Site to Site VPN between Meraki MX and Cisco ASA 5508

Hi all

VPN’s are always a pain in the ass when it comes to different vendors and OS. Even if both Meraki and ASA is part of the Cisco brand there is still quite a few differences in the setup and as always alot of ways to do it incorrectly.

Let’s start with the ASA end of the link. The first thing we need to do is set up the IKE profile. Meraki uses only IKEv1 so there is no need for IKEv2.

crypto ikev1 enable outside
 crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 12800

Define the networks you wan’t to have on each end of the Meraki firewall.

 object network OBJ-ASA-Site
 subnet 192.168.10.0 255.255.255.0
 object network OBJ-Meraki-Site
 subnet 192.168.1.0 255.255.255.0

Now we will make sure that the traffic that is intended for the VPN is passed trough the tunnel. In the NAT rule the traffic is originating from the interface labeled server.

access-list MERAKI-INTERESTING-TRAFFIC extended permit ip object OBJ-ASA-Site object OBJ-Meraki-Site
nat (server,outside) source static OBJ-ASA-Site OBJ-ASA-Site destination static OBJ-Meraki-Site OBJ-Meraki-Site no-proxy-arp route-lookup

We will have to let the ASA know where to terminate the tunnel. Including the preshared key. It’s important to change the preshared key and use something a bit more secure.

tunnel-group 123.123.123.123 type ipsec-l2l
 tunnel-group  123.123.123.123  ipsec-attributes
 pre-shared-key supersecret
 isakmp keepalive threshold 10 retry 2

Finally we have to put everything together and let the ASA know where to terminate the VPN tunnel.

crypto ipsec ikev1 transform-set MERAKI-TRANSFORM esp-aes-256 esp-sha-hmac
 !
 crypto map CRYPTO-MAP 1 match address MERAKI-INTERESTING-TRAFFIC
 crypto map CRYPTO-MAP 1 set peer 123.123.123.123
 crypto map CRYPTO-MAP 1 set ikev1 transform-set MERAKI-TRANSFORM
 crypto map CRYPTO-MAP interface outside

Below is all the commands in one go to make it easier for a copy/paste.

crypto ikev1 enable outside
 crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 12800
 !
 object network OBJ-ASA-Site
 subnet 192.168.10.0 255.255.255.0
 object network OBJ-Meraki-Site
 subnet 192.168.1.0 255.255.255.0
 !
 access-list MERAKI-INTERESTING-TRAFFIC extended permit ip object OBJ-ASA-Site object OBJ-Meraki-Site
 nat (server,outside) source static OBJ-ASA-Site OBJ-ASA-Site destination static OBJ-Meraki-Site OBJ-Meraki-Site no-proxy-arp route-lookup
 !
 tunnel-group 123.123.123.123 type ipsec-l2l
 tunnel-group  123.123.123.123  ipsec-attributes
 pre-shared-key supersecret
 isakmp keepalive threshold 10 retry 2
 !
 crypto ipsec ikev1 transform-set MERAKI-TRANSFORM esp-aes-256 esp-sha-hmac
 !
 crypto map CRYPTO-MAP 1 match address MERAKI-INTERESTING-TRAFFIC
 crypto map CRYPTO-MAP 1 set peer 123.123.123.123
 crypto map CRYPTO-MAP 1 set ikev1 transform-set MERAKI-TRANSFORM
 crypto map CRYPTO-MAP interface outside

Then let’s move over to the Meraki part. This part is really easy compared to the ASA part. There isn’t much configuration to do on the Meraki to get everything up and working,.

The first thing you need to do is go to Security Appliance -> Configure -> Site-to-.Site VPN. Select Hub in the options list.

Select the networks that should be routed trough the VPN. In the previous config we said that 192.168.1.0/24 should be routed from the Meraki site.

The last part would be to configure the VPN settings on the Meraki. First column you enter a name for the connection. Secondly you need to enter the IP for the ASA firewall. In the third column you decide what networks should be sent over the VPN. The same network that we defined as OBJ-ASA-Site in the ASA config. Leave the IPSec policies as Default, the connection should come up with the Default setting. At last you enter the pre shared key, press save and you should have a VPN connection.

