Cisco ASA to Azure VPN Issues - PolicyBased

Clthompson03 (Level 1)

Hello,

I'm more from the Microsoft Azure side of the fence. I understand that Cisco ASA only supports Policy-Based VPN tunnels so Azure has to use the less functional gateway to have a Site-to-Site VPN to an on-prem ASA.

This causes huge compatibility issues on features in Azure without being able to use a Route-Based VPN gateway. Is there a Cisco appliance that is an 'upgraded version' of the Cisco ASA that has the same functionality but supports this?

I saw Cisco ASR and ISR, but these are functionally different than an ASA to my understanding?

Thanks!

Accepted Solution

Philip D'Ath (VIP Alumni)

It may be easier to put a Cisco router in beside your firewall if you need greater capabilities.

If you need less than about 150Mb/s of throughput a Cisco 897 is quite a cheap option.  You would need to position the Cisco ISR router (such as the 897) so that it has a public IP address on its outside interface (unless you like to have a lot of grief).  Sometimes it is easier to just run in a separate Internet connection to the 897.

http://www.cisco.com/c/en/us/products/collateral/routers/800-series-routers/data_sheet_c78-519930.html

In version 9.7 of the ASA software (which is bleeding edge new) support for VTI tunnels has been added. This may solve your problem - but heed my warning - this is bleeding edge new code.

Search for the text "VTI" at this URL to find out more.

http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces.


9 Replies


Thanks! This was very helpful!!

There is no issue setting up a site-to-site VPN between Azure and an ASA. A client of mine has one set up and there are no issues with it. I believe that Azure also puts out an ASA config script once you configure the Azure side of the VPN.

Petenetlive.com has a good walkthrough on setting this up.

http://www.petenetlive.com/KB/Article/0001166

--

Please remember to select a correct answer and rate helpful posts


Azure offers two modes of building VPNs.  One they called "routed" which uses a tunnel (which you can only build to a router) and the other they call "policy based" which is a standard IPSec VPN (which you use to ASAs).

The issue is when you choose the policy based option in Azure it disables lots of networking options on the Azure side.

Hello Experts
Has someone configured a route-based VPN with Azure from an ASA 5525-X? I'm running version 9.6 on the ASA.
I have applied the configuration based on the route-based guides I found; Phase 1 comes up but Phase 2 does not.

I appreciate your comments.
Regards

I had the same issue with route based. No Phase 2. Couldn't get IKE v2 either.

After exhausting all my troubleshooting options, I had to escalate the problem to Cisco to find out why Phase 2 did not come up when all the configuration was fine.
I was told that version 9.6, which I had running on the ASA 5525-X, does not support route-based VPN, and that an upgrade to version 9.8 is required.

Once the upgrade was done, it worked without problems: Phase 1 and Phase 2 of the VPN I have with Azure come up.

I hope it helps everyone!
Regards.

Carlos P

For someone who may stumble across this community post like I did, here is what I had to do to get an Azure VPN Gateway set up with a Site2Site IPSec tunnel to an ASA appliance.

Set up your Azure Virtual Network Gateway. When setting up the IKE policies, make sure you have the ASA side of the connection dictate the appropriate IPSec integrity, PFS, group types etc., as Azure will likely support more options than the ASA will, depending on the ASA firmware level.

Remember to have your Local Network Gateway defined. The LNG defines the network on remote end of the VPN. So in this case if you were connecting to 1.1.1.1 public IP with a private subnet range of 192.168.111.0/24 you would specify this information in the LNG resource.

Now that you have your VNG and LNG created you will setup your Site2Site connection and define your IKE policies and set your PSK. The most important thing to enable is the "Use Policy Based Traffic Selectors". This must be turned on with local and remote networks specified once more. This will allow Azure to present a valid traffic policy to the ASA which will then allow the tunnel to connect and route properly.
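The same three-step procedure as an added Az PowerShell example (not code from the post or from Microsoft): resource names, the location and the PSK are constructed placeholders, the 1.1.1.1 / 192.168.111.0/24 on-prem values are the ones used above, and it assumes an authenticated Az session and an existing VNet that already contains a GatewaySubnet.

```powershell
# Added example (not from the thread): Azure side of the procedure above.
# Resource names, location and the PSK are placeholders.
$rg  = 'rg-vpn-example'
$loc = 'eastus'

# Step 1: route-based VNG. "Use Policy Based Traffic Selectors" is a setting of
# the connection, so the gateway itself stays RouteBased.
$vnet   = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$gwSub  = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$pip    = New-AzPublicIpAddress -Name 'pip-vng' -ResourceGroupName $rg -Location $loc `
            -AllocationMethod Static -Sku Standard
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'vng-ipconf' -SubnetId $gwSub.Id `
            -PublicIpAddressId $pip.Id
$vng    = New-AzVirtualNetworkGateway -Name 'vng-hub' -ResourceGroupName $rg -Location $loc `
            -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Step 2: LNG = the ASA's public IP and the on-prem prefix behind it.
$lng = New-AzLocalNetworkGateway -Name 'lng-asa' -ResourceGroupName $rg -Location $loc `
         -GatewayIpAddress '1.1.1.1' -AddressPrefix '192.168.111.0/24'

# Step 3: pin IKE/IPsec parameters to what the ASA firmware supports (these
# values are placeholder choices). Azure requires an explicit IPsec/IKE policy
# on the connection when policy-based traffic selectors are enabled.
$ipsecPol = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
              -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
              -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

New-AzVirtualNetworkGatewayConnection -Name 'cn-asa' -ResourceGroupName $rg -Location $loc `
  -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -ConnectionType IPsec `
  -SharedKey 'REPLACE_WITH_PSK' -IpsecPolicies $ipsecPol -UsePolicyBasedTrafficSelectors $true
```

With policy-based traffic selectors on, the ASA keeps its ordinary crypto-map configuration: the local and remote networks in the ACL must mirror the VNet address space and the LNG prefix, or the proposed traffic selectors will not match and Phase 2 will fail.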

DualehFarah5284 (Level 1)

Hi,

I have set up a route-based VPN between Cisco ASA and Azure; both phases 1 and 2 are raised, and the tunnel is up, but my problem is that the tunnel keeps going idle or disconnecting every couple of hours. From the Cisco ASA side, the tunnel is showing up and the Azure side is showing connected, but if I ping from Azure to my on-prem PC, the ping times out. Every time this happens, I need to reset the connection from the Azure side, and everything works again. Can someone help me or advise me if they have seen this kind of behavior?