Microsoft Azure To Cisco ASA Site to Site VPN

Advertisement

KB ID 0001166 Dtd 12/03/16

Problem

Given the amount of Cisco work, and the amount of Microsoft work I do I'm surprised I've never had to do this before. The call came in this week for a client who had a Cisco 5512-X firewall and wanted to get a site to site VPN into Microsoft Azure. Some efforts had been made, but the tunnel had refused to come up.

Well I've never even logged into Azure,  (why would I ?) I work for a Data Center hosting company, and we run vCloud, and I've got my own VMware deployments for testing, and VPS's all over the place.

So I created a free Azure account, and tried to do a test run, I have an ASA 5510 Running version 9.2 in my test network, and a few servers to test with.

Azure to Cisco ASA VPN

Solution

I'd like to say, I don't like the Azure UI at all! I don't find it intuitive, and after building a VM, I found I could not even change what network it was on? Just about every blog and YouTube video I could find was for Azure 'Classic', and I could not find a way to change to that either? Anyway I persevered - Here's how to do it.

Step 1: Configure Azure for IPSec VPN

Sign int0 Azure > New > Networking > Virtual Network > Create.

Azure Virtual Network

OK, if you're used to networking this can be a little confusing, we are going to create a virtual network, and in it we are going to put a virtual subnet, (yes I know this is odd, bear with me!) It's the 'Subnet Name 'and 'address range' that things will actually connect to, (10.0.0.0/24) > Create.

Azure VPN to Cisco

To further confuse all the network engineers, we now need to add another subnet, this one will be used by the 'gateway'. If you are  a 'networking type' it's part of the virtual network, but is more specific than the subnet you already created. Select your Virtual Subnet > All Settings > Subnets.

Add Subnet to Azure

Add > Call it 'GatewaySubnet', (or it wont work) > Add > put in another network.

GateWay Subnet Azure

New > Networking > See All, (unless you can see "Connection').

IPSEC VPN Microsoft Azure

Connection.

VPN from Microsoft Azure

Create.

Create VPN From Cisco ASA to Azure

Virtual  network Gateway > Create new > Virtual Network > Select your Virtual Network (if you can't add it, the gateway is wrong) > OK.

Connection Add Virtual Network

Public IP Address > Create New > Give it a name (again makes no sense but hey!) > OK > Set the VPN type to 'Policy Based' > OK.

Azure Public Gateway IP

Now we enter the details of the Cisco ASA and the network behind it > Choose a local gateway > Create new > Give it a name > Enter the public IP of the ASA > Enter the LAN behind the ASA > OK.

Firewall to Azure VPN

Enter a shared key (PSK) Keep a note of it you will need to enter this on the ASA, Note: Azure can only handle letters and numbers, put anything else in and it will error  > Scroll Down.

Azure Shared Key PSK

Enter a resource group name, which can be anything I'm not really sure how these work  > Create > Wait about 20 minutes for the gateway to be created and get a public IP address etc.

VPN Connection from Azure

When its created take a note of its public IP address > And double check the PSK.

Locate Azure Gateway Public IP

Step 2 Configure the Cisco ASA

I read somewhere that the ASA had to be at 9.1? That's not true, I've done it with a firewall running 8.3, and I've read blog posts from people who have done this with a Cisco PIX (running version 6). But the firewall does have to support AES encryption ('show version' will tell you). There are some subtle differences in the code which I will point out below, but essentially you should be running an OS newer than 8.4 for this config to work. (As I've said I'll address 8.4, and 8.3 (or earlier) below).

Connect to the ASA and create an object group for your local subnet, and the subnet that you are using in Azure, (Called Azure-SN above).

Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# object-group network OBJ-AZURE-SN
Petes-ASA(config-network-object-group)# description Azure Subnet
Petes-ASA(config-network-object-group)# network-object 10.0.0.0 255.255.255.0
Petes-ASA(config-network-object-group)# exit
Petes-ASA(config)# object-group network OBJ-LOCAL-SN
Petes-ASA(config-network-object-group)# description Local Subnet
Petes-ASA(config-network-object-group)# network-object 192.168.100.0 255.255.255.0
Petes-ASA(config-network-object-group)# exit 

Then create an access-list, this will alert the firewall that there is some 'interesting traffic' that needs to be encrypted (we will call this ACL later on, from the crypto-map). Then create a NAT rule that stops traffic that's going over the VPN tunnel from being NATTED.

