Site to site VPN with ASA and Meraki Z1

burleyman
Level 8

Has anyone set up a site-to-site VPN connection from a Cisco ASA to a Meraki/Cisco Z1? If so, how did you configure the Cisco ASA? The Z1 will be taken to different sites, so it will have different IP addresses.

Thanks,

Mike

7 Replies

nkarthikeyan
Level 7

Hi,

 

In case of dhcp ip address on your vpn end point we can have no problems. But if you move your device to a different site, which will have a different IP addresses for your meraki firewalls..... then you have to do changes on both the ends evrytime you move as per my knowledge. In this case DNS also will not help.

 

Regards

Karthik

Hi Mike,

You can use the following document to configure L2L VPN tunnels with a dynamic IP on the remote side:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
The configuration remains the same on the ASA side.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

He will be moving that device to multiple sites and he will be getting a different set of IP addresses... do you think the above-mentioned document will still help?

Regards

Karthik

Hi Karthik,

If the device will be moved to multiple sites, the most optimum way of "getting a different set of IP addresses" would be dynamic assignment rather than manually entering IPs. In such a case, we can surely use the above deployment.

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

Yeah, I agree with your point. Thanks for that.

But he has to have the DHCP options at the sites wherever he goes.

If he has a situation where he has to use a static IP in some case, then what would happen?

How about the crypto ACL? There your LAN segment will change, right, when you move to a different site?

Will the dynamic tunnel accept the static negotiations as well?

Regards

Karthik

Hi Karthik,

If we have a static IP on the remote side, it will also fall to the default tunnel-group/dynamic map if no matching tunnel-group/crypto map sequence is present.

On the hub, we can create multiple dynamic map entries with the interesting traffic in the access-lists as shown:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65534 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65534 match address <access-list-name-1>

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address <access-list-name-2>

These access-lists will have the interesting traffic of the remote-side LAN networks, and the users can access the resources across the VPN.
Obviously, this won't be a scalable option, but it does work well.

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
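As an added illustration of the approach Dinesh describes (not code from the thread or from Cisco), the script below generates the ASA hub-side configuration for a roaming peer: one crypto ACL and one dynamic-map sequence per site LAN, a DefaultL2LGroup pre-shared key that any peer without its own tunnel-group falls back to, and the dynamic map bound to the static crypto map. It also checks the per-site LANs for overlap before emitting anything, because two dynamic-map sequences whose crypto ACLs overlap cannot both be matched. The site list, LAN prefixes, ACL and map names, sequence numbers and the placeholder pre-shared key are assumptions made for the example.

```python
"""Generate ASA hub-side IPsec config for a roaming peer (dynamic public IP,
different LAN at each site) and sanity-check the crypto ACLs first.

Constructed example for this thread; SITES, HUB_LAN, ACL/map names, sequence
numbers and the pre-shared-key placeholder are assumptions, not thread values.
"""
from ipaddress import ip_network

# Constructed sample data (assumptions for illustration only).
HUB_LAN = "10.1.0.0/24"
SITES = {  # site label -> LAN the Z1 will sit behind at that site
    "branch-a": "192.168.10.0/24",
    "branch-b": "192.168.20.0/24",
    "hotel": "172.16.5.0/24",
}
DYN_MAP = "SYSTEM_DEFAULT_CRYPTO_MAP"  # dynamic map name used in the thread
STATIC_MAP = "OUTSIDE_MAP"             # assumed name of the static crypto map
TRANSFORM_SET = "ESP-AES-256-SHA"
FIRST_SEQ = 65500                      # assumed first dynamic-map sequence


def _net(value):
    """Accept either a prefix string or an already-built network object."""
    return ip_network(value)


def check_overlaps(hub_lan, sites):
    """Return (site, other) pairs whose LANs overlap each other or the hub LAN.

    Overlapping crypto ACLs mean two dynamic-map sequences can match the same
    proxy IDs; the ASA walks sequences in order, so the later site silently
    never matches. A site LAN overlapping the hub LAN is unreachable through
    the tunnel at all.
    """
    hub = _net(hub_lan)
    nets = {name: _net(lan) for name, lan in sites.items()}
    problems = []
    names = list(nets)
    for i, a in enumerate(names):
        if nets[a].overlaps(hub):
            problems.append((a, "hub"))
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append((a, b))
    return problems


def acl_name(site):
    """Crypto ACL name for a site (the naming convention is an assumption)."""
    return "VPN-" + site.upper()


def hub_config(hub_lan, sites, psk="<PRE-SHARED-KEY-PLACEHOLDER>"):
    """Return ASA CLI lines for the hub side, or raise if the ACLs overlap."""
    problems = check_overlaps(hub_lan, sites)
    if problems:
        raise ValueError("overlapping crypto ACL networks: %r" % problems)
    hub = _net(hub_lan)
    lines = []
    # One ACL + one dynamic-map sequence per site, in a stable (sorted) order.
    for seq, (site, lan) in enumerate(sorted(sites.items()), start=FIRST_SEQ):
        lan = _net(lan)
        acl = acl_name(site)
        lines.append("access-list %s extended permit ip %s %s %s %s"
                     % (acl, hub.network_address, hub.netmask,
                        lan.network_address, lan.netmask))
        lines.append("crypto dynamic-map %s %d match address %s"
                     % (DYN_MAP, seq, acl))
        lines.append("crypto dynamic-map %s %d set ikev1 transform-set %s"
                     % (DYN_MAP, seq, TRANSFORM_SET))
    lines += [
        # Any peer with no tunnel-group of its own (dynamic or static IP)
        # lands here, which is the fallback behaviour the thread relies on.
        "tunnel-group DefaultL2LGroup ipsec-attributes",
        " ikev1 pre-shared-key %s" % psk,
        # Dynamic map must be the last sequence of the static crypto map.
        "crypto map %s 65535 ipsec-isakmp dynamic %s" % (STATIC_MAP, DYN_MAP),
        "crypto map %s interface outside" % STATIC_MAP,
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(hub_config(HUB_LAN, SITES)))
```

Two caveats worth keeping in mind with this design: the hub cannot initiate the tunnel to a dynamic peer, so only the Z1 side brings it up, and every roaming site shares the single DefaultL2LGroup pre-shared key. The generated lines also do not include the NAT exemption for the hub-to-site traffic, which still has to be configured separately.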

burleyman
Level 8

Thanks for the replies. I will digest everything and let you know if I have any other questions.

Mike