topic Configuring site to site VPN from FTD to Azure in Network Security

Configuring site to site VPN from FTD to Azure

raulgomez101 — Fri, 21 Feb 2020 15:30:56 GMT

Hi,

I am familiar with ASA but not with FTD. I have setup a policy-based (IKEv1) tunnel with Azure but now I want to set up a Route-Based tunnel with Azure.

By mistake or luck, I ordered an ASA-5506-FTD-K9 firewall. I wondered if somebody has managed to create a S2S tunnel between this device and Azure.

Now, regular tunnels are policy based and easy to configure. Route based, require a custom config on the Azure side. It requires to enable Traffic Selectors:

Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -UsePolicyBasedTrafficSelectors $True

I am using the ASA configuration as guidance from the URL:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-cisco-asa

But I am wondering if you have managed to make this work for your company. Any help could be appreciated.

Thanks,

Re: Configuring site to site VPN from FTD to Azure

Francesco Molino — Thu, 15 Mar 2018 04:10:42 GMT

Hi

On your asa and/or FTD it's standard L2L vpn not route base based on documentation.
I never did with azure but lot of vpn with AWS. They're working good. With azure is the same.

The configuration on FMC is straight. With FDM (local ftd management), it's straight but did only once. All my customers are taking FMC (cheap for 2 FTD) because you have limitations with FDM.

You have a wizard that you can follow and you'll be able to create your ikev2 policies during wizard.
Or you can create it manually going to object management and create your ikev2 policies.

Re: Configuring site to site VPN from FTD to Azure

raulgomez101 — Fri, 16 Mar 2018 16:48:25 GMT

Thank you Francesco. I opened a TAC Case and the Engineer told me the trick is in the Azure part. If I set the TrafficSelectors option I could use policy-based configurations with a route-based gateway.

I will do a couple of test and I will update this discussion with my results.

Thanks for replying.

Re: Configuring site to site VPN from FTD to Azure

Francesco Molino — Sun, 18 Mar 2018 04:06:17 GMT

Ok thanks

Re: Configuring site to site VPN from FTD to Azure

raulgomez101 — Fri, 11 May 2018 18:49:52 GMT

Just wanted to provide an update.

Similar to Francesco, I created a IKEv1 tunnel to one of my branch offices but not directly to Azure. I think it will be possible. I don't see why not. The only caveats is that you need to customize your local gateway in Azure with powershell scripts.

To customize the local gateway, you need to use the UsePolicyBasedTrafficSelectors $True.

FMC was out of the question for me because the Firewall is located in the branch office, and it's not a good idea to manage your Firewall using the outside interface.

I find this FTD firewalls lacking of several features. I hit a bug and couldn't even manage the Firewall using the inside interface via the VPN Tunnel.

But yes, it is possible to create an IKEv2 Tunnel to Azure using the FTD and customizing the Azure gateway via powershell.

Thanks,

Re: Configuring site to site VPN from FTD to Azure

Francesco Molino — Fri, 11 May 2018 20:31:32 GMT

Thanks for the update.