Petes-ASA(config)# access-list ACL-AZURE-VPN extended permit ip object-group OBJ-LOCAL-SN object-group OBJ-AZURE-SN
Petes-ASA(config)# nat (inside,outside) 1 source static OBJ-LOCAL-SN OBJ-LOCAL-SN destination static OBJ-AZURE-SN OBJ-AZURE-SN no-proxy-arp route-lookup

Our VPN is going to use a pre-shared-key, (you created in Azure above). It will use AES-256 for encryption, SHA for hashing, and Diffie Hellman version 2 for key exchange. So we need to have a matching 'phase 1' (that's ISAKMP) policy.

Petes-ASA(config)# crypto ikev1 policy 5
Petes-ASA(config-ikev1-policy)# authentication pre-share
Petes-ASA(config-ikev1-policy)# encryption aes-256
Petes-ASA(config-ikev1-policy)# hash sha
Petes-ASA(config-ikev1-policy)# group 2
Petes-ASA(config-ikev1-policy)# lifetime 28800
Petes-ASA(config-ikev1-policy)# exit

Enable ISAKMP (version 1) on the outside interface, then configure the parameters that will be used in 'phase 2' (that's IPSEC). Note: If your outside interface is called something else like Outside or WAN substitute that!

Petes-ASA(config)# crypto ikev1 enable outside 
Petes-ASA(config)# crypto ipsec ikev1 transform-set AZURE-TRANSFORM  esp-aes-256 esp-sha-hmac
Petes-ASA(config)# crypto ipsec security-association lifetime seconds 3600
Petes-ASA(config)# crypto ipsec security-association lifetime kilobytes 102400000

Next, you need a tunnel-group, in this case the only job of the tunnel group has is to keep  the pre-shared-key (PSK) to the peer you specify. Which in this case is the Azure Gateway.

Petes-ASA(config)# tunnel-group 40.113.16.195 type ipsec-l2l
Petes-ASA(config)# tunnel-group 40.113.16.195 ipsec-attribute
Petes-ASA(config-tunnel-ipsec)#  ikev1 pre-shared-key 1234567890asdfg
Petes-ASA(config-tunnel-ipsec)# exit

The thing that ties it all together is the crypto map. Here I've called it "AZURE-CRYPTO-MAP", WARNING if you already have a crypto map, use the name of that one, or all your existing VPNS will stop working, (show run crypto will tell you). This is because, you can only have one crypto map applied to an interface, but you can have many crypto map numbers, i.e crypto map {NAME} {NUMBER} {COMMAND}. And each VPN tunnel has its own number.

Petes-ASA(config)# crypto map AZURE-CRYPTO-MAP 1 match address ACL-AZURE-VPN
Petes-ASA(config)# crypto map AZURE-CRYPTO-MAP 1 set peer 40.113.16.195
Petes-ASA(config)# crypto map AZURE-CRYPTO-MAP 1 set ikev1 transform-set AZURE-TRANSFORM
Petes-ASA(config)# crypto map AZURE-CRYPTO-MAP interface outside

There are a couple of extra commands you will need, these are sysops commands. Their purpose set things globally, and are generally hidden from the config, (i.e 'show run' wont show them). These are recommendations from Azure. The first one drops the maximum segment size to 1350.The second command keeps the TCP session information even if the VPN tunnel drops.

Petes-ASA(config)# sysopt connection tcpmss 1350
Petes-ASA(config)# sysopt connection preserve-vpn-flows
Petes-ASA(config)# exit

Testing Azure to Cisco ASA VPN

To test we usually use 'ping', the problem with that is, if you are using Windows Servers they will have their Windows firewall on by default, which blocks pings, (bear this in mind when testing). Also your ASA needs to be setup to allow pings, (try pinging 8.8.8.8 that usually responds), if yours doesn't then configure your ASA to allow ping traffic.

Setup a Virtual Machine in Azure and make sure it's connected to the right virtual network.

Add Virtual Machine to Network Azure

 

As mentioned above, you might want to turn the firewall off to test.

Test Azure VPN

 

On the Cisco ASA you can see the tunnel is established at Phase 1 (ISAKMP)

Petes-ASA# show cry isa               

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 40.113.16.195
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE 

If yours says something else, (or nothing at all) then phase 1 has not established. You need to Troubleshoot phase 1 of the VPN tunnel.

Assuming that's working your next test it to make sure that phase 2 has established. You should see packets encrypting and decrypting.

