With a Cisco ASA we can establish a site-to-site VPN between an on-premises network and a Microsoft Azure virtual network. This post gives a step-by-step procedure for establishing a site-to-site VPN between a Cisco ASA and an Azure virtual network using a static-routing VPN gateway (in the current portal this is the policy-based gateway type, which uses IKEv1).
Before configuring the site-to-site VPN, make sure the minimum prerequisites are met.
1) ASA version 9.1 or later is recommended; the version can be verified with the “show version” CLI.
2) The AES encryption license must be enabled on the ASA. Verify it with “show version”, or more directly with “show version | include Encryption-3DES-AES”, which should report the feature as Enabled.
Use the below topology as a reference for site-to-site VPN configuration.
Azure virtual network address space: 10.0.0.0/16
ASA side network: on-premises inside network 192.168.1.0/24
Creating the Azure VPN
In this section, we’ll be creating a virtual network in the Azure portal.
Step 1: Create the virtual network
After logging in to the Azure portal, click New -> Networking -> Virtual Network -> Create.
Step 2: Create the new virtual network
Fill in the name of the virtual network, the address range you wish to use in Azure, and the location.
Step 3: After the virtual network is created, add a gateway subnet named GatewaySubnet (the name is mandatory; the gateway will not deploy into a subnet with any other name).
Step 4: Create a VPN connection
Step 5: Set up an Azure policy-based gateway
Step 6: Set up the local network gateway
In our example:
Local network gateway IP address: 128.X.X.X (the ASA outside interface, i.e. its public IP address)
Local network address space: 192.168.1.0/24 (your on-premises network, entered in CIDR notation)
Creating the virtual network gateway and the connection takes a while (often tens of minutes). Once they are created, note the virtual network gateway's public IP address; the ASA uses it as its peer.
Configuring Cisco ASA:
In this section we'll configure the site-to-site VPN on ASA 8.4 and later (including 9.x).
Step 1a: Create two object-groups, one for the Azure virtual network address space and one for the on-premises network, e.g.
object-group network azure-networks
network-object 10.0.0.0 255.255.0.0
object-group network onprem-networks
description On-premises Network
network-object 192.168.1.0 255.255.255.0
Step 1b: Create the access-list that references the above object-groups to identify the interesting traffic for the VPN.
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
Step 2: Create identity NAT
Using the same object-groups, create an identity (twice) NAT rule for this VPN traffic so that an existing dynamic PAT rule on the outside interface does not translate it before encryption.
Step 3: Enable IKEv1 on the outside interface (“outside” is the interface nameif):
crypto ikev1 enable outside
Step 4: Configure IPsec
Configure the IPsec parameters for Phase 2.
In the configuration below, 104.x.x.x should be replaced by the virtual network gateway IP address, which is shown on the connection object in the portal, and <Pre-Share-Key> should be replaced by the shared key (PSK), found on the same object under All settings, Shared key.
Configure the crypto map using the configuration below. If your ASA already has a crypto map applied to the outside interface, reuse its name with a different (unused) sequence number rather than creating a second map; only one crypto map can be bound to an interface. Use “show run crypto map” to check whether a crypto map already exists, and if so use its name instead of “azure-crypto-map”.
crypto map azure-crypto-map 1 match address azure-vpn-acl
crypto map azure-crypto-map 1 set peer 104.x.x.x
crypto map azure-crypto-map 1 set ikev1 transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
Step 6: Adjust the TCP MSS value
To avoid fragmentation of packets inside the tunnel, set the TCP MSS to 1350 with the CLI below:
sysopt connection tcpmss 1350
Step 7:Allow re-establishment of the L2L VPN Tunnel