Site to site VPN between Azure and Cisco ASA

Azure, wow isn’t it amazing? IAAS has arrived, and you can do some pretty cool stuff with azure, without worrying about licensing or hardware, beyond the size and spec of your virtual machines in their Data Centres. But that’s just the bloody problem isn’t it? it’s in their network, not yours! So, you need to set up a site to site link between Azure and your local supported device.

Click here to view a list of supported devices and their configuration instructions. This will tell you what type of VPN your equipment will support, and what you should deploy in Azure portal.

My local supported device is a Cisco ASA, which you will notice is only supported for Policy Based, not route Based VPN, so you need to start out right or you’re going to waste a lot of time deploying VPN gateways in Azure, which takes about 45 minutes. The instructions on GitHub are easy to follow and available here [.docx].

If you follow these instructions, you will get going fairly quickly, but if you have multiple subnets you want to allow to communicate with Azure you will have to make some modifications. For example, my protected wireless network should have access to Azure, because I’m going to put a domain controller on a virtual machine there, to handle DHCP (not supported!), DNS, and 802.1x authentication in a Disaster Recovery scenario.

You will need to modify your NAT like this:

first create names for the networks you want to access your azure networks:

config t
object network mgmtnet
 subnet 10.87.0.0 255.255.255.0
object network wirelessnet
 subnet 10.87.20.0 255.255.255.0

Then create corresponding NAT rules;

nat (inside,outside) source static mgmtnet mgmtnet destination static AzureNetworks AzureNetworks
nat (Wireless,outside) source static wirelessnet wirelessnet destination static AzureNetworks AzureNetworks

Hope this saves you a little bit of time getting multiple subnets to work on your ASA to Azure VPN, if you’re in a rush and follow the instructions a little blindly, but who does that? Not you!

Leave a Reply

Your email address will not be published. Required fields are marked *