ModernCyber Blog

Deploy a Network Tunnel in Cisco Secure Access with Meraki MX

Written by Uzi Ahmed | Apr 4, 2025 4:00:00 PM

Network tunnels in Cisco Secure Access leverage IPsec IKEv2 protocols to create secure connections between your network infrastructure and Cisco's data centers. These tunnels serve as protected pathways that handle traffic routing for both internet access and private resources across your organization. They support multiple access methods simultaneously, including VPN connections, branch-to-branch communication, and Zero Trust Access implementations through both client and browser interfaces.

Deploying network tunnels to the Secure Access cloud effectively extends your network security perimeter without requiring significant additional infrastructure. This creates a hybrid environment where cloud-based security services work in concert with on-premises equipment, providing consistent protection regardless of where users or applications reside. For organizations with distributed workforces or multiple physical locations, this approach simplifies the security architecture while enhancing overall protection.

Cisco Secure Access supports a number of devices for setting up IPsec Tunnels, including Catalyst SD-WAN, ISR-G2, ASA, and FTD appliances. In this blog post, we'll look at establishing tunnels using the Meraki MX platform.

There are several advantages to using Meraki MX for tunnel implementation. A key benefit is its integration with the broader Meraki dashboard. This allows for centralized management of security policies, network configuration, and monitoring capabilities across distributed environments. Administrators can quickly identify performance issues, security events, or configuration problems without switching between multiple management interfaces. The Meraki MX platform offers a streamlined approach to establishing these tunnels, requiring minimal configuration while delivering enterprise-grade security.

Deploy a Network Tunnel in CSA

  1. In CSA, navigate to Connect > Essentials > Network Connections > Network Tunnel Groups.

  2. Add a new network tunnel group.


  3. Select a name and region for your tunnel. For Device Type, select Meraki MX.


  4. Create a Tunnel ID and Passphrase.


  5. NOTE: For routing, you must select static routing. Enter the IP address range(s) that you'd like to route through the tunnel. In this example, I created a new VLAN in Meraki MX to use exclusively for traffic to CSA.

Deploy a Network Tunnel in Meraki

  1. Navigate to Organization > Monitor > Overview.

  2. Select the network you intend to use, and add a meaningful tag. I am using the name of the tunnel I configured in Cisco Secure Access.


  3. Next select your network, and navigate to Security & SD-WAN > Configure > Site-to-site VPN.

  4. For Type, select Hub (Mesh).


  5. Under VPN settings, enable the VLAN(s) you want to use for the tunnel. NOTE: You can create a new VLAN in the Addressing & VLANs menu.


  6. Finally, in the Non-Meraki VPN peer section, click Add a peer.


  7. Name your peer and select IKEv2.


  8. NOTE: Meraki MX does not support stateful failover to a secondary tunnel, so only the primary data center is configured here. Enter the IP address and tunnel identity associated with the primary data center. Also enter the passphrase you configured in CSA.


  9. For routing, select Static. Under subnets, if you want to use SIA (Secure Internet Access) and SPA (Secure Private Access), use 0.0.0.0/0. If you only want to use RAVPN, enter every subnet used by the CSA infrastructure: 100.64.0.0/10 plus the VPN User and Management IP Pools configured in CSA. Any pool you leave out will not be routed into the tunnel.


  10. For availability, enter the network tag created earlier.


  11. Under IPsec policy, use the Umbrella preset.


  12. Finally, click Add and Save!
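The peer you just built in the dashboard can also be expressed as the JSON body the Meraki Dashboard API v1 takes for `PUT /organizations/{organizationId}/appliance/vpn/thirdPartyVPNPeers`, which is handy for checking the settings from steps 7 through 11 before they go live or for reviewing them later. The following is an added example, not Meraki's or Cisco's code: the field names follow the public API documentation as I know it and should be treated as assumptions (in particular which of `localId`/`remoteId` carries the CSA Tunnel ID versus the data center identity), and every address, pool and name below is a constructed placeholder. The subnet check goes slightly beyond the text by using prefix containment, so a single 0.0.0.0/0 entry satisfies every required range.

```python
"""Build and sanity-check a Meraki non-Meraki VPN peer for a CSA tunnel.

Added example; not Meraki's or Cisco's code. Field names are assumptions
based on the Meraki Dashboard API v1 docs; confirm before sending.
Nothing here talks to the network, it only builds and validates the body.
"""
import ipaddress

# 100.64.0.0/10 is the fixed shared range CSA uses (step 9). The two pools
# are CONSTRUCTED placeholders for the VPN User and Management IP Pools you
# configured in CSA; substitute your own.
CSA_SHARED_RANGE = "100.64.0.0/10"
CSA_USER_POOL = "10.255.0.0/16"   # placeholder
CSA_MGMT_POOL = "10.254.0.0/24"   # placeholder

UMBRELLA_PRESET = "umbrella"      # assumed API key for the "Umbrella" preset


def required_subnets(mode: str, user_pool: str, mgmt_pool: str) -> list[str]:
    """Subnets the peer must carry for the chosen use of the tunnel (step 9)."""
    if mode == "sia_spa":              # internet + private access: send everything
        return ["0.0.0.0/0"]
    if mode == "ravpn":                # remote-access VPN only: CSA ranges and pools
        return [CSA_SHARED_RANGE, user_pool, mgmt_pool]
    raise ValueError(f"unknown mode {mode!r}")


def missing_subnets(configured: list[str], required: list[str]) -> list[str]:
    """Required prefixes not covered by any configured prefix.

    Containment rather than string equality, so 0.0.0.0/0 covers everything.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in configured]
    missing = []
    for r in required:
        want = ipaddress.ip_network(r, strict=False)
        if not any(want.subnet_of(n) for n in nets):
            missing.append(r)
    return missing


def build_peer(name, public_ip, tunnel_id, dc_identity, passphrase, network_tag, subnets):
    """JSON body for one third-party VPN peer: the CSA primary data center.

    tunnel_id   -> CSA Tunnel ID (step 4 of the CSA section); assumed localId
    dc_identity -> tunnel identity of the primary data center (step 8); assumed remoteId
    """
    return {
        "name": name,
        "publicIp": public_ip,
        "localId": tunnel_id,
        "remoteId": dc_identity,
        "secret": passphrase,             # CSA passphrase; keep out of source control
        "ikeVersion": "2",                # step 7: IKEv2
        "ipsecPoliciesPreset": UMBRELLA_PRESET,   # step 11
        "privateSubnets": subnets,        # step 9
        "networkTags": [network_tag],     # step 10: availability by tag
    }


def check_peer(peer, mode, user_pool, mgmt_pool) -> list[str]:
    """Return a list of problems; an empty list means the peer matches the steps."""
    problems = []
    if peer.get("ikeVersion") != "2":
        problems.append("IKEv1 selected; the CSA tunnel expects IKEv2")
    if peer.get("ipsecPoliciesPreset") != UMBRELLA_PRESET:
        problems.append("IPsec policy is not the Umbrella preset")
    if not peer.get("networkTags"):
        problems.append("no network tag; the peer will not apply to the MX network")
    if not peer.get("secret"):
        problems.append("empty pre-shared key")
    required = required_subnets(mode, user_pool, mgmt_pool)
    for m in missing_subnets(peer.get("privateSubnets", []), required):
        problems.append(f"subnet {m} is not routed to CSA")
    return problems


if __name__ == "__main__":
    # Constructed values only; nothing is sent anywhere.
    peer = build_peer("csa-branch01", "203.0.113.10", "branch01@example-tunnel-id",
                      "dc-identity-placeholder", "PLACEHOLDER-PASSPHRASE",
                      "csa-branch01", required_subnets("ravpn", CSA_USER_POOL, CSA_MGMT_POOL))
    print(check_peer(peer, "ravpn", CSA_USER_POOL, CSA_MGMT_POOL) or "peer looks consistent")
```

Running `check_peer` over the body before an API call (or over the body read back with the matching GET) catches the two mistakes that are easiest to make in the dashboard: leaving a CSA pool out of the static subnets in RAVPN-only mode, and saving the peer without the network tag so it never attaches to the MX.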

Verification

  1. In Cisco Secure Access, the tunnel group will move from Disconnected status to Warning. It can take a couple of minutes. NOTE: The network tunnel group will never move from Warning status to Connected status, because there is no secondary tunnel connected. The primary should be connected.


  2. In Meraki, use the ping tool from an enabled VLAN.
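For ongoing checks rather than a one-off ping, the same verification can be read from the Meraki side through `GET /organizations/{organizationId}/appliance/vpn/statuses`, which reports reachability per third-party peer. The snippet below is an added example, not Cisco's or Meraki's code: `SAMPLE_VPN_STATUSES` is a constructed response whose shape is assumed from the Dashboard API v1 documentation, and the CSA tunnel group status is modelled as the plain status string the CSA page shows. It encodes the caveat from step 1 above: with only a primary tunnel, Warning is the expected steady state, not a failure.

```python
"""Evaluate tunnel health from a Meraki VPN status response and a CSA status.

Added example; the response shape below is CONSTRUCTED to match the Meraki
Dashboard API v1 statuses endpoint as documented (an assumption), and the
addresses and names are placeholders.
"""

# Constructed sample: one MX network with the CSA peer configured earlier.
SAMPLE_VPN_STATUSES = [
    {
        "networkId": "N_placeholder",
        "networkName": "Branch-01",
        "vpnMode": "hub",
        "exportedSubnets": [{"subnet": "10.10.50.0/24", "name": "CSA-VLAN"}],
        "thirdPartyVpnPeers": [
            {"name": "csa-branch01", "publicIp": "203.0.113.10", "reachability": "reachable"},
        ],
    },
]


def _network(statuses, network_name):
    """Find the status record for one MX network, or None."""
    return next((s for s in statuses if s.get("networkName") == network_name), None)


def peer_reachable(statuses, network_name, peer_name) -> bool:
    """True when the named non-Meraki peer is reported reachable by the MX."""
    net = _network(statuses, network_name)
    if net is None:
        return False
    return any(p.get("name") == peer_name and p.get("reachability") == "reachable"
               for p in net.get("thirdPartyVpnPeers", []))


def vlan_exported(statuses, network_name, cidr) -> bool:
    """True when the VLAN enabled under VPN settings (step 5) is advertised into the VPN."""
    net = _network(statuses, network_name)
    if net is None:
        return False
    return any(s.get("subnet") == cidr for s in net.get("exportedSubnets", []))


def csa_status_ok(csa_status: str, secondary_configured: bool) -> bool:
    """Connected needs both tunnels; with a single tunnel (Meraki MX), Warning is the expected state."""
    if secondary_configured:
        return csa_status == "Connected"
    return csa_status in ("Connected", "Warning")


def tunnel_health(statuses, csa_status, network_name, peer_name, vlan_cidr,
                  secondary_configured=False) -> dict:
    """Combine the three checks into one report a monitor can alert on."""
    checks = {
        "mx_peer_reachable": peer_reachable(statuses, network_name, peer_name),
        "vlan_exported": vlan_exported(statuses, network_name, vlan_cidr),
        "csa_status_ok": csa_status_ok(csa_status, secondary_configured),
    }
    checks["healthy"] = all(checks.values())
    return checks


if __name__ == "__main__":
    print(tunnel_health(SAMPLE_VPN_STATUSES, "Warning", "Branch-01", "csa-branch01", "10.10.50.0/24"))
```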

Conclusion

I hope that by following these straightforward configuration steps, you can successfully implement secure IPsec tunnels between Meraki MX devices and Cisco Secure Access, creating a powerful hybrid security architecture that extends protection across distributed environments while maintaining centralized management capabilities.

Please reach out if you have any questions or comments!