We lit up a new site earlier this year with Charter fiber and needed to connect it back to HQ. Then another site in our area needed to be connected back to HQ, presenting a firewall decision. Our network has been a hub and spoke for a while now, with a 5510 at HQ and 5-6 other ASA 5505s out in the wild. Should we look to next-generation Cisco ASA gear to replace our aging (and soon end-of-life) 5505s and 5510, look at a different type of product for a firewall, or look at UTMs as a viable option?

After much research and deliberation, we landed on Meraki MX gear. We got an MX84 for HQ and MX64s for the remote sites. The plan was to take care of the spoke sites first, get all of the ASA 5505s replaced with MX64s, and connect them back to HQ's 5510 using IPSec. Then we'd replace the ASA 5510 with the MX84 and connect all sites again. This post is a little bit about the implementation and some hurdles we needed to jump to get the different gear's site-to-site VPN capabilities working as expected.

After several years in IT, I had never once tried to set up an IPSec tunnel on my own. I know enough to be dangerous within ASDM, but I cannot say the same for the command line. When deploying ASAs in the past, we had hired a consultant to do the configuration for us, since none of us are Cisco proficient. I started reading up on this before we got the Meraki gear to prepare for what was coming.

ASA configuration excerpt:

icmp unreachable rate-limit 5 burst-size 5
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 80.65.66.100
crypto map outside_map 20 set transform-set myset
crypto map outside_map 20 set phase1-mode aggressive
no threat-detection statistics tcp-intercept
tunnel-group 80.65.70.
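The crypto map above is the part of the ASA config that decides how strong the site-to-site tunnel actually is, and two of its settings deserve a second look: the transform-set uses 3DES with SHA-1, and phase 1 is forced into IKEv1 aggressive mode, which sends the PSK-derived hash before the exchange is encrypted and so lets anyone who captures the negotiation attack the pre-shared key offline. The script below is an added example, not the blog author's code or anything shipped by Cisco or Meraki: it parses the crypto lines an ASA prints in `show running-config`, links each crypto map entry to its transform-set, and reports the settings a reviewer would flag. The first sample is the crypto lines from this page; the second is a constructed variant using a hypothetical transform-set name `strongset` with the AES-256 / SHA-256 keywords accepted by current ASA software and no `phase1-mode` line (so the ASA defaults to main mode).

```python
"""Audit the IKEv1/IPsec crypto-map settings in a Cisco ASA config excerpt.

Added example, not the blog author's code. It parses the crypto lines an ASA
prints in 'show running-config' and reports settings a reviewer would flag.
"""
import re
from collections import defaultdict

# ESP transform keywords that are weak for a site-to-site tunnel today:
# DES/3DES are 64-bit block ciphers, esp-sha-hmac is SHA-1, esp-md5-hmac is MD5.
WEAK_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
WEAK_HASHES = {"esp-md5-hmac", "esp-sha-hmac"}
MAX_SA_LIFETIME_SECONDS = 86400  # flag phase-2 SAs that live longer than a day

# Crypto lines exactly as they appear on this page (the ASA 5510's config).
PAGE_CONFIG = """
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 80.65.66.100
crypto map outside_map 20 set transform-set myset
crypto map outside_map 20 set phase1-mode aggressive
"""

# Constructed variant of the same crypto map: hypothetical transform-set name
# 'strongset' (AES-256 / SHA-256) and no phase1-mode line, i.e. main mode.
HARDENED_CONFIG = """
crypto ipsec transform-set strongset esp-aes-256 esp-sha256-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 80.65.66.100
crypto map outside_map 20 set transform-set strongset
"""

TRANSFORM_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)")
LIFETIME_RE = re.compile(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)")
CRYPTO_MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set \S+) (.+)")


def parse_asa_crypto(text):
    """Return (transform_sets, crypto_maps, lifetimes) from an ASA config excerpt.

    transform_sets: name -> list of ESP transform keywords
    crypto_maps:    (map name, sequence number) -> {sub-command: argument}
    lifetimes:      'seconds' / 'kilobytes' -> int
    """
    transform_sets = {}
    crypto_maps = defaultdict(dict)
    lifetimes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := TRANSFORM_RE.fullmatch(line):
            transform_sets[m.group(1)] = m.group(2).split()
        elif m := LIFETIME_RE.fullmatch(line):
            lifetimes[m.group(1)] = int(m.group(2))
        elif m := CRYPTO_MAP_RE.fullmatch(line):
            crypto_maps[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4)
    return transform_sets, dict(crypto_maps), lifetimes


def audit_crypto_maps(text):
    """Return a list of 'crypto map NAME SEQ: finding' strings, empty if clean."""
    transform_sets, crypto_maps, lifetimes = parse_asa_crypto(text)
    findings = []
    for (name, seq), settings in sorted(crypto_maps.items()):
        entry = f"crypto map {name} {seq}"
        # Aggressive mode sends the PSK-derived hash before encryption is up,
        # so a captured IKE exchange can be cracked offline against the PSK.
        if settings.get("set phase1-mode") == "aggressive":
            findings.append(f"{entry}: IKEv1 aggressive mode, PSK exposed to offline cracking")
        ts_name = settings.get("set transform-set")
        if ts_name not in transform_sets:
            findings.append(f"{entry}: references undefined transform-set {ts_name}")
        for algo in transform_sets.get(ts_name, []):
            if algo in WEAK_CIPHERS:
                findings.append(f"{entry}: weak ESP cipher {algo} in transform-set {ts_name}")
            if algo in WEAK_HASHES:
                findings.append(f"{entry}: weak ESP integrity {algo} in transform-set {ts_name}")
        if "set peer" not in settings:
            findings.append(f"{entry}: no peer configured, entry will never negotiate")
    if lifetimes.get("seconds", 0) > MAX_SA_LIFETIME_SECONDS:
        findings.append(f"global: IPsec SA lifetime {lifetimes['seconds']}s exceeds one day")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_crypto_maps(cfg) or ["no findings"]:
            print(" ", finding)
```

Run against the page's crypto lines it reports three findings (aggressive mode, esp-3des, esp-sha-hmac) and nothing for the hardened variant. If the remote peer genuinely requires aggressive mode, the only mitigation that survives a captured exchange is a long, random pre-shared key, since the offline attack is a dictionary attack on the PSK.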