What is the correct CLI command to enable Meraki AP Cloud access?

Meraki suggests the following access to allow communication between the AP and the cloud. What is the correct syntax to put these rules in place on a Cisco ASA 5520 using the CLI?

[Attached screenshot: 2015-02-27_08_04_18-Firewall_info_-_Meraki_Dashboard_-_Meraki_Corp_-_wireless.png (Meraki Dashboard "Firewall info" page)]


Re: What is the correct CLI command to enable Meraki AP Cloud access?

Hi rmiller,

Prerequisites for the following CLI commands are the following:

- ASA software version is 8.3 or later;

- NAT to allow internet access for the AP subnet is already configured;

- An ACL is already applied to the FW interface facing the AP subnet LAN and you know its name.

So first we define network object groups that will be part of your ACL:

object network Meraki_Cloud_Subnet1
 subnet 108.161.147.0 255.255.255.0
object network Meraki_Cloud_Subnet2
 subnet 199.231.78.0 255.255.255.0
object network Meraki_Cloud_Subnet3
 subnet 17.0.0.0 255.0.0.0
object network Meraki_Cloud_Host1
 host 64.156.192.245
object network Meraki_Cloud_Host2
 host 64.62.142.12
object-group network Meraki_Cloud
 network-object object Meraki_Cloud_Subnet1
 network-object object Meraki_Cloud_Subnet2
 network-object object Meraki_Cloud_Host1
 network-object object Meraki_Cloud_Host2

Then we define service object groups:

object-group service Meraki_udp udp
 port-object eq 1812
 port-object eq 7351
 port-object eq 9350
object-group service Meraki_tcp1 tcp
 port-object eq 993
 port-object eq 7734
 port-object eq 7752
 port-object range 60000 61000
object-group service Meraki_tcp2 tcp
 port-object eq 5223
 port-object range 2195 2196
object-group service Meraki_tcp3 tcp
 port-object eq 80
 port-object eq 443
 port-object range 5228 5230

And finally we'll write the ACL:

access-list [ACL NAME] remark VPN Registry and Meraki Cloud communication, 802.1X with meraki radius
access-list [ACL NAME] extended permit udp [AP-SUBNET] [AP-MASK] object-group Meraki_Cloud object-group Meraki_udp
access-list [ACL NAME] remark Bck config downloads,Bck firmware downloads, Throughput tests tool and RDP
access-list [ACL NAME] extended permit tcp [AP-SUBNET] [AP-MASK] object-group Meraki_Cloud object-group Meraki_tcp1
access-list [ACL NAME] remark iOS system manager communication
access-list [ACL NAME] extended permit tcp [AP-SUBNET] [AP-MASK] object Meraki_Cloud_Subnet3 object-group Meraki_tcp2
access-list [ACL NAME] remark Systems Manager agent communication, Android Systems Manager communication
access-list [ACL NAME] extended permit tcp [AP-SUBNET] [AP-MASK] any object-group Meraki_tcp3

Just replace [ACL NAME] with the name of the ACL applied to the interface facing the AP LAN and [AP-SUBNET] [AP-MASK] with the access points' subnet/mask.

Hope this helps,

Regards
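
A way to check that the configuration above really permits what it is meant to (and nothing more), as an added example that is not part of the forum reply: the script below parses the reply's object, object-group and access-list lines into flat rules, then asks whether given flows would be permitted. The ACL name AP_LAN_IN, the AP subnet 10.10.10.0/24, the source address and the list of required endpoint/port pairs are assumed values filled in for the example; the parser covers only the ASA syntax the reply uses.

```python
"""Expand the reply's ASA objects/ACL into flat rules and check coverage.

Added example, not the forum reply's own code. The config string is the
reply's configuration with its placeholders filled in with assumed values
(ACL name AP_LAN_IN, AP subnet 10.10.10.0/24). Only the ASA syntax used in
the reply is parsed: object network (subnet/host), object-group network
(network-object object), object-group service (port-object eq/range) and
extended permit lines whose destination is object, object-group or any.
"""
import ipaddress

ASA_CONFIG = """
object network Meraki_Cloud_Subnet1
 subnet 108.161.147.0 255.255.255.0
object network Meraki_Cloud_Subnet2
 subnet 199.231.78.0 255.255.255.0
object network Meraki_Cloud_Subnet3
 subnet 17.0.0.0 255.0.0.0
object network Meraki_Cloud_Host1
 host 64.156.192.245
object network Meraki_Cloud_Host2
 host 64.62.142.12
object-group network Meraki_Cloud
 network-object object Meraki_Cloud_Subnet1
 network-object object Meraki_Cloud_Subnet2
 network-object object Meraki_Cloud_Host1
 network-object object Meraki_Cloud_Host2
object-group service Meraki_udp udp
 port-object eq 1812
 port-object eq 7351
 port-object eq 9350
object-group service Meraki_tcp1 tcp
 port-object eq 993
 port-object eq 7734
 port-object eq 7752
 port-object range 60000 61000
object-group service Meraki_tcp2 tcp
 port-object eq 5223
 port-object range 2195 2196
object-group service Meraki_tcp3 tcp
 port-object eq 80
 port-object eq 443
 port-object range 5228 5230
access-list AP_LAN_IN extended permit udp 10.10.10.0 255.255.255.0 object-group Meraki_Cloud object-group Meraki_udp
access-list AP_LAN_IN extended permit tcp 10.10.10.0 255.255.255.0 object-group Meraki_Cloud object-group Meraki_tcp1
access-list AP_LAN_IN extended permit tcp 10.10.10.0 255.255.255.0 object Meraki_Cloud_Subnet3 object-group Meraki_tcp2
access-list AP_LAN_IN extended permit tcp 10.10.10.0 255.255.255.0 any object-group Meraki_tcp3
"""

ANY = [ipaddress.ip_network("0.0.0.0/0")]


def parse_asa(text):
    """Return flat rules as (proto, src_networks, dst_networks, port_ranges)."""
    objects, net_groups, svc_groups, rules = {}, {}, {}, []
    current = None  # name of the object/group whose body is being read

    def take_addr(tok):
        # Consume one address specification and return (networks, remaining tokens).
        if tok[0] == "any":
            return ANY, tok[1:]
        if tok[0] == "object":
            return [objects[tok[1]]], tok[2:]
        if tok[0] == "object-group":
            return net_groups[tok[1]], tok[2:]
        return [ipaddress.ip_network(f"{tok[0]}/{tok[1]}")], tok[2:]

    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif tok[:2] == ["object-group", "network"]:
            current = tok[2]
            net_groups[current] = []
        elif tok[:2] == ["object-group", "service"]:
            current = tok[2]
            svc_groups[current] = (tok[3], [])  # (protocol, list of (lo, hi))
        elif tok[0] == "subnet":
            objects[current] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        elif tok[0] == "host":
            objects[current] = ipaddress.ip_network(f"{tok[1]}/32")
        elif tok[:2] == ["network-object", "object"]:
            net_groups[current].append(objects[tok[2]])  # KeyError if the name is wrong
        elif tok[:2] == ["port-object", "eq"]:
            svc_groups[current][1].append((int(tok[2]), int(tok[2])))
        elif tok[:2] == ["port-object", "range"]:
            svc_groups[current][1].append((int(tok[2]), int(tok[3])))
        elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            proto, rest = tok[4], tok[5:]
            src, rest = take_addr(rest)
            dst, rest = take_addr(rest)
            ports = [(0, 65535)]
            if rest[:1] == ["object-group"]:
                grp_proto, ports = svc_groups[rest[1]]
                if grp_proto != proto:
                    raise ValueError(f"service group {rest[1]} is {grp_proto}, rule is {proto}")
            rules.append((proto, src, dst, ports))
    return rules


def permits(rules, proto, src_ip, dst_ip, dport):
    """True if any flat rule matches the flow (first-match semantics, permit-only)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r_proto, src_nets, dst_nets, ports in rules:
        if (r_proto == proto and any(src in n for n in src_nets)
                and any(dst in n for n in dst_nets)
                and any(lo <= dport <= hi for lo, hi in ports)):
            return True
    return False


# Constructed sample of flows the ACL is meant to allow (assumed addresses
# inside the reply's destination ranges); each should come back permitted.
REQUIRED = [
    ("udp", "108.161.147.10", 7351), ("udp", "64.62.142.12", 1812),
    ("tcp", "199.231.78.5", 993), ("tcp", "64.156.192.245", 60500),
    ("tcp", "17.172.1.1", 5223), ("tcp", "17.172.1.1", 2196),
    ("tcp", "199.231.78.5", 443), ("tcp", "8.8.8.8", 5229),
]


def coverage_gaps(rules, required=REQUIRED, src_ip="10.10.10.20"):
    """Return the required flows that the parsed ACL does not permit."""
    return [r for r in required if not permits(rules, r[0], src_ip, r[1], r[2])]


if __name__ == "__main__":
    parsed = parse_asa(ASA_CONFIG)
    print("rules:", len(parsed), "gaps:", coverage_gaps(parsed))
    print("udp/7351 to 17.0.0.0/8:", permits(parsed, "udp", "10.10.10.20", "17.172.1.1", 7351))
```

Feeding the original `network-object object 108.161.147.0` lines to `parse_asa` raises a KeyError, which is the same class of mistake the ASA parser would reject: `network-object object` takes an object name, not an address. The last check shows that 17.0.0.0/8 is only reachable over the TCP ports in Meraki_tcp2, because that subnet is deliberately left out of the Meraki_Cloud group; the final `any` rule is the widest line in the ACL and is worth reviewing against the current Meraki firewall-info page for your own deployment.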
