topic ASAV In Azure in Network Security

ASAV In Azure

amaresh_22jan — Fri, 21 Feb 2020 15:34:21 GMT

Hi All,

Need to configure site to site VPN in ASAV HA in azure.It will helpful if anyone can share the doc.

Rightnow HA is working fine in ASAV.

Re: ASAV In Azure

Mohammed al Baqari — Wed, 28 Mar 2018 09:57:07 GMT

What is stopping your here. VPN in ASAv same as VPN in ASA appliance.

Re: ASAV In Azure

amaresh_22jan — Wed, 28 Mar 2018 11:04:39 GMT

Thanks for your response.

Since there are two Firewall , What will be the peer IP ?

Do I require to configure on both the firewall.

Re: ASAV In Azure

Mohammed al Baqari — Wed, 28 Mar 2018 18:35:36 GMT

No. ASA Failover will maintain same IP on active firewall

Re: ASAV In Azure

amaresh_22jan — Thu, 29 Mar 2018 06:00:40 GMT

Thanks for the update.

As of now both the firewall (Active and standby ) has the public IP.

On which IP the VPN needs to configured.

Re: ASAV In Azure

Mohammed al Baqari — Fri, 30 Mar 2018 02:37:20 GMT

On the other end, you should point to the active asa IP. This IP will be
retained whether the active unit is primary or secondary

Re: ASAV In Azure

amaresh_22jan — Fri, 30 Mar 2018 09:22:53 GMT

I have gone through some doc it clearly indicates the config of primary doesn't get sync to secondary .

So is it required to carry out the config on both the firewall.

Re: ASAV In Azure

Mohammed al Baqari — Fri, 30 Mar 2018 09:51:07 GMT

That's isn't correct. I have two ASAv active in front of me now and config
synced. Can you share the link to the doc

Re: ASAV In Azure

amaresh_22jan — Fri, 30 Mar 2018 13:22:15 GMT

Before You Begin
• Configure these settings in the system execution space in single context mode.
• Configure these settings on both the primary and secondary units. There is no synching of configuration
from the primary unit to the secondary unit.
• Have your Azure environment information available, including your Azure Subscription ID and Azure
authentication credentials for the Service Principal.
Procedure

Re: ASAV In Azure

amaresh_22jan — Mon, 02 Apr 2018 07:24:27 GMT

Hi ,

Request to validate the Doc .Let me know whether the doc is correct one.

Re: ASAV In Azure

Shocksmith — Mon, 06 Aug 2018 18:05:15 GMT

Old thread I know, but the peer IP will be the Front End load balancer IP. Create load balancer rules for ports UDP/500 IKE and 4500/NAT-T. The traffic will then be delivered to the active ASA. I have this configuration working. Use port 44441 for the health probe for the rules, if you have configured the load balancer probe as follows:

failover cloud port probe 44441 interface management

With reference to the syncing of configurations, I don't think this is possible in Azure as the IP configurations are different on each device for the different ASAv interfaces.

Re: ASAV In Azure

abushayeed.anwarali — Mon, 17 Dec 2018 05:56:09 GMT

Smith,

As of now we are using Secondary IP concept to configure multiple Public IP address for various purposes. In case of Active ASAv goes down we are migrating the public IP to back up. This would be very helpful if you share us with the Config for the load balancer concept.

Could you please let us know are you using the Azure External load balancer (ELB)?

In case if we are going to use the ELB whether can we move all the Public IP address to the ELB and point out to the Management Interfaces of ASAv HA.?

Please share the working Config with us

Re: ASAV In Azure

Shocksmith — Mon, 17 Dec 2018 10:03:08 GMT

We are using the ASAv in an HA configuration with an Azure Load Balancer. My solution is on this thread:

https://community.cisco.com/t5/firewalls/static-nat-in-azure-asav/td-p/3360353

Re: ASAV In Azure

abushayeed.anwarali — Mon, 17 Dec 2018 10:30:52 GMT

Thank you very much for your reply.

I have few questions.

Did you mapped any public IP to the Management Interface of both ASAv. And for General Internet access (PAT over interface) how did you configure it.

Is it also through Azure load balancer or you had assigned the public IP to the Management interface

Re: ASAV In Azure

Shocksmith — Mon, 17 Dec 2018 11:00:21 GMT

We added a new frontend IP on the Azure load balancer, and then created a load balanced rule that translates the incoming port on the new public IP on the load balancer e.g. SSL 443 to a port of our choosing on the backend pool (the 2 HA ASAvs) e.g. 6555. We then set up nat through the management interface for the internal server on each ASAv in the HA Pair:

object network internal-web-server

host internal_IP_of_web_server

nat (inside,management) static interface service tcp https 6555

The traffic then comes into the new LB IP on port 443 gets translated to port 6555 on the management interface of the active ASAv in the pair which then translates it back to port 443 on the internal web server. In this way you can have multiple public IP addresses on the azure load balancer each routing back through to different internal hosts behind the ASAvs via different ports.

This allows you to use different public IPs on the Azure Load balancer for different internal hosts behind the ASAvs. There is no way that I have found to NAT multiple public IPs directly to the Management interface. This is because the health probes are not supported on secondary IP addresses assigned to the ASAv NICs through the Azure load balancer according the the Cisco documentation. We tried this and it didn't work. It is a shame this is the case. Instead we came up with the workaround above.

Re: ASAV In Azure

abushayeed.anwarali — Mon, 17 Dec 2018 11:11:38 GMT

Did you try the PAT concept using the Azure load Balancer and ASAv or did you have any idea of that

Re: ASAV In Azure

abushayeed.anwarali — Mon, 17 Dec 2018 11:13:53 GMT

Did you tried or configured PAT concept between ASAv and Azure Load Balancer. If yes please share your idea on that too.