Problem Establishing VPN Cisco ASA against Azure

Hello,

We are having problems establishing an L2L VPN against Azure. The tunnel comes up successfully at phase 1 and phase 2. These are the details:

Azure Network: 192.168.69.0/24

Azure Gateway: 192.168.70.0/24

Local Networks:

192.168.100.0/24

192.168.68.0/24

And this is my config on the ASA:

crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac

crypto map VPNsZAL 45 match address azure-vpn-acl
crypto map VPNsZAL 45 set peer 13.94.234.139
crypto map VPNsZAL 45 set ikev1 transform-set azure-ipsec-proposal-set
crypto map VPNsZAL 45 set security-association lifetime seconds 3600
crypto map VPNsZAL 45 set security-association lifetime kilobytes 102400000

crypto map VPNsZAL interface outside

tunnel-group 13.94.234.139 type ipsec-l2l
tunnel-group 13.94.234.139 ipsec-attributes
 ikev1 pre-shared-key *****

access-list azure-vpn-acl extended permit ip object-group zal-networks object-group azure-networks

object-group network azure-networks
 network-object 192.168.69.0 255.255.255.0
 network-object 192.168.70.0 255.255.255.0
object-group network zal-networks
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.68.0 255.255.255.0

nat (inside,outside) source static zal-networks zal-networks destination static azure-networks azure-networks

S* 0.0.0.0 0.0.0.0 [1/0] via 212.31.45.1, outside
S 10.120.0.0 255.255.252.0 [1/0] via 192.168.100.1, inside
C 10.255.255.0 255.255.255.0 is directly connected, LANFAIL
L 10.255.255.1 255.255.255.255 is directly connected, LANFAIL
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.100.1, inside
S 192.168.69.0 255.255.255.0 [1/0] via 13.94.234.139, outside
S 192.168.70.0 255.255.255.0 [1/0] via 13.94.234.139, outside

I had to create the routes to the Azure networks because we have a 192.168.0.0/16 route through inside, and that overlaps the Azure tunnel ranges.

I see that the ACL matches traffic:

access-list azure-vpn-acl line 1 extended permit ip object-group zal-networks object-group azure-networks (hitcnt=710) 0xb6e5e4b5
  access-list azure-vpn-acl line 1 extended permit ip 192.168.100.0 255.255.255.0 192.168.69.0 255.255.255.0 (hitcnt=710) 0xbe330afa
  access-list azure-vpn-acl line 1 extended permit ip 192.168.68.0 255.255.255.0 192.168.69.0 255.255.255.0 (hitcnt=702) 0xd22c02dd
  access-list azure-vpn-acl line 1 extended permit ip 192.168.100.0 255.255.255.0 192.168.70.0 255.255.255.0 (hitcnt=72) 0xc9e149b2
  access-list azure-vpn-acl line 1 extended permit ip 192.168.68.0 255.255.255.0 192.168.70.0 255.255.255.0 (hitcnt=664) 0x4003880a

And from the ICMP trace debug when I did tests, I saw the Azure virtual networks reaching me:

ICMP echo request from outside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4
ICMP echo request from outside:192.168.69.0 to inside:192.168.100.0 ID=1 seq=20778 len=4
ICMP echo request from inside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4
ICMP echo request from inside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4
ICMP echo request from outside:192.168.70.0 to inside:192.168.68.0 ID=1 seq=20779 len=4
ICMP echo request from outside:192.168.70.0 to inside:192.168.100.0 ID=1 seq=20780 len=4
ICMP echo request from inside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4
ICMP echo request from inside:192.168.70.0 to inside:192.168.68.0 ID=1 seq=20779 len=4

The weird thing is that the first packets from Azure come from outside, after that they go through inside, and then I always see the Azure virtual networks coming from inside...

I had a contact who allowed me to connect to one of their machines on Azure and do tests. We saw ICMP was open, so I tried to ping some devices on my local networks and it did not work.

1   IKE Peer: 13.94.234.139
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50

      access-list azure-vpn-acl extended permit ip 192.168.68.0 255.255.255.0 192.168.69.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.31.45.50/0, remote crypto endpt.: 13.94.234.139/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: F6F7BC52
      current inbound spi : 6440C427
              
    inbound esp sas:
      spi: 0x6440C427 (1681966119)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97199999/3523)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000005
    outbound esp sas:
      spi: 0xF6F7BC52 (4143430738)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97200000/3523)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50

      access-list azure-vpn-acl extended permit ip 192.168.68.0 255.255.255.0 192.168.70.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.31.45.50/0, remote crypto endpt.: 13.94.234.139/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 548A0046
      current inbound spi : C3000B47

    inbound esp sas:
      spi: 0xC3000B47 (3271560007)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97199999/3523)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000005
    outbound esp sas:
      spi: 0x548A0046 (1418330182)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97200000/3523)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50

      access-list azure-vpn-acl extended permit ip 192.168.100.0 255.255.255.0 192.168.69.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.31.45.50/0, remote crypto endpt.: 13.94.234.139/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: B7325432
      current inbound spi : B08B5565

    inbound esp sas:
      spi: 0xB08B5565 (2961921381)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97199999/3522)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000005
    outbound esp sas:
      spi: 0xB7325432 (3073528882)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97200000/3522)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50

      access-list azure-vpn-acl extended permit ip 192.168.100.0 255.255.255.0 192.168.70.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139
              

      #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
      #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 41, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.31.45.50/0, remote crypto endpt.: 13.94.234.139/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 52392FA2
      current inbound spi : 3EDB82DD

    inbound esp sas:
      spi: 0x3EDB82DD (1054573277)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97199998/641)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x0007FFFF 0xFFFFFFFD
    outbound esp sas:
      spi: 0x52392FA2 (1379479458)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 85069824, crypto-map: VPNsZAL
         sa timing: remaining key lifetime (kB/sec): (97199997/640)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

I think maybe I have something wrong on my side, or on the Azure side it is being blocked somehow.

Thanks for the help.

Regards
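The two symptoms in the post (SAs that decapsulate but never encapsulate, and Azure source addresses showing up on the inside interface in the ICMP debug) can both be picked out mechanically from the ASA output. The following is an added example, not code from the poster or from Cisco; it parses the `show crypto ipsec sa` and `debug icmp trace` formats shown above, using sample text constructed from those formats, and flags one-way SAs and echo requests whose source lies in a remote VPN network but arrived on an interface other than the expected one. The interface name `outside` and the remote-network list are assumptions taken from the post.

```python
import ipaddress
import re

# Constructed sample, trimmed to the fields used below, in the format of
# `show crypto ipsec sa` on an ASA (values mirror the post).
SA_SAMPLE = """\
Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50

      local ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1

    Crypto map tag: VPNsZAL, seq num: 45, local addr: 212.31.45.50

      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)
      current_peer: 13.94.234.139

      #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
      #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
"""

# Constructed sample in the format of `debug icmp trace` output.
ICMP_SAMPLE = [
    "ICMP echo request from outside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4",
    "ICMP echo request from inside:192.168.69.0 to inside:192.168.68.0 ID=1 seq=20777 len=4",
    "ICMP echo request from outside:192.168.70.0 to inside:192.168.100.0 ID=1 seq=20780 len=4",
    "ICMP echo request from inside:192.168.70.0 to inside:192.168.68.0 ID=1 seq=20779 len=4",
]

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ICMP_RE = re.compile(r"ICMP echo request from (\w+):([\d.]+) to (\w+):([\d.]+)")


def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag' block: local/remote prefix and packet counters."""
    sas = []
    cur = None
    for line in text.splitlines():
        if "Crypto map tag:" in line:
            cur = {"encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = IDENT_RE.search(line)
        if m:
            # Dotted netmask to CIDR so the output is easy to compare with the ACL
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            cur[m.group(1)] = net.with_prefixlen
            continue
        m = COUNT_RE.search(line)
        if m:
            cur[m.group(1)] = int(m.group(2))
    return sas


def classify(sa):
    """Label an SA by traffic direction; encaps is what we sent, decaps what we received."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"
    if sa["encaps"] == 0:
        return "one-way: receiving only"   # remote side reaches us, our replies never enter the tunnel
    if sa["decaps"] == 0:
        return "one-way: sending only"
    return "bidirectional"


def report(text):
    return [(sa.get("local"), sa.get("remote"), classify(sa)) for sa in parse_ipsec_sa(text)]


def misrouted_icmp(lines, remote_nets, expected_iface="outside"):
    """Echo requests sourced from a remote VPN network that did not arrive on the tunnel interface."""
    nets = [ipaddress.ip_network(n) for n in remote_nets]
    hits = []
    for line in lines:
        m = ICMP_RE.search(line)
        if not m:
            continue
        iface, src = m.group(1), ipaddress.ip_address(m.group(2))
        if any(src in n for n in nets) and iface != expected_iface:
            hits.append((iface, str(src)))
    return hits


if __name__ == "__main__":
    for local, remote, verdict in report(SA_SAMPLE):
        print(f"{local} <-> {remote}: {verdict}")
    for iface, src in misrouted_icmp(ICMP_SAMPLE, ["192.168.69.0/24", "192.168.70.0/24"]):
        print(f"remote source {src} seen on interface {iface}")
```

An SA that only decapsulates means the remote side's packets are being decrypted, but nothing from the local side is being selected for that SA; together with remote-network sources appearing on the inside interface, that points at the return path (routing or the interface the reply leaves on) rather than at the IKE or IPsec negotiation, which is the part of the picture the poster's own output already shows as healthy.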

1 REPLY 1
May someone help to identify if there is something wrong on the ASA side?

Thanks,

Aitor