
ASA to Cisco Meraki MX64 migration

TekResults
Level 1
 

Hello all,

We are looking to migrate clients from ASA5505s to something newer.  We initially tried Cisco RV320/340 but this does not seem to be a stable platform and these firewalls have their share of issues and shortcomings.  

We are getting ready to test Meraki MX64s and understand that IPSEC site to site and client to site are supported.

One issue with the RV340 that we tested was connecting to client to site VPN and then using resources on the other side of a site to site VPN. This is accomplished on the ASA by using the same-security-traffic command; however, there was no equivalent on the RV340 (see post below).

https://supportforums.cisco.com/t5/small-business-routers/rv340-equivalent-to-asa-same-security-traffic-command/td-p/3385697

Note it is not possible by just using split tunneling.

Does anyone know whether the Meraki MX64 supports functionality equivalent to the same-security-traffic command?

Thanks!

p.s. we understand that SonicWALL is an option but we have lots of clients that have multiple sites and the upgrade path would be more painful 
 

The Meraki MX has no configuration for "same-security-traffic"; it is allowed by default. The most important shortcoming is the lack of AnyConnect support on the MX. You can use the built-in VPN clients of the operating systems, but that is not as comfortable as it was with ASA/AnyConnect.

AlexPi
Level 1

I know that it is not what you are asking, but I would upgrade to an ASA 5506-X/5508-X with Firepower Services, depending on traffic and throughput needed.

 

You get all the functionality you need for site-to-site and user (AnyConnect) VPNs and you also get one of the top IPS solutions in the market!

------------------------------------------------------------------
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------

Hi Alex,

Did you happen to test Meraki's MX IPS functionality?
I am debating between MX100 and 5525X for a setup where only IPS inspection is required (so the appliance will be deployed in bridge/transparent mode).

I have a couple of both devices running and there is one major difference:

 

IPS on the MX is a simple switch-on with the choice of Security/Balanced/Connectivity IPS rulesets. You don't really tune your IPS, but if there are false positives you can adapt the IPS to it. With that, the management of the IPS is very easy.

 

When using the ASA for IPS, today I would install it with the FTD image, where you configure it with a local management server (FMC). The system is highly tunable, but that can become quite challenging to configure. A really good feature is that this tuning can be done in an automated way (for the brave admins).

 

Conclusion: If you have limited IPS-knowledge and/or limited time to tune the IPS, then the MX could give you a better solution. If you are willing to invest time and knowledge, you can get more security from the Firepower IPS.

That's good to know!
Can you share some thoughts about the reporting part also? Anything special on any of the two options?

Reporting is quite powerful on both solutions. In Meraki MX, the reports are not as customizable as in FMC, but again easier to prepare. FMC has extensive reporting capabilities, but more special reports are sometimes not that easy to build.

Hey Florin,

 

I think @Karsten Iwen basically replied to what you were asking! In my opinion, if you want a real enterprise perimeter firewall with detailed customized IPS (knowing SNORT can help) and reporting, the ASA 55xx-X with Firepower is definitely the way to go. It will definitely not be as easy to set up and run as the Meraki MX, though.


Thanks for the input, guys!