Cisco ASAv in Azure

London12345
Level 1

Hi

I am trying to set up an IPsec VPN from an ASAv in Azure to an on-premises firewall (ASA 5515).

I am pasting the relevant configuration from the ASAv here:

object network OBJ-AZURE-LONDON-247
 subnet 10.247.2.0 255.255.254.0
object network OBJ-LON-ONPREM
 subnet 10.144.0.0 255.255.0.0

access-list OUTSIDE_cryptomap extended permit ip object OBJ-AZURE-LONDON-247 object OBJ-LON-ONPREM

crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES256-SHA512

crypto map VPN-MAP 1 match address OUTSIDE_cryptomap
crypto map VPN-MAP 1 set peer 185.122.16.254
crypto map VPN-MAP interface management

group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev2

tunnel-group 1 type ipsec-l2l
tunnel-group 1 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****


The LAN on the Azure side is a VNET which I have peered with the VNET of the ASA VM.

My understanding is that the public IP of ASAv NIC0 will be translated to the private IP on which the IPsec tunnel will be created, so I haven't configured any IPs on the ASA manually.

fidasr-asav# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Management0/0            management             10.0.0.4        255.255.255.248 DHCP
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Management0/0            management             10.0.0.4        255.255.255.248 DHCP
fidasr-asav#


Not only am I not able to bring the tunnel up, but I am also not able to ping from the ASAv to a VM which is located in another VNET.
fidasr-asav# show route
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
S*       0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, management
C        10.0.0.0 255.255.255.248 is directly connected, management
L        10.0.0.4 255.255.255.255 is directly connected, management

So I am sure I am missing something on the Azure routing side during deployment of the ASAv.
1 Reply

London12345
Level 1

I am actually able to ping the ASAv's internal IP from the VM now since I have created the peering in both VNETs.

But I am still stuck with establishing the IPsec VPN. Both sides are saying:

 Initial exchange failed

This suggests the two firewalls are not able to talk to each other.

Is there any special configuration on the management interface required so it can start to accept IPsec packets from the internet?

Please help.

thanks
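Since both posts above end at the same symptom (no tunnel, "Initial exchange failed" on both sides), here is a small linter for the pre-shared-key site-to-site mistakes that produce exactly that on an ASA. It is an added example written for this page, not code from either post or from Cisco. SAMPLE_CONFIG is a constructed copy of the crypto lines in the first post; FIXED_CONFIG is an assumed corrected version that binds the crypto map to an interface named outside (an assumption, since the post shows only the management interface configured) and keeps the poster's proposal name and peer address.

```python
"""Lint a Cisco ASA IKEv2 site-to-site config for the pre-shared-key mistakes that
leave both peers at 'Initial exchange failed'. Added example, not from the thread;
SAMPLE_CONFIG copies the posted crypto lines, FIXED_CONFIG is an assumed fix."""
import ipaddress
import re

# Constructed: the crypto-relevant lines from the first post, verbatim.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES256-SHA512
access-list OUTSIDE_cryptomap extended permit ip 10.247.2.0 255.255.254.0 10.144.0.0 255.255.0.0
crypto map VPN-MAP 1 match address OUTSIDE_cryptomap
crypto map VPN-MAP 1 set peer 185.122.16.254
crypto map VPN-MAP interface management
tunnel-group 1 type ipsec-l2l
tunnel-group 1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

# Assumed corrected version: interface name 'outside' is an assumption.
FIXED_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES256-SHA512
 protocol esp encryption aes-256
 protocol esp integrity sha-512
access-list OUTSIDE_cryptomap extended permit ip 10.247.2.0 255.255.254.0 10.144.0.0 255.255.0.0
crypto map VPN-MAP 1 match address OUTSIDE_cryptomap
crypto map VPN-MAP 1 set peer 185.122.16.254
crypto map VPN-MAP 1 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES256-SHA512
crypto map VPN-MAP interface outside
tunnel-group 185.122.16.254 type ipsec-l2l
tunnel-group 185.122.16.254 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""


def parse_blocks(config):
    """Pair each unindented command with the indented sub-commands that follow it."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_l2l(config):
    """Return (code, detail) findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    cmds = [c for c, _ in blocks]
    proposals = {c.split()[-1]: s for c, s in blocks if c.startswith("crypto ipsec ikev2 ipsec-proposal ")}
    tg_types = {m[1]: m[2] for c in cmds if (m := re.match(r"tunnel-group (\S+) type (\S+)", c))}
    tg_psk = {c.split()[1]: s for c, s in blocks if re.match(r"tunnel-group \S+ ipsec-attributes", c)}
    ikev2_ifaces = {c.split()[-1] for c in cmds if c.startswith("crypto ikev2 enable ")}
    entries, bound = {}, {}
    for c in cmds:
        if m := re.match(r"crypto map (\S+) (\d+) (.+)", c):
            entries.setdefault((m[1], m[2]), []).append(m[3])
        elif m := re.match(r"crypto map (\S+) interface (\S+)", c):
            bound[m[1]] = m[2]
    findings = []
    if not any(c.startswith("crypto ikev2 policy ") for c in cmds):
        findings.append(("no-ikev2-policy", "no 'crypto ikev2 policy': nothing to offer in IKE_SA_INIT"))
    for name, subs in proposals.items():
        if not any(s.startswith("protocol esp encryption") for s in subs):
            findings.append(("proposal-no-esp-transform", f"ipsec-proposal {name} has no ESP transform"))
    for (name, seq), attrs in entries.items():
        label = f"crypto map {name} {seq}"
        for a in attrs:
            # With pre-shared keys the ASA selects the L2L tunnel-group by the peer's address.
            if a.startswith("set peer ") and tg_types.get(a.split()[2]) != "ipsec-l2l":
                findings.append(("no-tunnel-group-for-peer",
                                 f"{label}: no 'tunnel-group {a.split()[2]} type ipsec-l2l', peer falls to DefaultL2LGroup"))
        if not any(a.startswith("set ikev2 ipsec-proposal ") for a in attrs):
            findings.append(("cryptomap-missing-ipsec-proposal", f"{label}: no 'set ikev2 ipsec-proposal'"))
    for name in {n for n, _ in entries}:
        if bound.get(name) not in ikev2_ifaces:
            findings.append(("ikev2-not-enabled-on-interface",
                             f"crypto map {name}: 'crypto ikev2 enable {bound.get(name)}' is missing, UDP/500 and /4500 are not served"))
    for tg, typ in tg_types.items():
        if typ != "ipsec-l2l" or tg == "DefaultL2LGroup":
            continue
        try:
            ipaddress.ip_address(tg)
        except ValueError:
            findings.append(("tunnel-group-name-not-peer-ip",
                             f"tunnel-group {tg}: a PSK L2L group must be named after the peer's IP"))
        for side in ("local", "remote"):
            if not any(s.startswith(f"ikev2 {side}-authentication pre-shared-key") for s in tg_psk.get(tg, [])):
                findings.append(("tunnel-group-missing-psk", f"tunnel-group {tg}: no ikev2 {side} pre-shared-key"))
    return findings
```

Running check_l2l(SAMPLE_CONFIG) reports six findings against the posted fragment: no crypto ikev2 policy, no crypto ikev2 enable on the interface carrying the crypto map, a crypto map without set ikev2 ipsec-proposal, a proposal with no ESP transform, and a tunnel-group named 1 where the ASA will look up 185.122.16.254; check_l2l(FIXED_CONFIG) returns nothing. Two things the linter cannot see from the config are worth checking by hand: in Azure the ASAv only ever holds the private address, the public IP is a 1:1 NAT in front of it, so the on-premises ASA must use the public IP as its peer and the exchange will switch to NAT-T on UDP 4500, and the NSG on the NIC the crypto map is bound to must allow UDP 500 and 4500 inbound, or IKE_SA_INIT never arrives and both sides report exactly "Initial exchange failed".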