Petes-ASA(config)# show cry ipsec sa
interface: outside
    Crypto map tag: AZURE-CRYPTO-MAP, seq num: 1, local addr: 128.65.98.43

      access-list ACL-AZURE-VPN extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 40.113.16.195


      #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 128.65.98.43/0, remote crypto endpt.: 40.113.16.195/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 97624DA8
      current inbound spi : D7705547
              
    inbound esp sas:
      spi: 0xD7705547 (3614463303)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 335872, crypto-map: AZURE-CRYPTO-MAP
         sa timing: remaining key lifetime (kB/sec): (97199999/3556)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0000000F
    outbound esp sas:
      spi: 0x97624DA8 (2539802024)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 335872, crypto-map: AZURE-CRYPTO-MAP
         sa timing: remaining key lifetime (kB/sec): (97199999/3556)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

Petes-ASA(config)# 
If phase 2 did not connect, then you need to troubleshoot phase 2 of the VPN tunnel.

Back in Azure you should see the VPN shown as connected, and 'data in' and 'data out' figures going up.

Azure VPN Test

Azure to Cisco VPN Complete Code Snippets to Copy and Paste

(Change the values highlighted in red) WARNING: re-read the warning about crypto map names above!

VERSION 8.4 AND NEWER
!
object-group network OBJ-AZURE-SN
 description Azure Subnet
 network-object 10.0.0.0 255.255.255.0
exit
 object-group network OBJ-LOCAL-SN
 description Local Subnet
 network-object 192.168.100.0 255.255.255.0
exit 
!
access-list ACL-AZURE-VPN extended permit ip object-group OBJ-LOCAL-SN object-group OBJ-AZURE-SN
!
nat (inside,outside) 1 source static OBJ-LOCAL-SN OBJ-LOCAL-SN destination static OBJ-AZURE-SN OBJ-AZURE-SN
!
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
!
crypto ikev1 enable outside   
!
crypto ipsec ikev1 transform-set AZURE-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
!
tunnel-group 40.113.16.195 type ipsec-l2l
tunnel-group 40.113.16.195 ipsec-attribute
 ikev1 pre-shared-key 1234567890asdfg
!
crypto map AZURE-CRYPTO-MAP 1 match address ACL-AZURE-VPN
crypto map AZURE-CRYPTO-MAP 1 set peer 40.113.16.195
crypto map AZURE-CRYPTO-MAP 1 set ikev1 transform-set AZURE-TRANSFORM
!
crypto map AZURE-CRYPTO-MAP interface outside
!
sysopt connection tcpmss 1350
!
sysopt connection preserve-vpn-flows


VERSION 8.4 (BEFORE IKEv2 WAS INTRODUCED)

!
object-group network OBJ-AZURE-SN
 description Azure Subnet
 network-object 10.0.0.0 255.255.255.0
exit
 object-group network OBJ-LOCAL-SN
 description Local Subnet
 network-object 192.168.100.0 255.255.255.0
exit 
!
access-list ACL-AZURE-VPN extended permit ip object-group OBJ-LOCAL-SN object-group OBJ-AZURE-SN
!
nat (inside,outside) 1 source static OBJ-LOCAL-SN OBJ-LOCAL-SN destination static OBJ-AZURE-SN OBJ-AZURE-SN
!
crypto isakmp policy 5
authentication pre-share 
encryption aes-256 
hash sha 
group 2 
lifetime 28800
!
crypto isakmp enable outside 
!
crypto ipsec transform-set AZURE-TRANSFORM esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 3600 
crypto ipsec security-association lifetime kilobytes 102400000
!
tunnel-group 40.113.16.195 type ipsec-l2l 
tunnel-group 40.113.16.195 ipsec-attribute 
pre-shared-key 1234567890asdfg
!
crypto map AZURE-CRYPTO-MAP 1 match address ACL-AZURE-VPN 
crypto map AZURE-CRYPTO-MAP 1 set peer 40.113.16.195 
crypto map AZURE-CRYPTO-MAP 1 set ikev1 transform-set AZURE-TRANSFORM !
crypto map AZURE-CRYPTO-MAP interface outside 
!
sysopt connection tcpmss 1350
!
sysopt connection preserve-vpn-flows


OLDER THAN VERSION 8.3 (BEFORE NAT SYNTAX CHANGED)

