0

SITE-TO-SITE VPN WITH A CISCO ASA USING ASDM

OVERVIEW:
In this post we have a tendency to are aiming to link associate Azure Virtual Network to on associate premise network via a Cisco ASA. We’ll be making a route based mostly affiliation exploitation IKEv2 and a VTI interface.

We also are aiming to specialize in a way to accomplish this exploitation ASDM.

PREREQUISITES:

  • I am aiming to assume you’re already exploitation Azure and you have already got a Virtual Network in situ.
  • You ASA must be running a minimum of nine.7 but 9.8 or higher is most well-liked. I will be able to be exploitation nine.8
  • You will want ASDM, i will be able to be exploitation seven.9

THE AZURE aspect
VIRTUAL NETWORK entry:
If you Virtual Network already features a “Virtual network gateway” check you settings match then you’ll skip this section.

  • Under “Create a resource” within the high left seek for and choose “Virtual network gateways”
  • Click produce
  • Complete the form;
  • Name: no matter matches your naming convention.
  • Gateway Type: VPN
  • VPN Type: Route based mostly
    SKU: VpnGW1 (or higher, basic doesn’t support IKEv2)
  • Virtual Network: no matter Azure network we have a tendency to are connection over the VPN.
  • Public IP: produce new unless you have already got an area and provide it a reputation.
  • Subscription: Your subscription
  • Location: usually your virtual networks location.
  • Click produce

LOCAL NETWORK entry:
Next we’d like a neighborhood Network entry to outline our ASA public information processing address and also the list of on premise network(s) we would like over the VPN.

  • Under “Create a resource” within the high left seek for and choose “Local network gateway”
  • Click the Add button
  • Complete the form:
  • Name: no matter matches your naming convention.
  • IP Address: this is often the skin public information processing address of your ASA
  • Address space: This wherever you add you om premises subnets/vlan’s exploitation the networks CIDR for instance ten.0.100.0/24
  • Subscription: Your subscription
  • Resource Group: your required resource cluster
  • Location: usually your virtual networks location.
  • Click produce

A affiliation:
Navigate into your antecedently created Virtual network entry and click on Connections
Click Add
Complete the form:
Name: no matter matches your naming convention.
Connection Type: Site-to-Site (IPSec)
Virtual network entry: ought to be pre-filled with you Virtual network gateway
Local network entry: choose the antecedently created native network gateway
Shared key (PSK): choose as befittingly complicated string and build a note of it for later
Click OK


THE ASA aspect:
Connect to your ASA exploitation ASDM.

IKE V2 IPSEC PROPOSAL

  • Navigate to Configuration -> Site-to-Site-VPN -> Advanced -> IPSEC Proposals (Transformation Sets)
  • Add a internet proposal within the Dwight D. Eisenhower v2 section
  • Name: AZURE-PROPOSAL (Or no matter matches your naming convention)
  • Encryption: aes-256
  • Integrity Hash: sha-256
  • Click OK
  • Click Apply

Or the CLI would be:

crypto IPsec ikev2 IPsec-proposal AZURE-PROPOSAL
protocol ESP cryptography aes-256
protocol ESP integrity sha-256
IPSEC PROFILE:
Still underneath Configuration -> Site-to-Site-VPN -> Advanced -> IPSEC Proposals (Transformation Sets)
Add a replacement IPsec Profile
Name: AZURE-PROFILE (Or no matter matches your naming convention)
IKE v2 IPSEC Proposal: AZURE-PROPOSAL (what we have a tendency to simply created)
Click OK
Click Apply

Or the CLI would be:

crypto IPsec profile AZURE-PROFILE
set ikev2 IPsec-proposal AZURE-PROPOSAL
VTI INTERFACE:
Navigate to Configuration -> Device Setup -> Interface Settings -> Interfaces
Click Add on the proper and choose “VTI Interface” from the change posture
On the final tab:
VTI ID: Any range you wish that isn’t already in use 1-100
Interface Name: AZURE-VTI01 (Or no matter matches your naming convention)
Enable Interface: Checked
IP Address: 189.124.124.1 (Or no matter you like)
This is the information processing of the VTI interface therefore it can’t be used anyplace else in your ASA’s configuration.
I have gone with associate APPIPA address as I don’t use them anyplace else.
It solely must be a non-public address.
Later once we get into routing .2 are going to be our next hop to Azure.
Subnet Mask: 255.255.255.252 (we solely want 2 addresses)

On the Advanced tab
Destination information processing: the general public IP address of your Azure Virtual Network entry, that on be found on the summary pane for the entry.
Source Interface: outside (typically)
Tunnel protection with IPsec profile: AZURE-PROFILE (what we have a tendency to antecedently created)
Enable Tunnel Mode IPv4 IPsec: Checked
Click OK
Click Apply

