Cisco | Cisco IOS router to Meraki Appliance | site-to-site VPN with Zone based Firewalling

Lately I’m busy to configure Cisco IOS routers in combination with Remote offices where we place Meraki Appliances (like the MX64, MX65 or the Z1) When we do this we create also a VPN connection (site to site). In this setup the Main office has a Cisco IOS router.
Configuration of the Main Office. (Cisco IOS router)
IOS version which is used: c2900-universalk9-mz.SPA.155-3.M.bin
VPN Configuration:

crypto keyring VPN-Meraki
pre-shared-key address <remote office IP> key <fantastic vpn key>
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 2880
crypto isakmp profile VPN-MY-Meraki
keyring VPN-Meraki
match identity address <remote office ip>
crypto ipsec transform-set VPN-MY-Meraki esp-aes 256 esp-sha-hmac
mode tunnel
crypto map VPN 1 ipsec-isakmp
set peer <remote office IP>
set security-association lifetime seconds 28800
set transform-set VPN-MY-Meraki
set isakmp-profile VPN-MY-Meraki
match address 101
interface <outside>
crypto map VPN
access-list 101 remark VPN Main-office-Remote-office
access-list 101 permit ip < local subnet> <remote subnet>

You need to configure the overload with the proper settings for example in my case.

ip access-list extended ACL_OUTSIDE_OVERLOAD
deny ip < local subnet> <remote subnet>

When you are using static routes to access for example a RDS environment then you need to do this with the example IOS the following.
You have to create an access-list with you going to use to bypass the route-map for the VPN and outside internet traffic.

ip access-list extended static-no-nat
deny ip any
deny ip any <remote subnet>
permit ip any any
route-map static-no-nat permit 10
match ip address static-no-nat
ip nat inside source static tcp <server host ip> 443 <outside firewall/NAT ip> 443 route-map static-no-nat extendable

The following step is more tricky in the sense you need to know what you are doing. If you make a mistake it’s possible you won’t be able to access your device remotely or locally via ssh/telnet. But in most cased there is no problem at all.
The next step is to configured the zone based firewalling. Although this can be also the first step in the progress to configured the main site. I figured out some issues when we had this running already on a device and then configured the site to site connection with the new office.
Zone based FW step 1: (All_Protocols)

class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
match protocol http
match protocol https
match protocol dns
match protocol smtp
match protocol ntp
match protocol ipsec-msft
match protocol isakmp

Zone based FW step 2: (Remote to Local ACL)

object-group network net-MY-HQ
< local subnet>
object-group network net-REMOTE-02
< remote subnet>
ip access-list extended REMOTE-LAN-ACL
permit ip object-group net-REMOTE-02 object-group net-MY-HQ
class-map type inspect match-all REMOTE-LAN
match access-group name REMOTE-LAN-ACL

Zone based FW step 3: (Local to Remote ACL)

ip access-list extended LAN-REMOTE-ACL
permit ip object-group net-MY-HQ object-group net-REMOTE-02
class-map type inspect match-all LAN-REMOTE
match access-group name LAN-REMOTE-ACL

Zone based FW step 3: (Port forwarders configuration)

ip access-list extended FW_Portforwarding_ACL
permit tcp any host <example server host> eq smtp
class-map type inspect match-all FW_Portforwarding
match access-group name FW_Portforwarding_ACL

Zone Based FW step 4: (Activation of policies)

policy-map type inspect Trusted_to_Internet
class type inspect All_Protocols
class type inspect LAN-REMOTE
class class-default
policy-map type inspect Trusted
class class-default
policy-map type inspect FW_Portforwarding_Policy
class type inspect FW_Portforwarding
class type inspect REMOTE-LAN
class class-default
zone security Trusted
zone security Internet
zone-pair security Trusted->Internet source Trusted destination Internet
service-policy type inspect Trusted_to_Internet
zone-pair security Internet>Trusted source Internet destination Trusted
service-policy type inspect FW_Portforwarding_Policy

Zone Based FW step 5: (Activation on Interfaces)

Interface outside
zone-member security Internet
Interface Inside
zone-member security Trusted

To continue to make it possible to setup the VPN connection between the Meraki device and the Cisco IOS router. You will need to have access as organization administrator to the particular Network in the Meraki dashboard. If you don’t have this privileges then you won’t be able to make this setup.
Go to the specify network which you want to connect to the Main office
meraki-network-selectIn my case it’s a Z1 this is why you see teleworkers
Select Site-To-Site VPN
Select HUB (Mesh) if you choose Spoke then you can only connect to another Meraki device.
Select the network for VPN Usage (Use VPN)
Add a New Peer to the VPN
Select Custom by IPSec Policies. Use the settings above. And click on Update
Give the Non-Meraki VPN a name. Add the externa IP address and the private subnets of the Main office. Use the Preshared secret(key) which you have configured on the Cisco device on the Main office. Allow All networks to access the VPN
Save the configuration to the Meraki device. You will notice that the VPN connection will be available right after you have uploaded the configuration. This can take up to 2 minutes what Meraki says to you.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.