Configuring site to site VPN from FTD to Azure

raulgomez101
Level 1

Hi,

I am familiar with ASA but not with FTD. I have set up a policy-based (IKEv1) tunnel with Azure, but now I want to set up a route-based tunnel with Azure.

By mistake or luck, I ordered an ASA-5506-FTD-K9 firewall. I wondered if somebody has managed to create a S2S tunnel between this device and Azure.

Now, regular tunnels are policy-based and easy to configure. Route-based ones require a custom config on the Azure side. It requires enabling Traffic Selectors:

Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -UsePolicyBasedTrafficSelectors $True

I am using the ASA configuration as guidance from the URL:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-cisco-asa

But I am wondering if you have managed to make this work for your company. Any help would be appreciated.

Thanks,

Accepted Solution

Francesco Molino
VIP Alumni
Hi

On your ASA and/or FTD it's a standard L2L VPN, not route-based, based on the documentation.
I never did it with Azure but a lot of VPNs with AWS. They're working well. With Azure it's the same.

The configuration on FMC is straightforward. With FDM (local FTD management), it's straightforward but I did it only once. All my customers are taking FMC (cheap for 2 FTDs) because you have limitations with FDM.

You have a wizard that you can follow and you'll be able to create your IKEv2 policies during the wizard.
Or you can create them manually by going to object management and creating your IKEv2 policies.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


Thank you Francesco. I opened a TAC case and the engineer told me the trick is in the Azure part. If I set the TrafficSelectors option I could use policy-based configurations with a route-based gateway.

I will do a couple of tests and I will update this discussion with my results.

Thanks for replying.

R

Ok thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Just wanted to provide an update.

Similar to Francesco, I created an IKEv1 tunnel to one of my branch offices but not directly to Azure. I think it will be possible. I don't see why not. The only caveat is that you need to customize your local gateway in Azure with PowerShell scripts.

To customize the local gateway, you need to use UsePolicyBasedTrafficSelectors $True.

FMC was out of the question for me because the firewall is located in the branch office, and it's not a good idea to manage your firewall using the outside interface.

I find these FTD firewalls lacking several features. I hit a bug and couldn't even manage the firewall using the inside interface via the VPN tunnel.

But yes, it is possible to create an IKEv2 tunnel to Azure using the FTD and customizing the Azure gateway via PowerShell.

Thanks,

RG
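The Azure-side customization that both the original question and the update above refer to, written out as a complete AzureRM PowerShell sequence. This is an added example, not a script from the thread or from Microsoft's ASA guide: it builds the local network gateway for the FTD, creates the connection with UsePolicyBasedTrafficSelectors set at creation time, shows the Set- form quoted in the question for an existing connection, and reads the flag back so a mismatch is caught before troubleshooting the FTD side. Every resource name, address and the pre-shared key are hypothetical placeholders; the IKEv2/IPsec proposal is an assumed AES256/SHA256 pairing that must match whatever the FTD VPN wizard is configured with.

```powershell
# Added example (not from the thread): enable policy-based traffic selectors on an Azure
# route-based VPN gateway connection so a crypto-map style FTD/ASA peer can negotiate it.
# All names, addresses and the pre-shared key below are hypothetical placeholders.

$rg             = "rg-vpn-example"          # placeholder resource group
$location       = "westeurope"              # placeholder region
$vnetGwName     = "vng-example"             # existing route-based VirtualNetworkGateway (assumed)
$lngName        = "lng-branch-ftd"
$connName       = "conn-branch-ftd"
$ftdPublicIp    = "203.0.113.10"            # placeholder (documentation range) for the FTD outside IP
$branchPrefixes = @("192.168.10.0/24", "192.168.20.0/24")   # placeholder on-prem networks behind the FTD

# Keep the PSK out of the script file; read it from the environment at run time.
$psk = $env:VPN_PSK
if ([string]::IsNullOrEmpty($psk)) { throw "Set VPN_PSK before running" }

# 1. Local network gateway = the on-prem side: FTD outside IP plus the prefixes it will protect.
#    These prefixes become one side of the traffic selectors, so they must equal the FTD's
#    local networks exactly (no summarization on either end).
$lng = New-AzureRmLocalNetworkGateway -Name $lngName -ResourceGroupName $rg -Location $location `
        -GatewayIpAddress $ftdPublicIp -AddressPrefix $branchPrefixes

# 2. Explicit IKEv2/IPsec proposal so both ends negotiate the same algorithms (assumed values).
$ipsecPolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup2 `
        -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None `
        -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

$vng = Get-AzureRmVirtualNetworkGateway -Name $vnetGwName -ResourceGroupName $rg

# 3. Create the connection with policy-based traffic selectors already enabled.
$conn = New-AzureRmVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg `
        -Location $location -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
        -ConnectionType IPsec -SharedKey $psk -IpsecPolicies $ipsecPolicy `
        -UsePolicyBasedTrafficSelectors $True

# Equivalent for a connection that already exists (the form quoted in the question):
# $conn = Get-AzureRmVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
# Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn `
#         -UsePolicyBasedTrafficSelectors $True

# 4. Verify the flag actually landed, then report tunnel state for the FTD-side check.
$check = Get-AzureRmVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
if (-not $check.UsePolicyBasedTrafficSelectors) {
    throw "UsePolicyBasedTrafficSelectors is still false on $connName"
}
"Connection $connName status: $($check.ConnectionStatus)"
```

With the flag set, the Azure gateway still runs IKEv2 but proposes one child SA per (on-prem prefix, VNet prefix) pair instead of a single 0.0.0.0/0 selector, which is what a crypto-map or FTD site-to-site policy expects. If the connection status stays at Connecting, the usual cause is a selector mismatch: compare the local network gateway prefixes and the VNet address space against the protected networks defined in the FTD VPN topology before touching the IKE or IPsec proposals.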

Thanks for the update.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question