05-21-2018 07:59 AM - edited 02-21-2020 07:47 AM
Hello all,
We are looking to migrate clients from ASA5505s to something newer. We initially tried the Cisco RV320/340, but this does not seem to be a stable platform, and these firewalls have their share of issues and shortcomings.
We are getting ready to test Meraki MX64s and understand that IPsec site-to-site and client-to-site VPN is supported.
One issue with the RV340 that we tested was connecting to the client-to-site VPN and then using resources on the other side of a site-to-site VPN. This is accomplished on the ASA by using the same-security-traffic command; however, there was no equivalent on the RV340.
see post below
Note that it is not possible just by using split tunneling.
Does anyone know whether the Meraki MX64 supports functionality equivalent to the same-security-traffic command?
Thanks!
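For readers unfamiliar with what the ASA side of this looks like, here is an added configuration example (not the original poster's config) of the pieces that let a remote-access client "hairpin" through the ASA into a site-to-site tunnel. The object names, group-policy name, ACL names and the three subnets (HQ LAN 10.10.0.0/24, branch LAN 10.20.0.0/24, client pool 10.200.0.0/24) are assumptions chosen for the example; the post-8.3 NAT syntax is shown.

```cisco
! Added example, not the original poster's configuration.
! Assumed addressing: HQ LAN 10.10.0.0/24 (inside), branch LAN 10.20.0.0/24
! (behind the site-to-site tunnel), remote-access client pool 10.200.0.0/24.

! 1. The command the thread is about: let traffic that arrived on the outside
!    interface (decrypted client VPN) leave again on the same interface
!    (re-encrypted into the site-to-site tunnel). Without it the ASA drops
!    the hairpin. The RV340 has no equivalent; the Meraki MX allows it by default.
same-security-traffic permit intra-interface

object network HQ-LAN
 subnet 10.10.0.0 255.255.255.0
object network BRANCH-LAN
 subnet 10.20.0.0 255.255.255.0
object network RA-VPN-POOL
 subnet 10.200.0.0 255.255.255.0

! 2. NAT exemption (identity NAT) so client addresses are preserved on both paths.
!    outside,outside covers the hairpin: client pool <-> branch LAN.
nat (outside,outside) source static RA-VPN-POOL RA-VPN-POOL destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
nat (inside,outside)  source static HQ-LAN HQ-LAN destination static RA-VPN-POOL RA-VPN-POOL no-proxy-arp route-lookup

! 3. Split tunneling alone is not enough (as the post says), but the split-tunnel
!    list still has to include the branch LAN or clients never send it into the tunnel.
access-list SPLIT-TUNNEL standard permit 10.10.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.20.0.0 255.255.255.0

group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 4. The site-to-site "interesting traffic" ACL must carry the client pool as well,
!    otherwise the hairpinned packets never match the L2L SA. The branch peer's
!    crypto ACL has to mirror this (10.20.0.0/24 -> 10.200.0.0/24).
access-list L2L-TO-BRANCH extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list L2L-TO-BRANCH extended permit ip 10.200.0.0 255.255.255.0 10.20.0.0 255.255.255.0
```

One security caveat worth checking before turning this on: with the default `sysopt connection permit-vpn`, decrypted VPN traffic bypasses the outside interface ACL, so once hairpinning is permitted every remote-access client can reach everything the site-to-site tunnel carries. If that is broader than intended, attach a `vpn-filter` ACL to the remote-access group policy to restrict which branch hosts and ports clients may reach.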
05-22-2018 01:05 AM
The Meraki MX has no configuration for "same-security-traffic"; it is allowed by default. The most important shortcoming is the lack of AnyConnect support on the MX. You can use the built-in VPN clients of the operating systems, but that is not as comfortable as it was with ASA/AnyConnect.
05-22-2018 01:31 AM - edited 05-22-2018 01:33 AM
I know that it is not what you are asking, but I would upgrade to an ASA 5506-X/5508-X with Firepower Services, depending on traffic and throughput needed.
You get all the functionality you need for site-to-site and user (AnyConnect) VPNs and you also get one of the top IPS solutions in the market!
05-23-2018 01:34 AM
05-23-2018 02:38 AM
I have a couple of both devices running and there is one major difference:
IPS on the MX is a simple switch-on with the choice of Security/Balanced/Connectivity IPS rulesets. You don't really tune your IPS, but if there are false positives you can adapt the IPS to it. With that, the management of the IPS is very easy.
When using the ASA for IPS, I today would install it with the FTD image, where you configure it with a local management server (FMC). The system is highly tunable, but that can become quite challenging to configure. A really good feature is that this tuning can be done in an automated way (for the brave admins).
Conclusion: If you have limited IPS-knowledge and/or limited time to tune the IPS, then the MX could give you a better solution. If you are willing to invest time and knowledge, you can get more security from the Firepower IPS.
05-23-2018 03:39 AM
05-23-2018 04:00 AM
Reporting is quite powerful on both solutions. In Meraki MX, the reports are not as customizable as in FMC, but again easier to prepare. FMC has extensive reporting capabilities, but more special reports are sometimes not that easy to build.
05-23-2018 04:58 AM
Hey Florin,
I think @Karsten Iwen basically replied to what you were asking! In my opinion, if you want a real enterprise perimeter firewall with detailed, customized IPS (knowing Snort can help) and reporting, the ASA 55xx-X with Firepower is definitely the way to go. It will definitely not be as easy to set up and run, though, as the Meraki MX would be.
05-23-2018 05:34 AM