With a Cisco ASA you can establish a site-to-site VPN between an on-premises network and a Microsoft Azure virtual network. This blog gives a step-by-step procedure for establishing a site-to-site VPN (using a static-routing, i.e. policy-based, VPN gateway) between a Cisco ASA and an Azure virtual network.
Before we move on to configuring the site-to-site VPN, let's make sure we meet the minimum prerequisites.
1) We recommend ASA software version 9.1 or later. Verify the running version with the CLI command "show version".
2) The AES encryption license must be enabled on the ASA. Verify it with "show version" or "show version | include Encryption-3DES-AES"; the output should read "Encryption-3DES-AES : Enabled".
Use the below topology as a reference for site-to-site VPN configuration.
Azure virtual network address space: 10.0.0.0/16
ASA side: on-premises inside network 192.168.1.0/24
Creating the Azure VPN
In this section we create the virtual network, its gateway subnet, the VPN gateway and the connection to the on-premises site in the Azure portal.
Step 1: Create the virtual network:
After logging in to the Azure portal, click New -> Networking -> Virtual Network -> Create.
Step 2: Create the new virtual network
Fill in the name of the virtual network, the address range you wish to use in Azure (10.0.0.0/16 in our example), and the location.
Step 3: After the virtual network is created, add a gateway subnet. It must be named GatewaySubnet.
Step 4: Create a VPN Connection
Step 5: Set up the Azure virtual network gateway with VPN type Policy-based (this is the static-routing gateway; it negotiates IKEv1 only, which is what the ASA configuration below uses).
Step 6: Set up the local network gateway (this object represents your on-premises site)
In our example:
Local network gateway IP address: 128.X.X.X (the public IP address of the ASA outside interface)
Address space: 192.168.1.0/24 (your on-premises network, in CIDR notation)
It takes a couple of minutes to create the gateway and the connection. Once they are created, note the public IP address of the virtual network gateway; it is the peer address used in the ASA configuration.
Configuring the Cisco ASA:
In this section we configure the site-to-site VPN on the ASA. The syntax below applies to ASA 8.4 and 9.x.
Step 1a: Create two object-groups, one for the Azure virtual network address space and one for the on-premises network, e.g. (the mask must match the Azure address space, 255.255.0.0 for 10.0.0.0/16):
object-group network azure-networks
 network-object 10.0.0.0 255.255.0.0
object-group network onprem-networks
 description On-premises Network
 network-object 192.168.1.0 255.255.255.0
Step 1b: Create the access-list that references the object-groups above to identify the interesting traffic for the VPN.
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
Step 2: Create the identity NAT
Using the same object-groups, create an identity (twice) NAT rule for the VPN traffic, so that packets between the two networks are exempted from the outbound PAT rule and reach the crypto map with their original addresses.
Step 3: Enable IKEv1 on the outside interface (replace outside with the nameif of your Internet-facing interface):
crypto ikev1 enable outside
Step 4: Configure IPsec
Configure the IPsec parameters for Phase 2: an IKEv1 transform set named azure-ipsec-proposal-set, which the crypto map below references.
In the configuration below, replace 104.x.x.x with the public IP address of the Azure virtual network gateway (shown on the connection object), and replace <Pre-Share-Key> with the pre-shared key (PSK) shown on the same object under All settings -> Shared key.
Step 5: Configure the crypto map using the lines below. An ASA interface can carry only one crypto map, so if the ASA already has a crypto map applied to the outside interface, reuse its name with a different, unused sequence number instead of azure-crypto-map. Check for an existing crypto map with "show run crypto map".
crypto map azure-crypto-map 1 match address azure-vpn-acl
crypto map azure-crypto-map 1 set peer 104.x.x.x
crypto map azure-crypto-map 1 set ikev1 transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
Step 6: Adjust the TCP MSS value
To avoid fragmentation of TCP segments inside the tunnel, set the TCP MSS to 1350 with the following command:
sysopt connection tcpmss 1350
Step 7: Allow re-establishment of the L2L VPN tunnel
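The complete ASA configuration for Steps 1 to 6 above, as an added example rather than the post's own listing. It also fills in the pieces the post names but does not show: the identity NAT rule, the IKEv1 policy, the transform set and the tunnel-group. The Phase 1 and Phase 2 values used here (AES-256, SHA1, DH group 2, 28800 s IKE lifetime, 3600 s / 102400000 KB IPsec lifetime, no PFS) are the parameters Azure publishes for its policy-based gateway and are an assumption of this example; 104.x.x.x and <Pre-Share-Key> are the placeholders from the post, and inside/outside are assumed interface names.

```cisco
! --- Step 1a: objects (masks must match the address spaces in the topology) ---
object-group network azure-networks
 network-object 10.0.0.0 255.255.0.0
object-group network onprem-networks
 description On-premises Network
 network-object 192.168.1.0 255.255.255.0
!
! --- Step 1b: interesting traffic for the crypto map ---
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
!
! --- Step 2: identity NAT so VPN traffic bypasses the outbound PAT rule ---
! (assumed interface names inside/outside)
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks no-proxy-arp route-lookup
!
! --- Step 3: IKEv1 (Phase 1) on the outside interface ---
crypto ikev1 enable outside
! Pick a priority number not already used by an existing ikev1 policy
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
!
! --- Step 4: IPsec (Phase 2) transform set ---
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
!
! Peer definition: the Azure VPN gateway public IP and the shared key from the
! connection object (placeholders from the post)
tunnel-group 104.x.x.x type ipsec-l2l
tunnel-group 104.x.x.x ipsec-attributes
 ikev1 pre-shared-key <Pre-Share-Key>
!
! --- Step 5: crypto map (reuse an existing map name on outside if one exists) ---
crypto map azure-crypto-map 1 match address azure-vpn-acl
crypto map azure-crypto-map 1 set peer 104.x.x.x
crypto map azure-crypto-map 1 set ikev1 transform-set azure-ipsec-proposal-set
! Lifetimes set per entry so other tunnels on this ASA keep their own values;
! no "set pfs" line, because the policy-based gateway does not negotiate PFS
crypto map azure-crypto-map 1 set security-association lifetime seconds 3600
crypto map azure-crypto-map 1 set security-association lifetime kilobytes 102400000
crypto map azure-crypto-map interface outside
!
! --- Step 6: reduce the TCP MSS to avoid fragmentation inside the tunnel ---
sysopt connection tcpmss 1350
```

After applying this, send traffic from a host in 192.168.1.0/24 to an address in 10.0.0.0/16 to trigger the tunnel, then check "show crypto ikev1 sa" for a Phase 1 SA in state MM_ACTIVE and "show crypto ipsec sa peer 104.x.x.x" for encaps/decaps counters that increase. IKEv1 Phase 2 selectors must mirror each other, so if Phase 2 fails to come up, compare the object-group masks with the address spaces configured on the Azure virtual network and local network gateway before changing anything else.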