
Cisco ASA Site-to-site VPN with MX Series

This article outlines the configuration steps on a Cisco ASA for building a site-to-site VPN tunnel to a Cisco Meraki MX
or Z1.

Notes:
We strongly recommend running ASA 8.3 or above as there is a possibility the tunnel will tear down prematurely on
earlier versions. Additionally, ASA 8.2 is end of life as well as susceptible to critical security issues.
This article details setting the ASA's phase 1 and 2 parameters to the MX default. Though custom IPsec
policies can be configured in Dashboard, it is recommended to stick to the defaults whenever possible to avoid a
potential mismatch.

Configuration
The easiest way to configure the VPN tunnel is to log in to your Cisco ASA via the ASDM GUI and use the
IPsec Wizard found under Wizards > IPsec VPN Wizard.

1
On the first screen you will be prompted to select the type of VPN. Select Site-to-Site, leave the VPN tunnel interface
as outside, then click the 'Next' button.

2
On the second screen you need to enter the public IP address of the MX security appliance in the text box labeled Peer
IP address. Please note that this must be the IP address of the primary interface shown on the MX under
Monitor > Appliance status > Local status. Therefore, if the primary uplink is configured as Internet 1, you
must use Internet 1's public IP address.

Select the radio button for 'Pre-shared key' under Authentication Method and enter the key exactly as it appears on the MX
under Configure > Site to site VPN > Organization-wide settings > Non-Meraki VPN peers, in the "Preshared secret" field. The Tunnel
Group Name will be filled in automatically based on the peer IP address. Click the Next button to continue.

3
The third screen asks you to specify the encryption and hashing algorithms used by the Phase 1 IKE policy. The MX
requires the third-party VPN peer to have 3DES selected as the encryption algorithm, SHA1 as the authentication
algorithm, and group 2 specified for the Diffie-Hellman group. Click Next once you have selected these options from
their respective drop-down menus.

4
The fourth screen asks you to configure the Phase 2 negotiation parameters for the IPsec rules. The MX security
appliance can accept any of the following encryption algorithms: DES, 3DES, AES-128, AES-192 and AES-256.
Additionally, the MX can accept either SHA1 or MD5 as the authentication hashing algorithm.

If the Meraki-side VPN configuration is left at its default settings, please ensure that the box for PFS (Perfect Forward
Secrecy) is unchecked.

Select the Next button to be brought to the next step.

5
The fifth screen asks you to specify the subnets that will be shared over the VPN tunnel. The ASA creates an object
called 'inside-network' that corresponds to the subnet residing on the LAN ports of the ASA; select this object in
the text box labeled Local Network. You can select from a list of objects by clicking on the text box to display a
drop-down menu, or you can manually type in the subnet in CIDR notation. In the text box labeled Remote Networks, type
in the private subnet of the MX in CIDR notation. The checkbox for exempting the inside network from NAT
should remain checked. Select Next to continue.

6
On the sixth and final screen you will be presented with a summary of the configuration selections you made in the previous
five steps. Click Finish to apply the IPsec VPN settings to the Cisco ASA. With the settings saved, the ASA will
attempt to establish an IPsec VPN tunnel with the MX once client traffic attempts to reach the remote subnet. If you
have additional subnets or want to allow only certain protocols across the VPN tunnel, you may need to adjust your crypto
map or firewall settings on the ASA accordingly. The following link from Cisco can be used as a reference: An
Introduction to IP Security (IPSec) Encryption
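The wizard steps above map directly onto a handful of ASA CLI statements, and most failed tunnels trace back to a Phase 1 or Phase 2 setting that does not match what the MX accepts. The following Python script is an added example, not Meraki's or Cisco's code: it checks a proposed tunnel specification against the constraints stated in steps 3 and 4 (3DES/SHA1/DH group 2 for Phase 1, the listed Phase 2 algorithm sets, PFS off) and then renders the equivalent ASA CLI in the 8.4+ `crypto ikev1` syntax. The peer address, subnets, object names, access-list and crypto-map names and the 28800-second lifetime are constructed assumptions for illustration; the article does not state lifetimes, so confirm them against your own Dashboard settings.

```python
"""Validate ASA site-to-site proposals against the MX defaults described in the
article, then render the matching ASA CLI (ASA 8.4+ 'crypto ikev1' keywords).

Added example, not Meraki's or Cisco's code. Peer IP, subnets, object names and
the lifetime below are constructed placeholders, not values from the article.
"""
from dataclasses import dataclass
import ipaddress

# Constraints stated in the article for a non-Meraki peer using MX defaults.
PHASE1_REQUIRED = {"encryption": "3des", "hash": "sha", "dh_group": 2}
PHASE2_ENCRYPTION = {"des", "3des", "aes", "aes-192", "aes-256"}  # ASA keywords
PHASE2_HASH = {"sha", "md5"}


@dataclass
class TunnelSpec:
    peer_ip: str              # MX primary-uplink public IP (constructed)
    psk: str                  # must equal the MX "Preshared secret"
    local_subnet: str         # ASA inside network, CIDR
    remote_subnet: str        # MX LAN, CIDR
    p1_encryption: str = "3des"
    p1_hash: str = "sha"
    p1_dh_group: int = 2
    p2_encryption: str = "aes-256"
    p2_hash: str = "sha"
    pfs: bool = False
    lifetime: int = 28800     # assumed value; not stated in the article


def find_mismatches(spec):
    """Return the settings the MX default policy would reject (empty if none)."""
    problems = []
    if spec.p1_encryption != PHASE1_REQUIRED["encryption"]:
        problems.append(f"phase 1 encryption must be 3des, got {spec.p1_encryption}")
    if spec.p1_hash != PHASE1_REQUIRED["hash"]:
        problems.append(f"phase 1 hash must be sha, got {spec.p1_hash}")
    if spec.p1_dh_group != PHASE1_REQUIRED["dh_group"]:
        problems.append(f"phase 1 DH group must be 2, got {spec.p1_dh_group}")
    if spec.p2_encryption not in PHASE2_ENCRYPTION:
        problems.append(f"phase 2 encryption {spec.p2_encryption} not accepted by MX")
    if spec.p2_hash not in PHASE2_HASH:
        problems.append(f"phase 2 hash {spec.p2_hash} not accepted by MX")
    if spec.pfs:
        problems.append("phase 2 PFS must be disabled when the MX uses defaults")
    return problems


def cidr_to_mask(cidr):
    """ASA object definitions take 'network mask', not CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def render_asa_config(spec, local_obj="inside-network", remote_obj="mx-lan"):
    """Render the ASA CLI equivalent of wizard steps 1-5; refuse on a mismatch."""
    mismatches = find_mismatches(spec)
    if mismatches:
        raise ValueError("; ".join(mismatches))
    transform = f"ESP-{spec.p2_encryption.upper()}-{spec.p2_hash.upper()}"
    lines = [
        "crypto ikev1 enable outside",
        "crypto ikev1 policy 10",
        " authentication pre-share",
        f" encryption {spec.p1_encryption}",
        f" hash {spec.p1_hash}",
        f" group {spec.p1_dh_group}",
        f" lifetime {spec.lifetime}",
        f"object network {local_obj}",
        f" subnet {cidr_to_mask(spec.local_subnet)}",
        f"object network {remote_obj}",
        f" subnet {cidr_to_mask(spec.remote_subnet)}",
        # NAT exemption (the 'exempt inside network from NAT' checkbox in step 5)
        f"nat (inside,outside) source static {local_obj} {local_obj} "
        f"destination static {remote_obj} {remote_obj} no-proxy-arp route-lookup",
        f"access-list outside_cryptomap extended permit ip object {local_obj} object {remote_obj}",
        f"crypto ipsec ikev1 transform-set {transform} esp-{spec.p2_encryption} esp-{spec.p2_hash}-hmac",
        "crypto map outside_map 1 match address outside_cryptomap",
        f"crypto map outside_map 1 set peer {spec.peer_ip}",
        f"crypto map outside_map 1 set ikev1 transform-set {transform}",
        f"crypto map outside_map 1 set security-association lifetime seconds {spec.lifetime}",
        "crypto map outside_map interface outside",
        f"tunnel-group {spec.peer_ip} type ipsec-l2l",
        f"tunnel-group {spec.peer_ip} ipsec-attributes",
        f" ikev1 pre-shared-key {spec.psk}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values: documentation-range peer IP and RFC 1918 subnets.
    spec = TunnelSpec("203.0.113.10", "REPLACE-WITH-MX-PRESHARED-SECRET",
                      "192.168.1.0/24", "10.0.0.0/24")
    print(render_asa_config(spec))
```

Run it once with PFS enabled (`pfs=True`) or a Phase 1 hash of `md5` and `render_asa_config` refuses with the exact mismatch, which is the same information you would otherwise dig out of `debug crypto ikev1` after the tunnel fails to come up. The transform-set line is the only place where the wider Phase 2 choice from step 4 appears; everything in Phase 1 is pinned to the MX default.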

Additional Resources
Troubleshooting third-party site-to-site VPN
Custom IPsec policies with site-to-site VPN
