Site-to-Site VPN to Azure using ASA question.

dreyes13
Level 1

Not very familiar with ASA's at all, so hoping someone can shine some light on an issue we are coming across. 

 

We are experiencing some road blocks in trying to implement a Site to Site VPN connection to Azure. The status of the VPN connection on the Azure portal has been stuck on "Connecting" for a couple of weeks now. We followed the Microsoft script to create a route based VPN connection on our ASA 5555 appliance running 9.6 code, but for whatever reason we still aren't getting a connection between the two. 

 

I'm wondering if we used an incorrect network address. We are using our outside interface (address) on our side of the connection, but maybe we need to use the address that is associated to our internet connection/router? 

 

We are using this interface.

Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: OUTSIDE-INTERFACE
MAC address 58ac.785c.4668, MTU 1500
IP address xx.xxx.xx.x, subnet mask 255.255.255.0

 

Any help would be greatly appreciated. 

 

5 Replies

dreyes13
Level 1

Update - So it looks like the issue revolved around our ASA not liking the Route Based VPN config that Microsoft gave us. The VPN tunnel is showing up once we did a policy based config... But we can't ping any of the virtual servers that we put up in the Azure cloud... 

Look out for the ACL; is the interesting traffic allowed in the VPN config?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I'm not very familiar with looking up information on interesting traffic on the VPN, but in terms of ACLs, as far as we know we matched all the object groups and policies to the Microsoft specifications provided.

 

object-group network AzureNetworks
description Azure-Virtual-Networks

network-object 10.x.x.x 255.255.0.0
exit

 

object-group network OnpremisesNetworks
description Onpremises-Networks

network-object 10.0.0.0 255.255.255.0
exit

 

access-list Azure-ACL extended permit ip object-group OnpremisesNetworks object-group AzureNetworks log notifications

 

group-policy AzureGroupPolicy internal
group-policy AzureGroupPolicy attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy AzureGroupPolicy
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key x
ikev2 local-authentication pre-shared-key x
no tunnel-group-map enable peer-ip
tunnel-group-map default-group x.x.x.x

 

!crypto map outside_map 1 match address Azure-ACL
!crypto map outside_map 1 set peer x.x.x.x
!crypto ipsec ikev1 transform-set Azure-Ipsec-Tunnel-xxx-Azure-Connection-x.x.x.x esp-aes-256 esp-sha-hmac
!crypto ipsec security-association lifetime seconds 3600
!crypto ipsec security-association lifetime kilobytes 102400000
!tunnel-group x.x.x.x type ipsec-l2l
!tunnel-group x.x.x.x ipsec-attributes
! ikev1 pre-shared-key x
!crypto map outside_map 1 set ikev1 transform-set Azure-Ipsec-Tunnel-xxx-Azure-Connection-x.x.x.x
!crypto map outside_map 1 set security-association lifetime seconds 3600
!crypto map outside_map 1 set security-association lifetime kilobytes 102400000
!crypto map outside_map interface outside

Looks like your address spaces overlap each other.

 

Until we see the full octet information and the routing tables of both sides, it is hard to identify the issue for now.

 

BB


The Azure virtual network is 10.200.0.0/16.

 

Our on-prem network would be 10.0.0.0/24.

 

Wouldn't NAT take care of any private IP range issues?

 

Thanks!
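Added example, not from the thread or from Cisco: a small Python audit of a constructed ASA config modelled on the one posted above, which checks the points raised in this thread: that the crypto ACL references object-group names exactly as defined (ASA object-group names are case-sensitive, and the sample deliberately contains a case mismatch), that at least one crypto map line is active rather than commented out, that the IKE version in the group-policy matches the transform-set, and whether the Azure and on-prem ranges overlap (10.200.0.0/16 and 10.0.0.0/24 do not, so NAT is not needed on that account). The transform-set name Azure-TS is a placeholder.

```python
import ipaddress
import re
from itertools import combinations
# Constructed sample modelled on the thread's config (ACL says "OnPremisesNetworks", group is
# "OnpremisesNetworks", crypto map lines commented out); "Azure-TS" is a placeholder name.
ASA_CONFIG = """\
object-group network AzureNetworks
 network-object 10.200.0.0 255.255.0.0
object-group network OnpremisesNetworks
 network-object 10.0.0.0 255.255.255.0
access-list Azure-ACL extended permit ip object-group OnPremisesNetworks object-group AzureNetworks
group-policy AzureGroupPolicy attributes
 vpn-tunnel-protocol ikev2
!crypto map outside_map 1 match address Azure-ACL
!crypto map outside_map 1 set ikev1 transform-set Azure-TS
!crypto map outside_map interface outside
"""

def parse_object_groups(config):
    """Map each 'object-group network' name to its list of ip_network objects."""
    groups, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif line.startswith("network-object ") and current:
            groups[current].append(ipaddress.ip_network("/".join(line.split()[1:3]), strict=False))
    return groups

def overlapping_pairs(groups):
    """Return (group, net, group, net) tuples for networks that overlap across groups."""
    nets = [(name, n) for name, lst in groups.items() for n in lst]
    return [(a, x, b, y) for (a, x), (b, y) in combinations(nets, 2)
            if a != b and x.overlaps(y)]

def audit_asa_vpn(config):
    """Return findings for the site-to-site mistakes discussed in the thread."""
    findings, groups = [], parse_object_groups(config)
    lines = [l.strip() for l in config.splitlines()]
    acl_text = "\n".join(l for l in lines if l.startswith("access-list"))
    for name in re.findall(r"object-group (\S+)", acl_text):
        if name not in groups:  # ASA object-group names are case-sensitive
            findings.append(f"ACL references undefined object-group '{name}'")
    if not any(l.startswith("crypto map") for l in lines):
        findings.append("no active crypto map: the crypto ACL is never bound to an interface")
    if "vpn-tunnel-protocol ikev2" in lines and any("ikev1 transform-set" in l for l in lines):
        findings.append("group-policy allows only IKEv2 but the transform-set is IKEv1")
    for a, x, b, y in overlapping_pairs(groups):
        findings.append(f"address overlap: {a} {x} overlaps {b} {y}")
    return findings
```

Running `audit_asa_vpn(ASA_CONFIG)` reports the name mismatch, the missing active crypto map and the IKE version mismatch, and no overlap between the two ranges.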