Solved

ISR 2900 Series and ASA 5506-X for Azure

Posted on 2016-11-02
215 Views
Last Modified: 2016-11-23
On the advice of one of our vendors, we replaced our Cisco PIX with an ASA 5506-X running ASA Version 9.4(1).  We made this change with the understanding that we would be able to connect to Azure using a Dynamic Gateway.  Long story short, we now know that the ASA is policy-based and can only connect to Azure using a Static Gateway.  This configuration limits much of the great functionality of Azure that we really need.

In order to connect to Azure using a Dynamic Gateway, we are talking about purchasing a Cisco ISR 2900 Series router, which is one of the Microsoft recommended routers.  They even have configuration examples once this unit is in place.  We would like to continue using the ASA as our Firewall solution and add the ISR into the mix.  Our current configuration is ISP >>> ISP Provided Router >>> ASA 5506-X >>> LAN Switch.

Ideally we would like to add the Cisco ISR 2911 behind the ASA and in front of the LAN Switch as we believe there will be less configuration on our running network.  It is going to be difficult for us to set this up in a test environment first so the fewer changes to the ASA the better.  The proposed configuration would be something similar to the following.

ISP >>> ISP Provided Router >>> ASA 5506-X >>> Cisco ISR 2911 >>> LAN Switch.

Below is the sample code from Microsoft for the Cisco ISR 2911.
! Microsoft Corporation
! Windows Azure Virtual Network

! This configuration template applies to Cisco ISR 2900 Series Integrated Services Routers running IOS 15.1.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

! Things that begin with "azure-" are variable names and can be changed consistently.

! ---------------------------------------------------------------------------------------------------------------------
! ACL rules
! 
! Proper ACL rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
! In this example 10.0.0.0/8 is the on-premises network and 192.168.0.0/16 is the Azure Virtual Network (matching the ACL below).
! In this example the Azure Gateway IP Address is 40.76.X.X and your Outside Interface IP Address is 131.X.X.X

access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 102 permit udp host 40.76.X.X eq isakmp host 131.X.X.X
access-list 102 permit esp host 40.76.X.X host 131.X.X.X

! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
! 
! This section specifies the authentication, encryption, hashing, and Diffie-Hellman group parameters for the Phase
! 1 negotiation and the main mode security association. 
! In this example the Azure Gateway IP Address is 40.76.X.X

crypto ikev2 proposal azure-proposal
  encryption aes-cbc-256 aes-cbc-128 3des
  integrity sha1
  group 2
  exit

crypto ikev2 policy azure-policy
  proposal azure-proposal
  exit

crypto ikev2 keyring azure-keyring
  peer 40.76.X.X
    address 40.76.X.X
    pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    exit
  exit

crypto ikev2 profile azure-profile
  match address local interface <NameOfYourOutsideInterface>
  match identity remote address 40.76.X.X 255.255.255.255
  authentication remote pre-share
  authentication local pre-share
  keyring local azure-keyring
  exit

! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
! 
! This section specifies encryption, authentication, tunnel mode properties for the Phase 2 negotiation

crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
 mode tunnel
 exit

! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto profile that binds the cross-premise network traffic to the IPSec transform set and remote peer.  
! We also bind the IPSec policy to the virtual tunnel interface, through which cross-premise traffic will be transmitted.  
! We have picked an arbitrary tunnel id "1" as an example. If that happens to conflict with an existing virtual tunnel interface,
! you may choose to use a different id.
! The IP address 169.254.0.1 acts as the "inner" address of the tunnel. Essentially it has one job, to deliver traffic from the Azure side
! to the on-prem side. As it does not need to reach the Internet, it being routable is not necessary. The ISR has an internal routing table
! and knows what to do with the traffic. You should be able to use any 169.254.X.X address.

crypto ipsec profile azure-vti
  set transform-set azure-ipsec-proposal-set
  set ikev2-profile azure-profile
  exit

int tunnel 1
  ip address 169.254.0.1 255.255.255.0
  ip tcp adjust-mss 1350
  tunnel source <NameOfYourOutsideInterface>
  tunnel mode ipsec ipv4
  tunnel destination 40.76.X.X
  tunnel protection ipsec profile azure-vti
  exit

ip route 192.168.0.0 255.255.0.0 tunnel 1



We need to know the best way to proceed with this and how it is going to actually work.
Thx in advance, Mike
Question by:Mike Orther
7 Comments
 
LVL 14

Accepted Solution

by:
SIM50 earned 2000 total points (awarded by participants)
ID: 41872143
Currently ASA doesn't support VTI based VPN tunnels. There is a rumor that it might in the next 9.7 release.

You don't need to necessarily put a router behind a firewall. If you have a block of IP's, you can put it in parallel.
                   /          ASA  ----- switch
ISP router               |
                    \         2911

or you can put it behind the ASA.

ISP router ---- ASA  ----- switch
                            |         /
                         2911    /

In both designs, you will minimize the impact on the current traffic.
0
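The parallel design above (2911 hanging off the ISP router, its LAN side cabled into the ASA so the firewall still inspects decrypted cloud traffic) can be shown concretely. The following is an added example, not configuration from this thread, from Microsoft or from Cisco. It assumes the ASA 5506-X has a spare port GigabitEthernet1/3 named "cloud", that the 2911's LAN interface is 10.10.20.2/30 and the ASA side of that link is 10.10.20.1 (both constructed), and that the LAN is 10.0.0.0/8 and the Azure VNet is 192.168.0.0/16 as in the Microsoft template. The 2911 keeps the template's tunnel 1 configuration unchanged.

```cisco
! ---------------- ASA 5506-X (added example; interface name and addresses are assumptions) ----------------
interface GigabitEthernet1/3
 nameif cloud
 security-level 50
 ip address 10.10.20.1 255.255.255.252
 no shutdown
!
object network ON-PREM-LAN
 subnet 10.0.0.0 255.0.0.0
object network AZURE-VNET
 subnet 192.168.0.0 255.255.0.0
!
! Decrypted traffic from the VNet arrives on "cloud" (security 50) and must be explicitly
! permitted into "inside" (security 100). List only the flows you actually need; the
! final deny logs anything else so unexpected cloud-side traffic shows up in syslog.
access-list CLOUD_IN extended permit tcp object AZURE-VNET object ON-PREM-LAN eq 443
access-list CLOUD_IN extended permit icmp object AZURE-VNET object ON-PREM-LAN echo
access-list CLOUD_IN extended deny ip any any log
access-group CLOUD_IN in interface cloud
!
! LAN -> VNet leaves via "cloud", not "outside", so an (inside,outside) dynamic PAT does
! not touch it. Only if you have an (inside,any) NAT rule do you need an identity NAT
! for AZURE-VNET so the VNet sees real 10.x addresses.
!
! Last step: this route is what actually diverts VNet traffic through the 2911. Until it
! is entered, nothing currently flowing through the ASA changes.
route cloud 192.168.0.0 255.255.0.0 10.10.20.2 1

! ---------------- ISR 2911 (added example; addresses are assumptions) ----------------
! LAN-facing interface toward the ASA "cloud" port, plus a route back to the LAN.
! 192.168.0.0/16 already points at tunnel 1 in the Microsoft template.
interface GigabitEthernet0/1
 ip address 10.10.20.2 255.255.255.252
 no shutdown
ip route 10.0.0.0 255.0.0.0 10.10.20.1
```

Because the 2911's outside interface sits directly on the ISP router with a public address from the block, IKE and ESP never traverse the ASA in this design; the only firewall change is the new interface, its ACL and the final route.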
 

Author Comment

by:Mike Orther
ID: 41872701
Hello SIM50, thank you for your reply.  We do have a block of IP's.  If we put in parallel, the 2911 will connect through the ASA to the switch so that the network will still be protected by the firewall, am I reading this right?

You stated that "In both designs, you will minimize the impact on the current traffic."  What do you mean by that?

Also, if the rumors are true about version 9.7, will that change the ASA from a policy-based device to a route-based device that I will be able to use to connect to a dynamic GW on Azure?
0
 
LVL 14

Assisted Solution

by:SIM50
SIM50 earned 2000 total points (awarded by participants)
ID: 41872731
If we put in parallel, the 2911 will connect through the ASA to the switch so that the network will still be protected by the firewall, am I reading this right?

That is correct. I prefer this design because I still get to filter the traffic to and from the cloud. If you would put the router behind the firewall, firewall will only see encrypted traffic.

You stated that "In both designs, you will minimize the impact on the current traffic."  What do you mean by that?

The configuration changes will not affect the traffic currently going through the ASA until you change the route to start using the router.

Also, if the rumors are true about version 9.7, will that change the ASA from a policy-based device to a route-based device that I will be able to use to connect to a dynamic GW on Azure?

It will not change it from policy-based VPN. It will still support it but will also support VTI based VPNs like routers. Yes, you will be able to use it to connect to a dynamic gateway.
0
 

Author Comment

by:Mike Orther
ID: 41872902
One last question.  So when we connect the ISR to the Firewall, do you know what protocol or setting we will need to make in the ASA to allow the GW connection from Azure to our network?  I know you might not be able to answer this question, just thought I would throw it out there.
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41872922
The config you posted uses DVTI so you need to allow UDP/500 and ESP (protocol 50). If you use NAT-T, then UDP/4500. That's if the router will be behind the firewall.
If you are asking what to allow coming through the VPN tunnel from and to the cloud, that's up to you to decide.
0
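For the other design (2911 behind the ASA), the ports listed above translate into a small ASA 9.4 configuration. This is an added example, not from the thread, Microsoft or Cisco. It assumes the 2911's tunnel-source interface sits on the ASA inside network at 10.10.30.2 (constructed), that 203.0.113.10 (constructed RFC 5737 address) is a spare address from your public block, and that the Azure gateway is 40.76.X.X as in the Microsoft template.

```cisco
! ---------------- ASA 5506-X (added example; addresses are assumptions) ----------------
object network AZURE-GW
 host 40.76.X.X
!
! One-to-one static NAT so the 2911 is reachable from Azure on a fixed public address.
! Configure 203.0.113.10 as the on-premises address in the Azure local network gateway.
object network ISR2911-WAN
 host 10.10.30.2
 nat (inside,outside) static 203.0.113.10
!
object-group service AZURE-VPN-PASSTHRU
 service-object udp destination eq isakmp
 service-object udp destination eq 4500
 service-object esp
!
! ASA 8.3+ ACLs match the real (untranslated) address, hence ISR2911-WAN, not 203.0.113.10.
! Only the Azure gateway may initiate toward the router; nothing else from the Internet can.
! If an inbound ACL already exists on "outside", add this line to it instead of replacing it.
access-list OUTSIDE_IN extended permit object-group AZURE-VPN-PASSTHRU object AZURE-GW object ISR2911-WAN
access-group OUTSIDE_IN in interface outside
```

Because the router's address is translated by the ASA, IKEv2 NAT detection will succeed on both peers and the tunnel will carry ESP inside UDP/4500; the bare ESP entry only comes into play if the router is given a routable address that passes through the firewall untranslated. In this design the ASA sees only IKE and encapsulated ESP, so any filtering of the decrypted cloud traffic has to happen on the 2911 itself (for example on tunnel 1) rather than on the firewall.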
 

Author Comment

by:Mike Orther
ID: 41872980
Thanks SIM50 for all of the info.  Looks like I have more research to do, but you have really given me a good head start.
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41898868
Solution was provided.
0
