The ASA can also be configured from the CLI. These commands may differ based on IOS version.

Step 2. Define the IPsec transform set:

```
crypto ipsec transform-set Meraki_Transform_Set esp-aes-256 esp-sha-hmac
```

Step 4. Exclude the VPN traffic from being NATed.

Step 6. Define a crypto map referencing step 2, step 3 and the outside interface of the MX. Note that only static crypto maps are supported at this time. The transform-set name must match the one defined in step 2 exactly, since the name is case-sensitive.

```
crypto map ASAtoMX 20 set transform-set Meraki_Transform_Set
crypto map ASAtoMX 20 set security-association lifetime kilobytes unlimited
```

Step 7. Apply the crypto map to the outside interface.

Step 8. Configure the tunnel group and the pre-shared key. The Tunnel Group Name will be your outside IP address.

Verify your configuration and make sure you can ping all the connected devices from the Cisco ASA.
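As an added check (example code written for this page, not Meraki's or Cisco's own tooling), the following Python script lints an ASA crypto-map configuration against the requirements above: the transform set referenced by the crypto map must be defined (ASA object names are case-sensitive), the map must be static with a peer and an ipsec-l2l tunnel-group named after that peer, the map must be bound to an interface, and PFS must be off for the default MX settings. The sample config is constructed and the peer address 203.0.113.10 is a placeholder.

```python
import re

# Constructed sample ASA running-config fragment, not taken from the page. It reuses the
# page's names (Meraki_Transform_Set, ASAtoMX) and assumes a hypothetical MX peer address.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set Meraki_Transform_Set esp-aes-256 esp-sha-hmac
crypto map ASAtoMX 20 match address MX_VPN_TRAFFIC
crypto map ASAtoMX 20 set peer 203.0.113.10
crypto map ASAtoMX 20 set ikev1 transform-set Meraki_Transform_set
crypto map ASAtoMX 20 set pfs group2
crypto map ASAtoMX 20 set security-association lifetime kilobytes unlimited
crypto map ASAtoMX interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
"""

def check_asa_mx_config(config):
    """Return findings for an ASA crypto-map config that must match an MX non-Meraki peer."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    # Transform-set and tunnel-group names are matched exactly, so keep their case.
    defined_ts = {m.group(1) for ln in lines
                  if (m := re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+)", ln))}
    tunnel_groups = {m.group(1) for ln in lines
                     if (m := re.match(r"tunnel-group (\S+) type ipsec-l2l", ln))}
    entries, applied = {}, set()  # settings per (map, seq); maps bound to an interface
    for ln in lines:
        if m := re.match(r"crypto map (\S+) interface \S+", ln):
            applied.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) (.*)", ln):
            entries.setdefault((m.group(1), m.group(2)), []).append(m.group(3))
    for (name, seq), settings in entries.items():
        tag = f"crypto map {name} {seq}"
        if any(s.startswith("ipsec-isakmp dynamic") for s in settings):
            findings.append(f"{tag}: dynamic map, but only static crypto maps are supported")
        if not any(s.startswith("match address") for s in settings):
            findings.append(f"{tag}: no 'match address' ACL selecting the VPN traffic")
        for s in settings:
            if m := re.match(r"set peer (\S+)", s):
                if m.group(1) not in tunnel_groups:
                    findings.append(f"{tag}: no ipsec-l2l tunnel-group named after peer {m.group(1)}")
            elif m := re.match(r"set (?:ikev1 )?transform-set (\S+)", s):
                if m.group(1) not in defined_ts:
                    findings.append(f"{tag}: transform set {m.group(1)!r} is undefined (case-sensitive)")
            elif s.startswith("set pfs"):
                findings.append(f"{tag}: PFS is enabled, but the MX default expects PFS off")
        if not any(s.startswith("set peer") for s in settings):
            findings.append(f"{tag}: no 'set peer'; a static map needs the MX public IP")
        if name not in applied:
            findings.append(f"{tag}: map {name!r} is not applied to any interface")
    return findings
```

Run against the constructed sample, the linter reports the case-mismatched transform-set reference and the enabled PFS; the older `crypto ipsec transform-set` / `set transform-set` syntax shown on this page is accepted as well.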
#Configuring cisco asa 5505 update
The checkbox for exempting the inside network from NAT should remain checked. On the sixth and final screen you will be presented with a summary of the configuration selections you made in the last five steps. Click Finish to apply the IPsec VPN settings to the Cisco ASA. With the settings saved to the ASA, it will attempt to establish an IPsec VPN tunnel with the MX once client traffic attempts to reach the remote subnet. If you have additional subnets or want to allow only certain protocols across the VPN tunnel, you may need to adjust the crypto map or firewall settings on your ASA accordingly. The following document from Cisco can be used as a reference: An Introduction to IP Security (IPSec) Encryption. Note: These commands reference the default isakmp/ipsec parameters used by the MX. If the MX is configured to use a custom ipsec policy, be sure to update these commands accordingly.
#Configuring cisco asa 5505 series
The fifth screen asks you to specify the subnets that will be shared over the VPN tunnel. The ASA creates an object called 'inside-network' that corresponds to the subnet residing on the LAN ports of the ASA; select it for the text box labeled Local Network. In the text box labeled Remote Networks, type in the private subnet of the MX series in CIDR notation. You can either select from a list of objects by clicking on the text box to display a drop-down menu, or manually type in the subnet in CIDR notation.
The easiest way to configure the VPN tunnel is by logging onto your Cisco ASA via the ASDM GUI and using the IPsec Wizard found under Wizards > IPsec VPN Wizard. On the first screen, you will be prompted to select the type of VPN. Select Site-to-Site, leave the VPN tunnel interface as outside, then click the 'Next' button. On the second screen, you need to enter the public IP address of the MX security appliance in the text box labeled Peer IP address. Please note that this must be the IP address of the primary interface specified on the MX under Security & SD-WAN > Monitor > Appliance status > Uplink > Configuration > General. Therefore, if you have the primary uplink configured as WAN 1, you must use WAN 1's public IP address. Select the radio button for 'Pre-shared key' under Authentication Method and enter the key exactly as it appears on the MX under Security & SD-WAN > Configure > Site-to-site VPN > Organization-wide settings > Non-Meraki VPN peers > Preshared secret. The Tunnel Group Name will be automatically filled in for you based upon the peer IP address. The third screen asks you to specify the encryption and hashing algorithms used by the Phase 1 IKE policy. The MX requires the 3rd party VPN peer to have 3DES selected as the encryption algorithm, SHA1 as the authentication algorithm, and group 2 as the Diffie-Hellman group. Click Next once you have selected these options from their respective drop-down menus. The fourth screen asks you to configure the Phase 2 negotiation parameters for the IPsec rules. The MX security appliance can accept any of the following encryption algorithms: 3DES, AES-128, AES-192, and AES-256. Additionally, the MX can accept either SHA1 or MD5 as the authentication hashing algorithm. If the Meraki side VPN configuration is left at its default settings, please ensure that the box for PFS (Perfect Forward Secrecy) is unchecked. Select the Next button to proceed to the next step.
Note: The following screenshots should be used as a guide as your wizard may vary depending on the version of ASDM which is being used.