ASA to Cisco Meraki MX64 migration
05-21-2018 07:59 AM - edited 02-21-2020 07:47 AM
Hello all,
We are looking to migrate clients from ASA5505s to something newer. We initially tried Cisco RV320/340 but this does not seem to be a stable platform and these firewalls have their share of issues and shortcomings.
We are getting ready to test Meraki MX64s and understand that the IPSEC site to site and client to site is supported.
One issue with the RV340 that we tested was connecting to client to site VPN and then using resources on the other side of a site to site VPN. This is accomplished on the ASA by using the same-security-traffic command; however, there was no equivalent on the RV340.
see post below
Note it is not possible by just using split tunneling.
Does anyone know whether Meraki MX64 supports functionality equivalent to the same-security-traffic command?
Thanks!
- Labels: NGFW Firewalls
05-22-2018 01:05 AM
The Meraki MX has no configuration for "same-security-traffic"; it is allowed by default. The most important shortcoming is the lack of AnyConnect support on the MX. You can use the built-in VPN clients of the operating systems, but that is not as comfortable as it was with ASA/AnyConnect.
05-22-2018 01:31 AM - edited 05-22-2018 01:33 AM
I know that it is not what you are asking, but I would upgrade to an ASA 5506-X/5508-X with Firepower Services, depending on traffic and throughput needed.
You get all the functionality you need for site-to-site and user (AnyConnect) VPNs and you also get one of the top IPS solutions in the market!
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------

05-23-2018 01:34 AM
Did you happen to test Meraki's MX IPS functionality?
I am debating between MX100 and 5525X for a setup where only IPS inspection is required (so the appliance will be deployed in bridge/transparent mode).
05-23-2018 02:38 AM
I have a couple of both devices running and there is one major difference:
IPS on the MX is a simple switch-on with the choice of Security/Balanced/Connectivity IPS rulesets. You don't really tune your IPS, but if there are false positives you can adapt the IPS to it. With that, the management of the IPS is very easy.
When using the ASA for IPS, today I would install it with the FTD image, where you configure it with a local management server (FMC). The system is highly tunable, but that can become quite challenging to configure. A really good feature is that this tuning can be done in an automated way (for the brave admins).
Conclusion: If you have limited IPS-knowledge and/or limited time to tune the IPS, then the MX could give you a better solution. If you are willing to invest time and knowledge, you can get more security from the Firepower IPS.
05-23-2018 03:39 AM
Can you share some thoughts about the reporting part also? Anything special on any of the two options?
05-23-2018 04:00 AM
Reporting is quite powerful on both solutions. In Meraki MX, the reports are not as customizable as in FMC, but again easier to prepare. FMC has extensive reporting capabilities, but more special reports are sometimes not that easy to build.
05-23-2018 04:58 AM
Hey Florin,
I think @Karsten Iwen basically replied to what you were asking! In my opinion, if you want a real enterprise perimeter firewall with detailed customized IPS (knowing SNORT can help) and reporting, definitely the ASA 55xx-X with Firepower is the way to go. It will definitely though not be as easy to set up and run as would be the Meraki MX.
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------

05-23-2018 05:34 AM
