build-in VPN-Clients of the operating-systems, but that is not as comfortable as it was with ASA/AnyConnect.</P> Tue, 22 May 2018 08:05:46 GMT Karsten Iwen 2018-05-22T08:05:46Z https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3386458#M957340 <DIV class="lia-message-subject lia-component-message-view-widget-subject">&nbsp;</DIV> <DIV class="lia-message-body lia-component-body-signature-highlight-escalation" id="messageBodySimpleDisplay"> <DIV class="lia-message-body-content"> <P>Hello all,</P> <P>We are looking to migrate clients from ASA5505s to something newer.&nbsp; We initially tried Cisco RV320/340 but this does not seem to be a stable platform and these firewalls have their share of issues and shortcomings. &nbsp;</P> <P>We are getting ready to test Meraki MX64s and understand that the IPSEC site to site and client to site is supported. &nbsp;</P> <P>One issue with the RV340 that we tested was connecting to client to site VPN and then using resources on the other side of a site to site VPN.&nbsp; This is accomplished on the ASA by using <SPAN>the same-security-traffic command however there was no equivalent on the RV340</SPAN></P> <P>&nbsp;see post below</P> <P><A href="https://supportforums.cisco.com/t5/small-business-routers/rv340-equivalent-to-asa-same-security-traffic-command/td-p/3385697" target="_blank">https://supportforums.cisco.com/t5/small-business-routers/rv340-equivalent-to-asa-same-security-traffic-command/td-p/3385697</A></P> <P>Note it is not possible by just using split tunneling.</P> <P>Does anyone know whether Meraki MX64 supports functionality equivalent to&nbsp;<SPAN>same-security-traffic command </SPAN><BR />Thanks!</P> <DIV>p.s. we understand that SonicWALL is an option but we have lots of clients that have multiple sites and the upgrade path would be more painful&nbsp;</DIV> </DIV> </DIV> <DIV class="lia-panel lia-panel-standard MessageTagsTaplet Chrome lia-component-message-view-widget-tags"> <DIV class="lia-decoration-border"> <DIV class="lia-decoration-border-top">&nbsp;</DIV> <DIV class="lia-decoration-border-content"> <DIV> <DIV class="lia-panel-heading-bar-wrapper"> <DIV class="lia-panel-heading-bar"><SPAN class="lia-panel-heading-bar-title">Everyone's tags <SPAN class="lia-panel-heading-bar-count">(0)</SPAN></SPAN></DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Fri, 21 Feb 2020 15:47:38 GMT https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3386458#M957340 TekResults 2020-02-21T15:47:38Z https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3386789#M957341 <P>The Meraki MX has no configuration for "same-security-traffic", it is allowed by default.&nbsp;The most important shortcoming is the lack of AnyConnect-support on the&nbsp;MX. You can use the build-in VPN-Clients of the operating-systems, but that is not as comfortable as it was with ASA/AnyConnect.</P> Tue, 22 May 2018 08:05:46 GMT https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3386789#M957341 Karsten Iwen 2018-05-22T08:05:46Z https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3386799#M957342 <P>I know that it is not what you are asking, but I would upgrade to an ASA 5506-X/5508-X with Firepower Services, depending on traffic and throughput needed.</P> <P>&nbsp;</P> <P>You get all the functionality you need for site-to-site and user (AnyConnect) VPNs and you also get one of the top IPS solutions in the market!</P> Tue, 22 May 2018 08:33:22 GMT https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3386799#M957342 AlexPi 2018-05-22T08:33:22Z https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3387529#M957343 Hi Alex,<BR /><BR />Did you happen to test Meraki's MX IPS functionality?<BR />I am debating between MX100 and 5525X for setup where only IPS inspection is required (so the appliance will be deployed in bridge/transparent mode). Wed, 23 May 2018 08:34:34 GMT https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3387529#M957343 Florin Barhala 2018-05-23T08:34:34Z https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3387567#M957344 <P>I have a couple of both devices running and there is one&nbsp;major difference:</P> <P>&nbsp;</P> <P>IPS on the MX is a simple switch-on with the choice of Security/Balanced/Connectivity&nbsp;IPS&nbsp;rulesets. You don't really tune your IPS, but if there are false positives you can adapt the IPS to it. With that, the management of the IPS is very easy.</P> <P>&nbsp;</P> <P>When using the ASA for IPS, I today would install it with the FTD image&nbsp;where you configure it with a local management-server (FMC). The system is highly tunable but that&nbsp;can become quite challenging to configure. A real good feature is that this tuning can be done in an automated way (for the brave admins).</P> <P>&nbsp;</P> <P>Conclusion: If you have limited IPS-knowledge and/or limited time to tune the IPS, then the MX could give you a better solution. If you are willing to invest time and knowledge, you can get more security from the Firepower IPS.</P> Wed, 23 May 2018 09:38:07 GMT https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3387567#M957344 Karsten Iwen 2018-05-23T09:38:07Z https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3387602#M957345 That's good to know! <BR />Can you share some thoughts about reporting part also? Anything special on any of the two options? Wed, 23 May 2018 10:39:30 GMT https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3387602#M957345 Florin Barhala 2018-05-23T10:39:30Z https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3387612#M957346 <P>Reporting is quite powerful on both solutions. In Meraki MX, the reports are not as customizable as in FMC, but again easier to prepare.&nbsp;FMC has extensive reporting capabilities, but more special reports are sometimes not that easy to build.</P> Wed, 23 May 2018 11:00:29 GMT https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3387612#M957346 Karsten Iwen 2018-05-23T11:00:29Z https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3387636#M957347 <P>Hey Florin,</P> <P>&nbsp;</P> <P>I think&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/325766">@Karsten Iwen</a>&nbsp;basically replied to what you were asking!&nbsp;In my opinion,&nbsp;if you want real enterprise perimeter firewall with detailed customized IPS (knowing SNORT can help) and reporting, definitely the ASA 55xx-X with Firepower is the way to go. It will definitely though not be as easy to setup and run as would be the Meraki MX.</P> Wed, 23 May 2018 11:58:54 GMT https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3387636#M957347 AlexPi 2018-05-23T11:58:54Z https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3387663#M957348 Thanks for the input guys! Wed, 23 May 2018 12:34:24 GMT https://community.cisco.com/t5/network-security/asa-to-cisco-meraki-mx64-migration/m-p/3387663#M957348 Florin Barhala 2018-05-23T12:34:24Z