Or the CLI would be:

Interface Tunnel20
no ending
nameif AZURE-VTI01
ip address 169.254.225.1 255.255.255.252
tunnel destination fifty one.143.xxx.xxx
tunnel supply interface outside
tunnel protection ipsec profile AZURE-PROFILE
tunnel mode ipsec ipv4

GROUP POLICY: Navigate to Configuration-> Site-to-Site VPN -> cluster Policies
Click Add
Name: AZURE-GROUP-POLICY
Tunneling Protocols: Un-check inherit and check IPsec IKEv2
Click OK
Click Apply

Or the CLI would be:

group-policy AZURE-GROUP-POLICY internal
group-policy AZURE-GROUP-POLICY attributes
vpn-tunnel-protocol ikev2
exit


TUNNEL cluster:
Navigate to Configuration -> Site-to-Site VPN -> Advanced -> Tunnel teams
Click Add
Name: the general public information processing address of your Azure Virtual Network entry. As we have a tendency to used on the advanced tab once fitting the VTI interface

AZURE-GROUP-POLICY (what we have a tendency to simply created)
Local and Remote Pre-Shared Keys: The PSK we have a tendency to set once making the affiliation on the Azure Virtual entry.
IKE Peer ID Validation: don’t Check
Click OK
Click Apply

Or the CLI would be:

Interface Tunnel20
no ending
nameif AZURE-VTI01
ip address 169.254.225.1 255.255.255.252
tunnel destination fifty one.143.xxx.xxx
tunnel supply interface outside
tunnel protection ipsec profile AZURE-PROFILE
tunnel mode ipsec ipv4

GROUP POLICY:

Navigate to Configuration-> Site-to-Site VPN -> cluster Policies
Click Add
Name: AZURE-GROUP-POLICY
Tunneling Protocols: Un-check inherit and check IPsec IKEv2
Click OK
Click Apply

Or the CLI would be:

group-policy AZURE-GROUP-POLICY internal
group-policy AZURE-GROUP-POLICY attributes
vpn-tunnel-protocol ikev2
exit


TUNNEL cluster:
Navigate to Configuration -> Site-to-Site VPN -> Advanced -> Tunnel teams
Click Add
Name: the general public information processing address of your Azure Virtual Network entry. As we have a tendency to used on the advanced tab once fitting the VTI interface

AZURE-GROUP-POLICY (what we have a tendency to simply created)
Local and Remote Pre-Shared Keys: The PSK we have a tendency to set once making the affiliation on the Azure Virtual entry.
IKE Peer ID Validation: don’t Check
Click OK

Click Apply

Or the CLI would be:

tunnel-group fifty one.143.xxx.xxx sort ipsec-l2l
tunnel-group fifty one.143.xxx.xxx general-attributes
default-group-policy AZURE-GROUP-POLICY
tunnel-group fifty one.143.xxx.xxx IPsec-attributes
peer-id-validate nocheck
ikev2 local-authentication pre-shared-key MyVerySecureKey
ikev2 remote-authentication pre-shared-key MyVerySecureKey
isakmp keep alive threshold ten hear two
THE ROUTE(S):
The last step is to outline what destination(s) we’ll be routing over the VPN. During this example with can use a static route, however if you’ve got  a lot of complicated setup BGP is associate choice.

Navigate to Configuration -> Device Setup -> Routing -> Static Routes
Click Add
Interface: AZURE-VTI01 (as we have a tendency to created within the VTI Interface section)
Network: The Azure Virtual Network or virtual network entry is on, otherwise you might add a subnet from that network if you don’t need the total network.
Gateway IP: 169.254.225.2 (Our next hop is one up from the information processing we have a tendency to assail the VTP Interface) Click OK
Add extra routes to the other subnets
Click Apply

Or the CLI would be:

route AZURE-VTI01 ten.xx.xx.xx 255.255.0.0 169.254.225.2 1
OTHER MICROSOFT advocate ASA TWEAKS:
Microsoft advocate setting the MSS to 1350 bytes, and enabling conserving vpn flows throughout tunnel rekeys

MSS:
Navigate to Configuration -> Firewall -> Advanced -> communications protocol choices
Under alternative choices tick “Force most section size for communications protocol affiliation to be” and set it to 1350

Or the CLI would be:

sysopt affiliation tcpmss 1350
PRESERVING VPN FLOWS:
Navigate to Configuration -> Site-to-Site VPN Advanced -> System choices
Check “Preserve stateful VPN flows once the tunnel drops”
Click Apply
Click Save

Or the CLI would be:

sysopt affiliation preserve-vpn-flows

Asad Mukhtar

Leave a Reply

Your email address will not be published. Required fields are marked *