10-17-2018 12:56 PM
How do I configure a Cisco ASA to communicate with a Meraki and vice versa? Our servers are currently connected to the Meraki and we would like the computers connected to the ASA to communicate with the servers as well.
We are trying to replace the Meraki with a Cisco ASA and we would like to have the Cisco ASA work side by side with the Meraki until the migration. Is this possible?
10-18-2018 12:08 AM
Hi there,
If you are trying to complete a phased migration between firewalls then the best approach is to put the ASA 'inline', i.e., client devices hit the ASA interfaces first and the processed traffic is then sent onwards to the Meraki. Keep in mind this is for testing the packet filtering only; no other firewall functions (e.g. NAT, VPN) could be tested in this topology.
Putting it inline allows you to test your firewall ACLs against the existing ones on the Meraki. Interface IP addresses will not reflect the end state of the ASA. In theory you should see no dropped packets on the Meraki for the security-zones which you are testing. It is a good idea to start with a permit ip any any and slowly add the rules to the ASA.
You may be limited by the number of security-zones you can test concurrently due to lack of interfaces on the ASA.
Testing of NAT and VPN would require the ASA to be placed upstream of the Meraki and for those functions to be disabled on it too.
Once you have tested each firewall component, put the ASA 'alongside' the Meraki and during an outage window adjust routing to send traffic to the ASA.
Cheers,
Seb.
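As an added example, not part of Seb's reply or the original thread, this is the ASA side of the inline ACL test described above: the ASA sits between the clients and the Meraki, does no NAT, starts with a logged permit-any and has explicit rules inserted ahead of it as they are ported from the Meraki. Interface names, addresses and the sample rules are constructed for illustration.

```cisco
! Added example (not from the thread): ASA placed inline in front of the
! Meraki for packet-filter testing only. No NAT or VPN is configured, so the
! Meraki sees the clients' real source addresses.
! Interface names, addresses and rules below are constructed.
!
! Inside-facing interface: clients use this as their gateway during the test
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
 no shutdown
!
! Transit interface towards the Meraki LAN side
interface GigabitEthernet0/0
 nameif transit
 security-level 0
 ip address 10.10.99.1 255.255.255.0
 no shutdown
!
! Temporary default route: everything the ASA permits goes on to the Meraki
route transit 0.0.0.0 0.0.0.0 10.10.99.2
!
! Step 1: start wide open, but log every hit so the traffic profile is visible
access-list INSIDE_IN extended permit ip any any log
access-group INSIDE_IN in interface inside
!
! Step 2: as rules are ported from the Meraki, insert them above the catch-all
! (explicit line numbers keep them ahead of the permit any any)
access-list INSIDE_IN line 1 extended permit tcp 10.10.10.0 255.255.255.0 host 10.20.20.10 eq 443
access-list INSIDE_IN line 2 extended permit udp 10.10.10.0 255.255.255.0 host 10.20.20.53 eq 53
!
! Step 3: once the catch-all no longer accumulates hits, swap it for a logged deny
no access-list INSIDE_IN extended permit ip any any log
access-list INSIDE_IN extended deny ip any any log
!
! Verify: per-ACE hit counts on the ASA; the Meraki event log should show no new drops
show access-list INSIDE_IN
```

The Meraki needs a return route for the client subnet (10.10.10.0/24 in this example) pointing at the ASA's transit address, otherwise replies never reach the clients and every flow looks dropped. Because the 'transit' interface is security-level 0, traffic returning from the Meraki is stateful return traffic and needs no inbound ACL there.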
10-18-2018 08:39 AM
Hi Seb,
Thanks for your reply. I already connected the ASA side by side with the Meraki using a managed switch. Now, I would like to have the computers connected to the ASA and the computers connected to the Meraki communicate. Is it possible to do a VPN tunnel in this case between the ASA and Meraki in the same network, or should I just ask the company managing our Meraki to allow the ASA to pass through the Meraki network?
10-18-2018 08:51 AM
Do the ASA and Meraki share any subnets? If so you could connect the interfaces to a switch. This would give your devices two gateways to choose from.
If both devices are routing different 'inside' subnets for devices then create a Layer 3 link between the firewalls, run an IGP across the link and advertise their local subnets.
cheers,
Seb.
10-18-2018 08:58 AM
The ASA's and Meraki's outside interfaces are on the same subnet but they have two different internal subnets.
10-18-2018 09:03 AM
Do you have NAT configured on the ASA and Meraki outside interfaces? If so, you will need to connect the devices via a point-to-point link and run an IGP on that.
If you are not running NAT, then you could peer the devices via their outside interfaces as this would not require a mass of NAT translation to make the inside subnets accessible.
cheers,
Seb.
10-18-2018 09:49 AM
Yes I have NAT on the Cisco ASA as it has a VPN tunnel running connecting to a remote site. The Meraki is also connected to the same remote site.
10-19-2018 12:21 AM
Then a Layer 3 peer link between the firewalls on their 'inside' would be the best option.
Let us know how the configuration goes.
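As an added example, not part of Seb's replies or the original thread, this is the ASA side of the Layer 3 peer link he recommends: a dedicated inside-side link to the Meraki, OSPF across it to exchange the two inside subnets, and an identity NAT so the existing outside NAT (needed for the remote-site VPN) is never applied to traffic crossing the peer link. Interface names, addresses, the OSPF area and the Meraki subnet are constructed; the Meraki side is configured in Dashboard and is not shown.

```cisco
! Added example (not from the thread): ASA side of a Layer 3 peer link to the
! Meraki's inside, with OSPF across the link. All names and addresses are
! constructed; 10.20.20.0/24 stands in for the subnet behind the Meraki.
!
! Existing inside subnet behind the ASA
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
!
! Dedicated point-to-point link to the Meraki LAN-side interface
interface GigabitEthernet0/2
 nameif peer
 security-level 100
 ip address 10.10.200.1 255.255.255.252
 no shutdown
!
! Both interfaces are level 100; allow traffic between same-security interfaces.
! If an ACL is applied inbound on 'inside', it must also permit the Meraki subnet.
same-security-traffic permit inter-interface
!
! OSPF: advertise the ASA's inside subnet and form an adjacency over the link
router ospf 1
 router-id 10.10.200.1
 network 10.10.10.0 255.255.255.0 area 0
 network 10.10.200.0 255.255.255.252 area 0
 log-adj-changes
!
! Keep the peer-link traffic out of the outside NAT / VPN translations.
! A manual (twice) NAT identity rule is evaluated before any object NAT.
object network INSIDE_NET
 subnet 10.10.10.0 255.255.255.0
object network MERAKI_NET
 subnet 10.20.20.0 255.255.255.0
nat (inside,peer) source static INSIDE_NET INSIDE_NET destination static MERAKI_NET MERAKI_NET no-proxy-arp route-lookup
!
! Verify: adjacency up, Meraki subnet learned via 'peer', and a simulated flow
! from an ASA-side host to a Meraki-side server takes the peer path untranslated
show ospf neighbor
show route
packet-tracer input inside tcp 10.10.10.50 12345 10.20.20.10 445
```

Check in Dashboard whether the Meraki both advertises and learns OSPF routes or only advertises; if it only advertises, replace the `router ospf` stanza on the ASA with `route peer 10.20.20.0 255.255.255.0 10.10.200.2` and add the matching static route for 10.10.10.0/24 on the Meraki. Either way, hosts on each side keep their current default gateway; only the two firewalls need to know about each other's inside subnet.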