02-06-2014 09:02 AM
Hi all,
I'm trying to set up a site-to-site VPN connection between my ASA 5505 (ASA 9.1(4) and ASDM 7.1(3)) and Windows Azure. For the configuration of the connection Microsoft supplies a configuration script (see below, IP and shared key removed) which sets up all the connection and encryption settings.
! Microsoft Corporation
! Windows Azure Virtual Network
! This configuration template applies to Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software 8.3.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.
! ---------------------------------------------------------------------------------------------------------------------
! ACL and NAT rules
!
! Proper ACL and NAT rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
object-group network azure-networks
network-object 10.0.0.0 255.0.0.0
exit
object-group network onprem-networks
network-object 172.16.0.0 255.255.0.0
exit
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
exit
! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association.
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer 1.1.1.1
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
! ---------------------------------------------------------------------------------------------------------------------
! Tunnel configuration
!
! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key
! value used for Phase 1 authentication.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key abcdefghijklmnopqrstuvwxyz123456
exit
! ---------------------------------------------------------------------------------------------------------------------
! TCPMSS clamping
!
! Adjust the TCPMSS value properly to avoid fragmentation
sysopt connection tcpmss 1350
exit
I ran this script successfully and I checked the settings in ASDM. However, I keep getting the error that UDP 500 is blocked:
Deny inbound UDP from 1.1.1.1/500 to 2.2.2.2/500 on interface outside
I'm quite new to Cisco firewalls and am looking for a fairly dummy proof way to allow the different protocol settings required (isakmp, NAT-T, L2TP, ESP) from the Azure gateway (1.1.1.1) to my outside ip address (2.2.2.2).
Any help would be appreciated!
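An added example (not from the original post or from Microsoft's template) of what an explicit inbound permit on the outside interface looks like for the peer traffic listed above, using the post's placeholder addresses 1.1.1.1 (Azure gateway) and 2.2.2.2 (ASA outside); the ACL name outside_access_in is an assumed name, and the packet-tracer and show commands are the checks for confirming the deny is gone.

```cisco
! Added example, not part of the thread or the Azure template.
! Inbound permits on the outside interface for the IPsec control plane
! (IKE on UDP 500, NAT-T on UDP 4500) and data plane (ESP) from the
! Azure gateway 1.1.1.1 to the ASA outside address 2.2.2.2.
! "outside_access_in" is an assumed ACL name: if an ACL is already applied
! inbound on outside, add these lines to that ACL instead of creating a new
! one, because access-group replaces whatever ACL is currently bound.
access-list outside_access_in extended permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list outside_access_in extended permit udp host 1.1.1.1 host 2.2.2.2 eq 4500
access-list outside_access_in extended permit esp host 1.1.1.1 host 2.2.2.2
access-group outside_access_in in interface outside
!
! Checks (privileged EXEC mode, not configuration mode):
! Replay the exact packet that was being denied and see which rule it hits.
packet-tracer input outside udp 1.1.1.1 500 2.2.2.2 500
! Confirm IKE is actually enabled on outside (ASA 9.x stores the template's
! "crypto isakmp" lines as "crypto ikev1").
show run crypto ikev1
! Phase 1 and Phase 2 state once the gateway retries.
show crypto isakmp sa
show crypto ipsec sa peer 1.1.1.1
! The "Deny inbound UDP from .../500 to .../500 on interface outside" line in
! the post is ASA syslog 106006; watch for it to stop after the change.
```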
11-19-2014 03:24 AM
Please try to deploy ACLs inbound and outbound, and as per your deny message, permit it from the internal network to the external network and vice versa.
The error is self-explanatory.
04-12-2018 09:17 AM
Hello,
this is what I am getting after running Packet Tracer on Phase 5:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae2cbd68, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=13, user_data=0x0, cs_id=0xadf3d260, reverse, flags=0x0, protocol=0
src ip/id=10.10.8.0, mask=255.255.252.0, port=0, tag=0
dst ip/id=10.20.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
input_ifc=Cust-OutSell, output_ifc=any