Advertisements

Playing with the Meraki API

Lately I have started playing with the Meraki API. The API gives us the possibility to tweak and manage whatever you want to do on the Meraki devices.

To begin with you need to get the API code from the Meraki Dashboard. You can get the API code if you click on your username in the upper right corner and then proceed to My Profile. In that window you can enable and generate API keys for your scripts.

The first script you should use is the code below. This should give you a list of organizations that you have access to with the user account you generated the API key with. Normally you only have 1 organization but many might have several organizations in the list.

curl --request GET -L \
  --url https://api.meraki.com/api/v0/organizations \
  --header 'X-Cisco-Meraki-API-Key: <API key>'

This could create the follwoing output:

[{"id":"692333","name":"Organization 1"},{"id":"293843","name":"Organization 2"},{"id":"551234","name":"Organization 3"},{"id":"123476","name":"Organization 4"}]

At this point you can choose what organisation you want to create the API for. You need to take the ID and add it to the end of the URL. If I want to towrk with organization 3 I would use 551234 as the ID. After the ID you need to add networks to list the networks for the organization. I ahve added an example below:

curl --request GET -L \
  --url https://api.meraki.com/api/v0/organizations/551234/networks \
  --header 'X-Cisco-Meraki-API-Key: <API key>'

From that you should get the following output:

[{"id":"L_662029145123456789","organizationId":"551234","name":"Site 1","timeZone":"Europe/Oslo","tags":null,"type":"combined","disableMyMerakiCom":false,"disableRemoteStatusPage":true}]

You now have all the information needed to start playing around with API’s on Meraki. Meraki got alot of documentation showing what you can do. You can find the documentation here.

As an example on what you can do I can show you how to enable and disable an SSID on a network. In the Meraki documentation for SSID’s you find the various settings that you can configure. In this example I only want to change the enabled or disabled settings for the SSID. In the data-binary setting you switch between false and true to swap between disabled and enabled setting for the SSID.

curl -L -H 'X-Cisco-Meraki-API-Key: <API key>' 
  -X PUT -H 'Content-Type: application/json' 
  --data-binary '{"enabled":true}' 'https://api.meraki.com/api/v0/organizations/551234/networks/L_662029145123456789/ssids/1'

Limit device traffic to only one MX uplink

Hi all

The Meraki MX devices gives you an easy way of automaticly use 2 uplinks. It works seamlessly but it’s hard to do some configuration that is possible on other Cisco devices.

One of those is to deny specific devices to connect over only 1 of the uplinks. Let’s say that WAN 1 is a fiber connection. You got enogh capacity to send and receive all kind of traffic. WAN 2 on the other hand is a sattelite connection. The 2 big drawbacks with sattelite is latency and speed. Sometimes even the cost per MB transferred. Often the guaranteed bandwith on a satelite connection could be as low as 64 kb/s. It’s not much bandwith for other devices then.
wanmeraki

Then the big question is, how do you limit the connection to only use WAN 1. This could be a device that sync data every hour and would generate traffic or a whole subnet with guest wifi users. You don’t want these devices use your costly satelite connection. You do most likely need it for business critical applications.

I spent a few good hours trying to find a solution to this. I asked help from Meraki and various forums. I always got told that traffic shaping should help etc. But the only thing it does is giving me the preferred uplink, it never blocks the traffic from going online if the other WAN connection is down.

The solution I came up with was to turn off NAT when you use the interface that should be blocked. All the devices behind the Meraki that should be blocked does need to be in a seperate VLAN. In version 15 you can exclude specific VLAN from the NAT policy on the uplinks. The traffic will then stop since there is no return route for the traffic (as long as youo don’t add a static route).

So in the above example we want VLAN 20 to only have access over WAN 1 and not WAN 2. You start by finding the network you want to do the change on in the Meraki Dashboard. Then go to Security & SD-WAN and Adressing and VLAN’s on the left side. In the bottom of the page you have NAT exceptions where you can choose to disable NAT on the different uplinks. In my screenshot I have excepted Crew network from the NAT policy. With this config the devices on Crew VLAN can’t use WAN 2/Uplink 2.
NAT meraki