cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3792
Views
0
Helpful
16
Replies

ASAV In Azure

amaresh_22jan
Level 1
Level 1

Hi All,

 

Need to configure site to site VPN in  ASAV HA  in azure.It will helpful if anyone can share the doc.

 

Rightnow  HA is working fine in ASAV. 

16 Replies 16

What is stopping your here. VPN in ASAv same as VPN in ASA appliance.

Thanks for your response.

 

Since there are two Firewall , What will be the peer IP ?

 

Do I require to configure on both the firewall.

 

 

No. ASA Failover will maintain same IP on active firewall

Thanks for the update.

 

As of now both the firewall  (Active and standby ) has the public IP.

 

On which IP the VPN needs to configured. 

On the other end, you should point to the active asa IP. This IP will be
retained whether the active unit is primary or secondary

I have gone through some doc it clearly indicates the config of primary doesn't get sync to secondary .

 

So is it required to carry out the config on both the firewall.

 

 

 

That's isn't correct. I have two ASAv active in front of me now and config
synced. Can you share the link to the doc

 

 

 

 

Before You Begin
• Configure these settings in the system execution space in single context mode.
• Configure these settings on both the primary and secondary units. There is no synching of configuration
from the primary unit to the secondary unit.
• Have your Azure environment information available, including your Azure Subscription ID and Azure
authentication credentials for the Service Principal.
Procedure

Hi ,

 

Request to validate the Doc .Let me know whether the doc is correct one. 

Old thread I know, but the peer IP will be the Front End load balancer IP. Create load balancer rules for ports UDP/500 IKE and 4500/NAT-T. The traffic will then be delivered to the active ASA. I have this configuration working. Use port 44441 for the health probe for the rules, if you have configured the load balancer probe as follows:

 

failover cloud port probe 44441 interface management

 

With reference to the syncing of configurations, I don't think this is possible in Azure as the IP configurations are different on each device for the different ASAv interfaces.

Smith,

 

As of now we are using Secondary IP concept to configure multiple Public IP address for various purposes. In case of Active ASAv goes down we are migrating the public IP to back up. This would be very helpful if you share us with the Config for the load balancer concept.

 

Could you please let us know are you using the Azure External load balancer (ELB)?

In case if we are going to use the ELB whether can we move all the Public IP address to the ELB and point out to the Management Interfaces of ASAv HA.?

Please share  the working Config with us

We are using the ASAv in an HA configuration with an Azure Load Balancer. My solution is on this thread:

 

https://community.cisco.com/t5/firewalls/static-nat-in-azure-asav/td-p/3360353

 

Thank you very much for your reply.

 

I have few questions.

Did you mapped any public IP to the Management Interface of both ASAv. And for General Internet access (PAT over interface) how did you configure it.

Is it also through Azure load balancer or you had assigned the public IP to the Management interface

We added a new frontend IP on the Azure load balancer, and then created a load balanced rule that translates the incoming port on the new public IP on the load balancer e.g. SSL 443 to a port of our choosing on the backend pool (the 2 HA ASAvs) e.g. 6555. We then set up nat through the management interface for the internal server on each ASAv in the HA Pair:

 

object network internal-web-server

host internal_IP_of_web_server

nat (inside,management) static interface service tcp https 6555

 

The traffic then comes into the new LB IP on port 443 gets translated to port 6555 on the management interface of the active ASAv in the pair which then translates it back to port 443 on the internal web server. In this way you can have multiple public IP addresses on the azure load balancer each routing back through to different internal hosts behind the ASAvs via different ports.

 

This allows you to use different public IPs on the Azure Load balancer for different internal hosts behind the ASAvs. There is no way that I have found to NAT multiple public IPs directly to the Management interface. This is because the health probes are not supported on secondary IP addresses assigned to the ASAv NICs through the Azure load balancer according the the Cisco documentation. We tried this and it didn't work. It is a shame this is the case. Instead we came up with the workaround above.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: