Overview:

In this post we are going to link an Azure Virtual Network to an on-premises network via a Cisco ASA. We will be creating a route-based connection using IKEv2 and a VTI (Virtual Tunnel Interface).

We are also going to focus on how to achieve this using ASDM.

Prerequisites

  • I am going to assume you are already using Azure and you already have a Virtual Network in place.
  • Your ASA needs to be running at least 9.7 (the release that introduced VTI), but IKEv2 on a VTI needs 9.8 or higher, so 9.8 is what you really want. I will be using 9.8.
  • You will need ASDM. I will be using 7.9.

The Azure Side

Virtual network gateway

If your Virtual Network already has a “Virtual network gateway”, check that its settings match the ones below and then skip this section.

  • Under “Create a resource” in the top left search for and select “Virtual network gateways”
  • Click Create
  • Complete the form;
    • Name: Whatever matches your naming convention.
    • Gateway Type: VPN
    • VPN Type: Route based
    • SKU: VpnGw1 or higher (avoid Basic; it lacks BGP and custom IPsec/IKE policy support)
    • Virtual Network: Whichever Azure network we are joining over the VPN.
    • Public IP: Create new unless you already have a suitable one, and give it a name.
    • Subscription: Your subscription
    • Location: Typically your virtual networks location.
    • Click Create

Local Network Gateway

Next we need a Local Network Gateway to define our ASA's public IP address and the list of on-premises network(s) we want reachable over the VPN.

  • Under “Create a resource” in the top left search for and select “Local network gateway”
  • Click the Add button
  • Complete the form:
    • Name: Whatever matches your naming convention.
    • IP Address: This is the outside public IP address of your ASA
    • Address space: This is where you add your on-premises subnets/VLANs in CIDR notation, for example 10.0.100.0/24. Azure only routes traffic for these prefixes over the tunnel, so anything you leave out here will not be reachable from the VNet.
    • Subscription: Your subscription
    • Resource Group: Your desired resource group
    • Location: Typically your virtual networks location.
    • Click Create

A Connection

  • Navigate back into your previously created Virtual network gateway and click Connections
  • Click Add
  • Complete the form:
    • Name: Whatever matches your naming convention.
    • Connection Type: Site-to-Site (IPSec)
    • Virtual network gateway: Should be pre-filled with your Virtual network gateway
    • Local network gateway: Select the previously created local network gateway
    • Shared key (PSK): Pick a long random string (for example 32 or more random alphanumeric characters) and make a note of it; it has to be entered identically on the ASA later.
    • Click OK

The ASA Side

Connect to your ASA using ASDM.

IKE v2 IPSEC Proposal

  • Navigate to Configuration -> Site-to-Site VPN -> Advanced -> IPsec Proposals (Transform Sets)
  • Add a new proposal in the IKEv2 section
    • Name: AZURE-PROPOSAL (Or whatever matches your naming convention)
    • Encryption: aes-256
    • Integrity Hash: sha-256
    • Click OK
  • Click Apply

Or the CLI would be:

IPSec Profile

  • Still under Configuration -> Site-to-Site VPN -> Advanced -> IPsec Proposals (Transform Sets)
  • Add a new IPSec Profile
    • Name: AZURE-PROFILE (Or whatever matches your naming convention)
    • IKEv2 IPsec Proposal: AZURE-PROPOSAL (what we just created)
    • Click OK
  • Click Apply

Or the CLI would be:

VTI Interface

  • Navigate to Configuration -> Device Setup -> Interface Settings -> Interfaces
  • Click Add on the right and select “VTI Interface” from the drop down
  • On the General tab:
    • VTI ID: Any number from 1 to 100 that isn't already in use
    • Interface Name: AZURE-VTI01 (Or whatever matches your naming convention)
    • Enable Interface: Checked
    • IP Address: 169.254.225.1 (Or whatever you like)
      • This is the IP of the VTI interface itself, so it can't be used anywhere else in your ASA's configuration.
      • I have gone with an APIPA (169.254.0.0/16) address as I don't use them anywhere else.
      • It only needs to be a private address that nothing else uses; it is never seen outside the tunnel.
      • Later, when we get to routing, .2 will be our next hop to Azure.
    • Subnet Mask: 255.255.255.252 (we only need two addresses)

  • On the Advanced tab
    • Destination IP: The public IP address of your Azure Virtual Network Gateway, which can be found on the overview pane for the gateway.
    • Source Interface: outside (typically)
    • Tunnel protection with IPsec profile: AZURE-PROFILE (what we previously created)
    • Enable Tunnel Mode IPv4 IPsec: Checked
    • Click OK
  • Click Apply

Or the CLI would be:

Group Policy

  • Navigate to Configuration -> Site-to-Site VPN -> Group Policies
  • Click Add
    • Name: AZURE-GROUP-POLICY
    • Tunneling Protocols: Un-check inherit and check IPSec IKEv2
    • Click OK
  • Click Apply

Or the CLI would be:

Tunnel Group

  • Navigate to Configuration -> Site-to-Site VPN -> Advanced -> Tunnel Groups
  • Click Add
    • Name: The public IP address of your Azure Virtual Network Gateway, the same one we used as the Destination IP on the Advanced tab when setting up the VTI interface. For a site-to-site tunnel group the name is what the ASA matches the peer against, so it has to be the peer's address.
    • Group Policy Name: AZURE-GROUP-POLICY (what we just created)
    • Local and Remote Pre-Shared Keys: The PSK we set when creating the connection on the Azure Virtual Network Gateway.
    • IKE Peer ID Validation: Do Not Check (this setting governs validating the peer's identity against its certificate, so it does not weaken a PSK-authenticated tunnel)
    • Click OK
  • Click Apply

Or the CLI would be:

The Route(s)

The last step is to define what destination(s) we will be routing over the VPN. In this example we will use a static route, but if you have a more complex setup BGP over the VTI is an option.

  • Navigate to Configuration -> Device Setup -> Routing -> Static Routes
  • Click Add
    • Interface: AZURE-VTI01 (as we created in the VTI Interface section)
    • Network: The address space of the Azure Virtual Network that the virtual network gateway is in, or just one subnet of that network if you don't want the whole thing routed over the tunnel.
    • Gateway IP: 169.254.225.2 (our next hop is one up from the IP we set on the VTI interface)
    • Click OK
  • Add additional routes to any other subnets
  • Click Apply
  • Click Save
  • Give it a test by trying to RDP onto one of your Azure servers from a client on a network listed in your Local Network Gateway's address space. The connection's status in the Azure portal should also change to Connected once the tunnel is up.

Or the CLI would be:

Other Microsoft-Recommended ASA Tweaks

Microsoft recommends setting the TCP MSS to 1350 bytes for traffic through the Azure tunnel (the ASA setting below applies it box-wide) and enabling preservation of stateful VPN flows so existing connections survive tunnel rekeys and drops.

MSS

  • Navigate to Configuration -> Firewall -> Advanced -> TCP Options
  • Under “Other options” tick “Force maximum segment size for TCP connection to be” and set it to 1350
  • Click Apply

Or the CLI would be:

Preserving VPN Flows

  • Navigate to Configuration -> Site-to-Site VPN -> Advanced -> System Options
  • Check “Preserve stateful VPN flows when the tunnel drops”
  • Click Apply
  • Click Save

Or the CLI would be:
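Pulling the whole ASA side together (the proposal, profile, VTI, group policy, tunnel group, route and the two tweaks above) as a single CLI listing. This is an added example, not the page's own CLI output. The object names match the ASDM steps above; 203.0.113.10 (the Azure gateway public IP), 10.1.0.0/16 (the Azure VNet address space), Tunnel1 (VTI ID 1) and REPLACE_WITH_PSK are placeholders to substitute with your own values. It also includes an IKEv2 policy and `crypto ikev2 enable outside`, which are not among the ASDM steps above but without which the ASA will not negotiate IKEv2 on the outside interface at all (if you already have another IKEv2 tunnel these may exist; check with `show run crypto ikev2`). The phase 1 values are ones Azure accepts by default for a route-based gateway.

```cisco
! Added example, not the page's own listing. Placeholders: 203.0.113.10,
! 10.1.0.0/16, Tunnel1 and REPLACE_WITH_PSK.

! --- IKEv2 phase 1 (not in the ASDM steps above, but required) ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14 2
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable outside

! --- IKEv2 IPsec proposal (phase 2), as in "IKE v2 IPSEC Proposal" ---
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! --- IPsec profile binding the proposal, as in "IPSec Profile" ---
crypto ipsec profile AZURE-PROFILE
 set ikev2 ipsec-proposal AZURE-PROFILE-PLACEHOLDER-REMOVED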