Thanks for your response.
Since there are two Firewall , What will be the peer IP ?
Do I require to configure on both the firewall.
Thanks for the update.
As of now both the firewall (Active and standby ) has the public IP.
On which IP the VPN needs to configured.
I have gone through some doc it clearly indicates the config of primary doesn't get sync to secondary .
So is it required to carry out the config on both the firewall.
Before You Begin
• Configure these settings in the system execution space in single context mode.
• Configure these settings on both the primary and secondary units. There is no synching of configuration
from the primary unit to the secondary unit.
• Have your Azure environment information available, including your Azure Subscription ID and Azure
authentication credentials for the Service Principal.
Old thread I know, but the peer IP will be the Front End load balancer IP. Create load balancer rules for ports UDP/500 IKE and 4500/NAT-T. The traffic will then be delivered to the active ASA. I have this configuration working. Use port 44441 for the health probe for the rules, if you have configured the load balancer probe as follows:
failover cloud port probe 44441 interface management
With reference to the syncing of configurations, I don't think this is possible in Azure as the IP configurations are different on each device for the different ASAv interfaces.
As of now we are using Secondary IP concept to configure multiple Public IP address for various purposes. In case of Active ASAv goes down we are migrating the public IP to back up. This would be very helpful if you share us with the Config for the load balancer concept.
Could you please let us know are you using the Azure External load balancer (ELB)?
In case if we are going to use the ELB whether can we move all the Public IP address to the ELB and point out to the Management Interfaces of ASAv HA.?
Please share the working Config with us
We are using the ASAv in an HA configuration with an Azure Load Balancer. My solution is on this thread:
Thank you very much for your reply.
I have few questions.
Did you mapped any public IP to the Management Interface of both ASAv. And for General Internet access (PAT over interface) how did you configure it.
Is it also through Azure load balancer or you had assigned the public IP to the Management interface
We added a new frontend IP on the Azure load balancer, and then created a load balanced rule that translates the incoming port on the new public IP on the load balancer e.g. SSL 443 to a port of our choosing on the backend pool (the 2 HA ASAvs) e.g. 6555. We then set up nat through the management interface for the internal server on each ASAv in the HA Pair:
object network internal-web-server
nat (inside,management) static interface service tcp https 6555
The traffic then comes into the new LB IP on port 443 gets translated to port 6555 on the management interface of the active ASAv in the pair which then translates it back to port 443 on the internal web server. In this way you can have multiple public IP addresses on the azure load balancer each routing back through to different internal hosts behind the ASAvs via different ports.
This allows you to use different public IPs on the Azure Load balancer for different internal hosts behind the ASAvs. There is no way that I have found to NAT multiple public IPs directly to the Management interface. This is because the health probes are not supported on secondary IP addresses assigned to the ASAv NICs through the Azure load balancer according the the Cisco documentation. We tried this and it didn't work. It is a shame this is the case. Instead we came up with the workaround above.