04-25-2020 03:52 AM
Hi
I've been asked to fire up an ASAv in one of our existing Azure environments, which currently has Checkpoint CloudGuard IaaS protecting north/south and east/west traffic. The ASAv will be used to terminate S2S and web VPNs. I'm a little confused: reading the guidelines for this, it says the only external IP address is given to the management interface and can't be changed. How would we terminate our VPNs on this device?
I'm sure there's a simple explanation and I'm missing something.
Thanks
04-25-2020 07:15 AM
Not sure what guidelines; you have the management IP on the inside network also, or OOB.
You only need a public IP address on the outside for termination of the S2S VPN.
Here is the example: S2S
Web VPN
https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html
04-25-2020 09:22 AM - edited 04-25-2020 09:22 AM
Not clear about your current access to Azure and whether that might allow you to access private addresses inside their cloud. I have done site-to-site VPN where the ASA terminating the VPN was in private address space, and the key to getting it to work is a static translation at the entry point into the private subnets. Not sure if that is feasible with Azure.
04-25-2020 07:36 PM
Hi,
The only NIC allowed to associate an Azure Public IP Address is the MGMT interface of the ASAv.
This is the current limitation of deploying ASAv on Azure. So, you have two options:
1. Deploy your MGMT as your OUTSIDE interface. The web VPN as well as your site-to-site VPN will go through the MGMT interface. Here is what Cisco says in the guideline:
In Azure, the first defined interface, which is always the Management interface, is the only interface that can have an Azure public IP address associated with it. Because of this, the ASAv in Azure allows through-data traffic on the Management interface. Therefore the initial configuration for the Management interface does not include the management-only setting.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start-book/asav-98-qsg/asav-azure.html#id_48456
2. If you insist on separating your OUTSIDE from the MGMT interface, then you must assign a private address range on the other non-MGMT vNIC. Thus, you use an Azure Load Balancer (for example) in front of your VNET, performing inbound NAT from the Internet to your ASA.
This option is not recommended as it costs you more, and you need to manage one more virtual device, which is unnecessary.
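As an added illustration of option 1 above (this is not configuration from the thread or from Cisco's guide), the following ASAv snippet treats the first NIC, Management0/0, as the Internet-facing "outside" interface with no management-only setting, and terminates both an IKEv2 site-to-site tunnel and web VPN on it. Interface names, subnets, the peer address 198.51.100.10, the proposal/map names and the pre-shared key are placeholders.

```text
! Azure hands the ASAv its NIC addresses via DHCP; the public IP is mapped
! onto this first NIC by Azure, so the interface itself stays private.
interface Management0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
 ! deliberately no "management-only": through-traffic (VPN) must be allowed

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address dhcp

! Traffic selector for the site-to-site tunnel (placeholder subnets)
access-list S2S_TRAFFIC extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0

! IKEv2 / IPsec site-to-site tunnel terminated on "outside"
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE_MAP 10 match address S2S_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE_ME
 ikev2 local-authentication pre-shared-key REPLACE_ME

! Web VPN (clientless / AnyConnect) listening on the same interface
webvpn
 enable outside
```

Because the interface carries a private address while peers see the Azure public IP, the remote peer's tunnel-group must reference the public IP, and IKE runs behind Azure's NAT.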