Cisco ASA to Azure VPN Issues - PolicyBased

Clthompson03
Level 1

Hello,

I'm more from the Microsoft Azure side of the fence. I understand that Cisco ASA only supports Policy-Based VPN tunnels so Azure has to use the less functional gateway to have a Site-to-Site VPN to an on-prem ASA.

This causes huge compatibility issues on features in Azure without being able to use a Route-Based VPN gateway. Is there a Cisco appliance that is an 'upgraded version' of the Cisco ASA that has the same functionality but supports this?

I saw Cisco ASR and ISR, but these are functionally different than an ASA to my understanding?

Thanks!

Accepted Solution

Philip D'Ath
VIP Alumni

It may be easier to put a Cisco router in beside your firewall if you need greater capabilities.

If you need less than about 150Mb/s of throughput a Cisco 897 is quite a cheap option.  You would need to position the Cisco ISR router (such as the 897) so that it has a public IP address on its outside interface (unless you like to have a lot of grief).  Sometimes it is easier to just run in a separate Internet connection to the 897.

http://www.cisco.com/c/en/us/products/collateral/routers/800-series-routers/data_sheet_c78-519930.html

In version 9.7 of the ASA software (which is bleeding edge new) support for VTI tunnels has been added.  This may solve your problem - but heed my warning - this is bleeding edge new code.

Search for the text "VTI" at this URL to find out more.

http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces.

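The VTI feature the accepted answer describes, shown as an added configuration example that is not part of the thread or of Cisco's documentation. It assumes ASA 9.8 or later (9.7 introduced VTI with IKEv1 only; Azure route-based gateways negotiate IKEv2, which VTI gained in 9.8), an outside interface named "outside", an Azure VPN gateway public address of 203.0.113.10, an Azure VNet of 10.10.0.0/16 and a tunnel link address of 169.254.21.1/30; all of these values are placeholders.

```cisco
! Added example, not from the thread: ASA 9.8+ route-based (VTI) IKEv2 tunnel to Azure.
! Assumed placeholders: peer 203.0.113.10, VNet 10.10.0.0/16, tunnel link 169.254.21.1/30.

! Phase 1: AES-256 / SHA-256 / DH group 14, matching a custom Azure IKE policy.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable outside

! Phase 2 proposal and the IPsec profile that the tunnel interface references.
crypto ipsec ikev2 ipsec-proposal AZURE-ESP
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto ipsec profile AZURE-PROFILE
 set ikev2 ipsec-proposal AZURE-ESP
 set pfs group14
 set security-association lifetime seconds 27000

group-policy AZURE-GP internal
group-policy AZURE-GP attributes
 vpn-tunnel-protocol ikev2

! The tunnel-group is keyed by the Azure gateway's public IP; replace <psk> with the
! shared key configured on the Azure connection (keep it out of version control).
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy AZURE-GP
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk>
 ikev2 local-authentication pre-shared-key <psk>

! The VTI itself: no crypto map and no crypto ACL. ASA requires an IP address on the
! tunnel interface; Azure does not configure one on its side, so a 169.254.x.x/30 is used.
interface Tunnel1
 nameif AZURE
 ip address 169.254.21.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZURE-PROFILE

! Routing decides what enters the tunnel. The next hop is the unused address of the /30.
route AZURE 10.10.0.0 255.255.0.0 169.254.21.2 1
```

Because the tunnel is selected by routing rather than by a crypto ACL, the Azure side can be a plain route-based gateway with the default (any-to-any) traffic selectors; the Phase 2 selectors become 0.0.0.0/0 on both ends, so a mismatch of interesting-traffic definitions cannot keep Phase 2 down. Verify with `show crypto ikev2 sa` and `show interface Tunnel1` after applying.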

11 Replies


Thanks! This was very helpful!!

There is no issue setting up a site-to-site VPN between Azure and an ASA.  A client of mine has one set up and there are no issues with it.  I believe that Azure also puts out an ASA config script once you configure the Azure side of the VPN.

Petenetlive.com has a good walkthrough on setting this up.

http://www.petenetlive.com/KB/Article/0001166

--

Please remember to select a correct answer and rate helpful posts


Azure offers two modes of building VPNs.  One they call "routed", which uses a tunnel (which you can only build to a router), and the other they call "policy based", which is a standard IPsec VPN (which you use to ASAs).

The issue is when you choose the policy based option in Azure it disables lots of networking options on the Azure side.

Hello Experts,

Has anyone configured a route-based VPN to Azure from an ASA 5525-X? I'm running version 9.6 on the ASA. I have applied the configuration from the route-based guides I found; Phase 1 comes up but Phase 2 does not.

I appreciate your comments.

Regards

I had the same issue with route based. No Phase 2. Couldn't get IKE v2 either.

Having exhausted all my troubleshooting options, I had to escalate to Cisco the question of why Phase 2 would not come up when all the configuration was correct.
They commented that version 9.6, which I was running on the ASA 5525-X, does not support route-based VPN, and explained that you have to upgrade to version 9.8.

Once the upgrade was done, it worked without problems; Phase 1 and Phase 2 of the VPN I have with Azure come up.

I hope it helps everyone!

Regards.

Carlos P

For anyone who may stumble across this community post like I did, here is what I had to do to get an Azure VPN Gateway set up with a Site2Site IPsec tunnel to an ASA appliance.

Set up your Azure Virtual Network Gateway. When setting up the IKE policies, make sure you have the ASA side of the connection dictate the appropriate IPsec integrity, PFS, group types etc., as Azure will likely support more options than the ASA will, depending on the ASA firmware level.

Remember to have your Local Network Gateway defined. The LNG defines the network on the remote end of the VPN. So in this case, if you were connecting to the 1.1.1.1 public IP with a private subnet range of 192.168.111.0/24, you would specify this information in the LNG resource.

Now that you have your VNG and LNG created, you will set up your Site2Site connection, define your IKE policies and set your PSK. The most important thing to enable is "Use Policy Based Traffic Selectors". This must be turned on, with local and remote networks specified once more. This will allow Azure to present a valid traffic policy to the ASA, which will then allow the tunnel to connect and route properly.

DualehFarah5284
Level 1

Hi,

I have set up a route-based VPN between Cisco ASA and Azure; both Phase 1 and Phase 2 are raised and the tunnel is up, but my problem is that the tunnel keeps going idle or disconnecting every couple of hours. From the Cisco ASA side the tunnel is showing up and the Azure side is showing connected, but if I ping from Azure to my on-prem PC, the ping times out. Every time this happens I need to reset the connection from the Azure side, and everything works again. Can someone help me or advise me if they have seen this kind of behavior?

I'm encountering the same issue after recently upgrading to ASA Version 9.20(3)7. I have IPSec tunnels configured between the ASA and Azure Virtual Network Gateways (VNG).

Before the upgrade, the IPSec tunnels were established successfully and remained online. Even if the tunnel went idle, a network request would rebuild the IPSec tunnel without any issues. However, since the upgrade, while the route-based VNG tunnel builds successfully with the ASA, the IPSec tunnel no longer rebuilds after idle time or stops passing traffic altogether until a reset is performed on the Azure side.

I'm looking for a solution to this problem. Any suggestions?

For the ASA, it needs to be a policy-based VPN connection and not route-based. Make sure you have a Local Network Gateway on the Azure side configured with the public WAN IP and the private subnet ranges of the ASA side of the network. I am using SKU VPNGW2AZ. It is important to turn on Use Custom Traffic Selectors and define local and remote address ranges. For my IKEv2 settings I am using the Custom option, not the default: IKE Phase 1 AES256, SHA1, DHGROUP2 and IKE Phase 2 AES256, SHA256, PFS2; of course these settings and the defined networks/subnets/ranges need to be available and match exactly on the ASA-side policy.
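The Azure-side procedure described in the two posts above (LNG, connection, custom IKE/IPsec policy, policy-based traffic selectors) as an added Azure CLI script; it is an example written for this page, not a script from the thread or from Microsoft. The resource group, region, gateway and connection names are assumed placeholders, the VNet gateway is assumed to already exist, and the pre-shared key is read from the environment rather than written into the script. The policy uses AES-256/SHA-256/DH group 14 and PFS14 rather than the SHA1/DH group 2 combination mentioned in the post above; both are accepted by Azure, but the former is what a current ASA release negotiates without weak primitives.

```shell
#!/bin/sh
# Added example, not code from the thread: Azure CLI steps for a policy-based
# site-to-site connection to an on-prem ASA. All names, IPs and prefixes are
# assumed placeholders; the VNet gateway ($VNG) is assumed to exist already.
set -eu

RG="rg-hybrid"                    # resource group (assumed)
LOCATION="eastus"                 # region (assumed)
VNG="vng-hub"                     # existing Azure virtual network gateway (assumed)
LNG="lng-onprem-asa"              # local network gateway describing the ASA side
CONN="cn-asa-s2s"                 # the site-to-site connection
ASA_PUBLIC_IP="1.1.1.1"           # ASA outside address, as in the earlier post
ONPREM_PREFIX="192.168.111.0/24"  # on-prem subnet behind the ASA, as in the earlier post
PSK="${AZURE_VPN_PSK:-}"          # pre-shared key comes from the environment, never the script

# Print each command with the PSK masked, then execute it unless DRY_RUN=1.
run() {
  shown=""
  for a in "$@"; do
    if [ -n "$PSK" ] && [ "$a" = "$PSK" ]; then a='<redacted>'; fi
    shown="$shown $a"
  done
  printf '+%s\n' "$shown" >&2
  if [ "${DRY_RUN:-0}" != 1 ]; then "$@"; fi
}

# LNG: the ASA's public IP plus the private prefixes reachable behind it.
create_local_gateway() {
  run az network local-gateway create -g "$RG" -n "$LNG" --location "$LOCATION" \
    --gateway-ip-address "$ASA_PUBLIC_IP" --local-address-prefixes "$ONPREM_PREFIX"
}

# The IPsec connection between the VNG and the LNG, authenticated by the PSK.
create_connection() {
  run az network vpn-connection create -g "$RG" -n "$CONN" --location "$LOCATION" \
    --vnet-gateway1 "$VNG" --local-gateway2 "$LNG" --shared-key "$PSK"
}

# Custom IKE/IPsec policy so the ASA, not Azure's wider default proposal set,
# dictates what is negotiated. Lifetimes are in seconds and kilobytes.
set_ipsec_policy() {
  run az network vpn-connection ipsec-policy add -g "$RG" --connection-name "$CONN" \
    --ike-encryption AES256 --ike-integrity SHA256 --dh-group DHGroup14 \
    --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group PFS14 \
    --sa-lifetime 27000 --sa-max-size 102400000
}

# Policy-based traffic selectors: Azure then proposes the VNet and LNG prefixes
# as the Phase 2 selectors, which is what the ASA's crypto-map ACL expects.
enable_policy_based_selectors() {
  run az network vpn-connection update -g "$RG" -n "$CONN" \
    --use-policy-based-traffic-selectors true
}

main() {
  [ -n "$PSK" ] || { echo "AZURE_VPN_PSK is not set" >&2; return 1; }
  create_local_gateway
  create_connection
  set_ipsec_policy
  enable_policy_based_selectors
}

# Only applies changes when invoked as: AZURE_VPN_PSK=... sh azure-s2s.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

Run with `DRY_RUN=1 AZURE_VPN_PSK=x sh azure-s2s.sh apply` first to review the exact commands (the key is masked in that output), then without `DRY_RUN`. The order matters: the custom policy is attached before policy-based selectors are enabled, because Azure only honours the selector flag together with a custom IPsec/IKE policy. On the ASA the crypto-map ACL must then name exactly the same prefixes as the LNG and VNet address spaces, otherwise Phase 1 completes but Phase 2 is rejected with a selector mismatch.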
