ASA to AZURE Site to Site VPN Issues

Pyie Phyo Htay
Level 1

Dear Members,

Greetings to all!

Show version

Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
:
ASA Version 9.2(2)4

Currently, I have configured a Cisco ASA to MS Azure site-to-site VPN with IKEv2, route based. In the Azure portal the tunnel is showing "connected", but I cannot ping or get RDP access from my on-premises side.

On the ASA side I used the following commands to check the Phase 1 and Phase 2 status; they show the following output:

MM-PR-DMXFW1/sec/act(config)# show crypto ikev2 sa

IKEv2 SAs:

Session-id:2516, Status:UP-ACTIVE, IKE count:2, CHILD count:1

Tunnel-id Local Remote Status Role
363297573 103.110.100.204/500 20.205.101.41/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/1492 sec

Tunnel-id Local Remote Status Role
329694893 103.110.100.204/500 20.205.101.41/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/1612 sec
Child sa: local selector 10.20.1.0/0 - 10.20.1.255/65535
remote selector 10.0.0.0/0 - 10.0.255.255/65535
ESP spi in/out: 0xa2703621/0xfe592a1c
MM-PR-DMXFW1/sec/act(config)#

MM-PR-DMXFW1/sec/act(config)# show crypto ipsec sa peer 20.205.101.41
peer address: 20.205.101.41
Crypto map tag: CRYPTO-AZURE-MAP, seq num: 1, local addr: 103.110.100.204

access-list AZURE-VPN-ACL extended permit ip 10.20.1.0 255.255.255.0 10.0.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.20.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
current_peer: 20.205.101.41


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 103.110.100.204/500, remote crypto endpt.: 20.205.101.41/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: FE592A1C
current inbound spi : A2703621

inbound esp sas:
spi: 0xA2703621 (2725262881)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 26083328, crypto-map: CRYPTO-AZURE-MAP
sa timing: remaining key lifetime (kB/sec): (4193280/84874)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xFE592A1C (4267256348)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 26083328, crypto-map: CRYPTO-AZURE-MAP
sa timing: remaining key lifetime (kB/sec): (4331520/84874)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

MM-PR-DMXFW1/sec/act(config)#

So, I assume Phase 1 and Phase 2 are working fine, or maybe I'm wrong.

I want to confirm whether my ASA configuration is correct, or whether anything needs to change on the ASA firewall.

Could you please kindly suggest how to help me with these issues? Many thanks for your help, everyone.

Best Regards,

Pyie Phyo Htay.

10 Replies


@Pyie Phyo Htay wrote:

Dear Members,

Greetings to all!

Show version

Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
:
ASA Version 9.2(2)4

Currently, I have configured a Cisco ASA to MS Azure site-to-site VPN with IKEv2, route based. In the Azure portal the tunnel is showing "connected", but I cannot ping or get RDP access from my on-premises side.

@Pyie Phyo Htay you say you've configured a route based VPN? ASA 9.2, which you are running, does not support route based VPN unless you upgrade to 9.7 or higher.

You've currently configured a Policy Based VPN on the ASA, so you'd need to ensure you've configured the Azure side to be Policy Based VPN too, example:- https://community.cisco.com/t5/security-blogs/site-to-site-vpn-between-cisco-asa-and-microsoft-azure-virtual/ba-p/3101421

You will also need to ensure that the ASA is configured with a NAT exemption rule, so that traffic over the VPN is not unintentionally translated. Example:-

nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static AZURE-NET AZURE-NET
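The "connected but no traffic" symptom in the original post is visible in the counters: both `#pkts encaps` and `#pkts decaps` are 0 while the SAs are READY. The script below is an added example (not from this thread or from Cisco) that parses a constructed `show crypto ipsec sa` excerpt, reads the negotiated selectors and counters, classifies the pattern, and checks whether a given flow would even match the selectors; note that a host in 10.20.2.0/24 (one of the subnets later added to the object-group) is outside the 10.20.1.0/24 selector negotiated in the first post. The field layout is assumed to match ASA 9.x output.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, trimmed to the fields the parser reads (assumed ASA 9.x layout).
SAMPLE = """\
peer address: 20.205.101.41
Crypto map tag: CRYPTO-AZURE-MAP, seq num: 1, local addr: 103.110.100.204
local ident (addr/mask/prot/port): (10.20.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

def parse_ipsec_sa(text):
    """Extract the traffic selectors and packet counters from 'show crypto ipsec sa' output."""
    sa = {}
    for side in ("local", "remote"):
        m = re.search(rf"{side} ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", text)
        # ipaddress accepts a dotted netmask, so the ASA's addr/mask pair maps straight to a network
        sa[side] = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    sa["counters"] = {k: int(v) for k, v in
                      re.findall(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)", text)}
    return sa

def is_interesting(sa, src, dst):
    """True if a src->dst flow falls inside the negotiated selectors, i.e. would be encrypted."""
    return ip_address(src) in sa["local"] and ip_address(dst) in sa["remote"]

def diagnose(sa):
    """Map the counter pattern to the usual cause, the way an engineer reads it by hand."""
    c = sa["counters"]
    enc, dec = c["pkts encaps"], c["pkts decaps"]
    if enc == 0 and dec == 0:
        return "idle: nothing matched the crypto ACL in either direction; check NAT exemption and routing on the ASA"
    if enc > 0 and dec == 0:
        return "one-way: ASA encrypts but receives nothing; check the Azure local network gateway address space and VNet routes"
    if enc == 0 and dec > 0:
        return "one-way: ASA decrypts but never sends; check the NAT exemption and the inside route for the remote network"
    if c["send errors"] or c["recv errors"]:
        return "errors: send/recv errors present; compare transform sets and lifetimes on both ends"
    return "healthy: traffic flows in both directions"

if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE)
    print(sa["local"], "->", sa["remote"], diagnose(sa))
    print("10.20.2.10 -> 10.0.5.4 interesting?", is_interesting(sa, "10.20.2.10", "10.0.5.4"))
```

Paste the real output of `show crypto ipsec sa peer <peer>` in place of `SAMPLE` to run it against a live device.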

Dear Rob Ingram,

Thanks for the explanation.

I'm trying to configure it following your reference link https://community.cisco.com/t5/security-blogs/site-to-site-vpn-between-cisco-asa-and-microsoft-azure-virtual/ba-p/3101421

Here is my new configuration for the ASA:

object-group network DEV-NET-SOURCE
network-object 10.20.1.0 255.255.255.0
network-object 10.20.2.0 255.255.255.0
network-object 10.20.3.0 255.255.255.0
network-object 10.20.4.0 255.255.255.0
object-group network AZURE-NET-DESTINATION
network-object 10.0.0.0 255.255.0.0
access-list AZURE-VPN-ACL extended permit ip object-group DEV-NET-SOURCE object-group AZURE-NET-DESTINATION

nat (internal,VPN) source static DEV-NET-SOURCE DEV-NET-SOURCE destination static AZURE-NET-DESTINATION AZURE-NET-DESTINATION

crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800

crypto ikev1 enable VPN

crypto ipsec ikev1 transform-set AZURE-IPSEC-PROPOSAL-SET20.205.101.41 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

tunnel-group 20.205.101.41 type ipsec-l2l
tunnel-group 20.205.101.41 ipsec-attributes
ikev1 pre-shared-key *****


crypto map CRYPTO-AZURE-MAP 1 match address AZURE-VPN-ACL
crypto map CRYPTO-AZURE-MAP 1 set peer 20.205.101.41
crypto map CRYPTO-AZURE-MAP 1 set ikev1 transform-set AZURE-IPSEC-PROPOSAL-SET20.205.101.41
crypto map CRYPTO-AZURE-MAP 1 set security-association lifetime seconds 27000
crypto map CRYPTO-AZURE-MAP 1 set security-association lifetime kilobytes 102400000
crypto map CRYPTO-AZURE-MAP interface VPN

sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows

But it's still not OK, although the Azure portal VPN connection shows "connected".

Please help me, bro.

Thanks in advance.

@Pyie Phyo Htay and is the Azure side VPN type configured for a Policy Based VPN?

[screenshot attachment]

And is it configured to use the same IKEv1/IPSec settings? Are the local/remote networks correctly configured?

Yes, the VPN type is configured as policy based, and in the Azure portal, once we create the Virtual Network Gateway, we can only choose gateway SKU type Basic. There is no setting to change IKEv1 in the connection; it's the default.

Please kindly see the attached files. Thanks.

[screenshot attachment]

[screenshot attachment]

nat (internal,VPN) source static DEV-NET-SOURCE DEV-NET-SOURCE destination static AZURE-NET-DESTINATION AZURE-NET-DESTINATION

What is the VPN interface you use here?

For the outside interface, I'm using the name VPN.

In the original post you shared IKEv2, then later you shared a config with IKEv1?

Yes bro, it's my early configuration, but it's not working; that's why I changed to the new configuration following the reference link https://community.cisco.com/t5/security-blogs/site-to-site-vpn-between-cisco-asa-and-microsoft-azure-virtual/ba-p/3101421

Here is my new configuration for the ASA:

object-group network DEV-NET-SOURCE
network-object 10.20.1.0 255.255.255.0
network-object 10.20.2.0 255.255.255.0
network-object 10.20.3.0 255.255.255.0
network-object 10.20.4.0 255.255.255.0
object-group network AZURE-NET-DESTINATION
network-object 10.0.0.0 255.255.0.0
access-list AZURE-VPN-ACL extended permit ip object-group DEV-NET-SOURCE object-group AZURE-NET-DESTINATION

nat (internal,VPN) source static DEV-NET-SOURCE DEV-NET-SOURCE destination static AZURE-NET-DESTINATION AZURE-NET-DESTINATION

crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800

crypto ikev1 enable VPN

crypto ipsec ikev1 transform-set AZURE-IPSEC-PROPOSAL-SET20.205.101.41 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

tunnel-group 20.205.101.41 type ipsec-l2l
tunnel-group 20.205.101.41 ipsec-attributes
ikev1 pre-shared-key *****


crypto map CRYPTO-AZURE-MAP 1 match address AZURE-VPN-ACL
crypto map CRYPTO-AZURE-MAP 1 set peer 20.205.101.41
crypto map CRYPTO-AZURE-MAP 1 set ikev1 transform-set AZURE-IPSEC-PROPOSAL-SET20.205.101.41
crypto map CRYPTO-AZURE-MAP 1 set security-association lifetime seconds 27000
crypto map CRYPTO-AZURE-MAP 1 set security-association lifetime kilobytes 102400000
crypto map CRYPTO-AZURE-MAP interface VPN

sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows

But it's still not OK, although the Azure portal VPN connection shows "connected".

The VPN type is configured as policy based, and in the Azure portal, once we create the Virtual Network Gateway, we can only choose gateway SKU type Basic. There is no setting to change IKEv1 in the connection; it's the default.

Many thanks for your help.

Please kindly see the attached files below:

[screenshot attachment]
[screenshot attachment]
[screenshot attachment]

There are two setups: one is the Policy based GW, and the other is the local GW setup.

[screenshot attachment]

Yes, I have already set up the Local Gateway. Please see the attached file.

[screenshot attachment]

Thanks.