ASAv and VPNs

dhughes133
Level 1

Hi 

 

I've been asked to fire up an ASAv in one of our existing Azure environments, which currently has Check Point CloudGuard IaaS protecting north/south and east/west traffic. The ASAv will be used to terminate S2S and web VPNs. I'm a little confused reading the guidelines for this: it says the only external IP address is given to the management interface and can't be changed. How would we terminate our VPNs on this device?

 

I'm sure there's a simple explanation and I'm missing something.

 

Thanks

3 Replies

balaji.bandi
Hall of Fame

Not sure what guidelines; you have the management IP on the inside network also, or OOB.

 

You only need a public IP address on the outside for termination of the S2S VPN.

 

Here is the example: S2S

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html

 

Web VPN 

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html

 

 

BB


Richard Burts
Hall of Fame

Not clear about your current access to Azure and whether that might allow you to access private addresses inside their cloud. I have done site-to-site VPN where the ASA terminating the VPN was in private address space, and the key to getting it to work is a static translation at the entry point into the private subnets. Not sure if that is feasible with Azure.

HTH

Rick

ngkin2010
Level 7

Hi,

 

The only NIC allowed to have an Azure Public IP Address associated with it is the MGMT interface of the ASAv.

 

This is a current limitation of deploying the ASAv on Azure. So, you have two options:

 

1. Deploy your MGMT as your OUTSIDE interface. The WebVPN as well as your site-to-site VPN will go through the MGMT interface. Here is what Cisco says in the guideline:

 

In Azure, the first defined interface, which is always the Management interface, is the only interface that can have an Azure public IP address associated with it. Because of this, the ASAv in Azure allows through-data traffic on the Management interface. Therefore the initial configuration for the Management interface does not include the management-only setting.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start-book/asav-98-qsg/asav-azure.html#id_48456

2. If you insist on separating your OUTSIDE from the MGMT interface, then you must assign a private address range on the other, non-MGMT vNIC. Thus, you use an Azure Load Balancer (for example) in front of your VNet, performing inbound NAT from the Internet to your ASA.

 

This option is not recommended as it costs you more, and you need to manage one more virtual device, which is unnecessary.
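Added example, not part of any reply above and not taken from Cisco's documentation: what option 1 looks like as ASA configuration. The first vNIC (Management0/0) keeps its Azure public IP, is renamed "outside", is left without "management-only" (as the Azure quick-start initial config does), and carries both the IKEv2 site-to-site tunnel and WebVPN/AnyConnect. All addresses, object names, the peer 203.0.113.10, the admin range 198.51.100.0/24 and the PSK placeholder are assumed values to be replaced with your own.

```text
! Added example (not from the thread). Option 1: the management vNIC is the only
! one Azure will attach a public IP to, so it becomes the outside interface.
! Note the absence of "management-only" so data traffic can transit it.
interface Management0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
 no management-only
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address dhcp
!
! --- Site-to-site IKEv2 tunnel (subnets, peer and PSK are assumed placeholders)
object network LOCAL-NET
 subnet 10.10.0.0 255.255.0.0
object network REMOTE-NET
 subnet 10.20.0.0 255.255.0.0
access-list S2S-ACL extended permit ip object LOCAL-NET object REMOTE-NET
! Identity NAT so tunnelled traffic is not translated on the way out
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE-MAP 10 match address S2S-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>
!
! --- WebVPN / AnyConnect terminated on the same interface
webvpn
 enable outside
 anyconnect enable
!
! The VPN interface is now also the management plane, so restrict who may
! reach SSH and ASDM on it (assumed admin range, replace with your own)
ssh 198.51.100.0 255.255.255.0 outside
http server enable
http 198.51.100.0 255.255.255.0 outside
```

Two things to check with this layout: the ASA's interface holds the private Azure address while the remote peer sees the Azure public IP, because Azure does a 1:1 NAT in front of the vNIC, so the tunnel runs with NAT traversal in play; and the Azure NSG attached to the management NIC must permit inbound UDP 500, UDP 4500 and TCP 443 (and only the admin range for TCP 22/ASDM), since the ASA's own interface ACLs do not replace the NSG.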