!
name 10.0.0.0 OBJ-AZURE-SN
name 192.168.100.0 OBJ-LOCAL-SN
!
access-list ACL-AZURE-VPN extended permit ip OBJ-LOCAL-SN 255.255.255.0 OBJ-AZURE-SN 255.255.0.0 
!
access-list NO-NAT-TRAFFIC extended permit ip OBJ-LOCAL-SN 255.255.255.0 OBJ-AZURE-SN 255.255.0.0 
nat (inside) 0 access-list NO-NAT-TRAFFIC
!
crypto isakmp policy 5
authentication pre-share 
encryption aes-256 
hash sha 
group 2 
lifetime 28800 
!
crypto isakmp enable outside 
!
crypto ipsec transform-set AZURE-TRANSFORM esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 3600 
crypto ipsec security-association lifetime kilobytes 102400000 
!
tunnel-group 40.113.16.195 type ipsec-l2l 
tunnel-group 40.113.16.195 ipsec-attribute 
pre-shared-key 1234567890asdfg
!
crypto map AZURE-CRYPTO-MAP 1 match address ACL-AZURE-VPN 
crypto map AZURE-CRYPTO-MAP 1 set peer 40.113.16.195 
crypto map AZURE-CRYPTO-MAP 1 set ikev1 transform-set AZURE-TRANSFORM 
!
crypto map AZURE-CRYPTO-MAP interface outside 
!
sysopt connection tcpmss 1350
!
sysopt connection preserve-vpn-flows


Related Articles, References, Credits, or External Links

Microsoft Azure To Cisco ISR Router Site to Site VPN

Azure to Cisco VPN ‚Äď ‚ÄėFailed to allocate PSH from platform‚Äô

Author: PeteLong

Share This Post On

12 Comments

  1. So I’m trying to mentally get over this configuration hurdle that we have with EIGRP at the L3 core and the ASA hosting the VPN connection to Azure. All your instructions above are fine, just the route redistribution into the L3 core is causing me issues >.>

    I can see the redistr’d route in the L3 core, but the pkts coming from Azure don’t go back out. I can see traffic coming back in from Azure and decrypting, but there’s no encryption to be seen. Any thoughts?

    Post a Reply
    • Hi,

      So the traffic from Azure is decrypting, you can see this on ‘show cry ipse sa’? But no traffic is going back to Azure from your LAN (the Decrypting packets in the same display is not incrementing?)

      Are you reverse route injecting the Azure subnet? You say you can see this route on the core? If so check your ACL and NAT policies on the ASA, make sure the static nat has a route-lookup on the end of it.

      Post a Reply
  2. Hi! All clear as usual )
    And what’s about if my Radius/Syslog/CRL server is on outside interface? For ASA-ASA L2L I need to add additional line to crypto map (azure-vpn-acl) but not with Azure… Any ideas ?

    Post a Reply
    • Are they physically outside the ASA of just presented to the outside world from inside/DMZ?

      Post a Reply
  3. Pete,
    Thank you for the documentation. I’ve been able to get everything setup as expected, but if I set the mask on my ASA (obj-Azure-sn)to 255.255.255.0, The tunnel says I have no matching crypto map entry for remote proxy 172.5.0.0/255.255.0.0).
    If I set the Mask to 255.255.0.0 The tunnel comes up, but is unable to pass traffic between sites. I could not use the 10.0.0.0 network as we have other traffic on it. We use 172.16.x.x for LAN, so I figured I could use 172.5.x.x, but this could have been my fatal error. Sub-netting is not in my wheelhouse.
    Thanks for any and all help in advance.

    Post a Reply
    • Hi,

      Without seeing the config, its hard to comment, if you do a ‘show run crypto’ it show show you the ACL its matching. You may need to take the tunnel offline then make the change, then bring the tunnel back up!

      Pete

      Post a Reply
  4. hi pete, is it work also if version ASA is 8.2?

    Post a Reply
    • Yes providing you use the pre 8.3 version at the bottom of the page.

      Pete

      Post a Reply
  5. What happens if you configure IKEv2 with the Azure gateway?

    Post a Reply
    • Hi Tim,

      I’ve not tried IKEv2, all the examples given by M$ specify IKEv1. If you wanted to try you, would not need to specify it as a policy, the enable it on the outside interface and create a V2 transform set.

      Pete

      Post a Reply
  6. Hi Pete,

    Great guide! Have you ever seen issues initiating the VPN from Azure > ASA? I recently configured an Azure VPN connection where I only have control of the ASA configuration. Simply put the tunnel comes up regardless of initiation but when trying from Azure > ASA traffic will not passing. When pinging in the other direction (ASA > Azure) it comes up immediately and passes traffic in both direction.

    It has me totally puzzled as to why this would be.

    Cheers,

    John

    Post a Reply
    • Hi John,

      One way initiation: I usually see with older versions of the ASA code, or if you managed to enable PFS on one end, then I’ve seen that happen before.

      Pete

      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *