Solved

ISR 2900 Series and ASA 5506-X for Azure

Posted on 2016-11-02
Last Modified: 2016-11-23
At the advice of one of our vendors, we replaced our Cisco PIX with an ASA 5506-X running ASA Version 9.4(1).  We made this change with the understanding that we would be able to connect to Azure using a Dynamic Gateway.  Long story short, we now know that the ASA is policy-based and can only connect to Azure using a Static Gateway.  This configuration limits much of the great functionality of Azure that we really need.

In order to connect to Azure using a Dynamic Gateway, we are talking about purchasing a Cisco ISR 2900 Series router, which is one of the Microsoft-recommended routers.  They even have configuration examples once this unit is in place.  We would like to continue using the ASA as our firewall solution and add the ISR into the mix.  Our current configuration is ISP >>> ISP Provided Router >>> ASA 5506-X >>> LAN Switch.

Ideally we would like to add the Cisco ISR 2911 behind the ASA and in front of the LAN Switch as we believe there will be less configuration on our running network.  It is going to be difficult for us to set this up in a test environment first so the fewer changes to the ASA the better.  The proposed configuration would be something similar to the following.

ISP >>> ISP Provided Router >>> ASA 5506-X >>> Cisco ISR 2911 >>> LAN Switch.

Below is the sample code from Microsoft for the Cisco ISR 2911.
! Microsoft Corporation
! Windows Azure Virtual Network

! This configuration template applies to Cisco ISR 2900 Series Integrated Services Routers running IOS 15.1.
! It configures an IKEv2/IPsec VPN tunnel connecting your on-premises VPN device with the Azure gateway.
! The tunnel is route-based (a static virtual tunnel interface), which is what an Azure dynamic gateway requires.

! Things that begin with "azure-" are variable names and can be changed consistently.

! ---------------------------------------------------------------------------------------------------------------------
! ACL rules
! 
! Proper ACL rules are needed for permitting cross-premises network traffic.
! You should also allow inbound UDP/ESP traffic on the interface which will be used for the IPsec tunnel.
! In this example 10.0.0.0/8 is the on-premises network and 192.168.0.0/16 is the Azure Virtual Network
! (the same 192.168.0.0/16 that the ACL and the static route below use).
! In this example the Azure Gateway IP Address is 40.76.X.X and your Outside Interface IP Address is 131.X.X.X
!
! Because the tunnel is route-based, ACL 101 is not used to select "interesting" traffic; it is only an example of a
! filter you can apply on the tunnel or LAN interface. ACL 102 is meant for the outside interface; if that interface
! carries an inbound ACL, add these lines to it (or apply it with "ip access-group 102 in").
! If the router sits behind a NAT device (for example a firewall doing static NAT), IKEv2 detects the NAT and moves
! to UDP/4500 (NAT-T), so that port (IOS keyword non500-isakmp) must be permitted as well.

access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 102 permit udp host 40.76.X.X eq isakmp host 131.X.X.X
access-list 102 permit udp host 40.76.X.X eq non500-isakmp host 131.X.X.X
access-list 102 permit esp host 40.76.X.X host 131.X.X.X

! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
! 
! This section specifies the authentication, encryption, hashing, and Diffie-Hellman group parameters for the
! IKEv2 security association (the Phase 1 equivalent; "main mode" is IKEv1 terminology and does not apply here).
! In this example the Azure Gateway IP Address is 40.76.X.X
! 3des is a legacy cipher kept in the proposal only for compatibility with the Azure gateway.

crypto ikev2 proposal azure-proposal
  encryption aes-cbc-256 aes-cbc-128 3des
  integrity sha1
  group 2
  exit

! A policy with no "match" statement applies to all peers.
crypto ikev2 policy azure-policy
  proposal azure-proposal
  exit

! The pre-shared key must be identical to the shared key set on the Azure connection; do not reuse it for other peers.
crypto ikev2 keyring azure-keyring
  peer 40.76.X.X
    address 40.76.X.X
    pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    exit
  exit

crypto ikev2 profile azure-profile
  match address local interface <NameOfYourOutsideInterface>
  match identity remote address 40.76.X.X 255.255.255.255
  ! If the router is behind NAT, also set "identity local address <your public IP>" so that the identity the Azure
  ! gateway sees is the public address it has configured for you, not the private interface address.
  authentication remote pre-share
  authentication local pre-share
  keyring local azure-keyring
  exit

! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
! 
! This section specifies encryption, authentication and tunnel mode properties for the Phase 2 (CHILD_SA) negotiation.

crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
 mode tunnel
 exit

! ---------------------------------------------------------------------------------------------------------------------
! IPsec profile and virtual tunnel interface (no crypto map is used with a VTI)
!
! This section defines an IPsec profile that binds the transform set and the IKEv2 profile to the tunnel.
! We also bind the IPsec profile to the virtual tunnel interface, through which cross-premises traffic will be transmitted.  
! We have picked an arbitrary tunnel id "1" as an example. If that happens to conflict with an existing virtual tunnel interface,
! you may choose to use a different id.
! The IP address 169.254.0.1 acts as the "inner" address of the tunnel. Its only job is to carry traffic between the
! Azure side and the on-premises side. It does not need to be reachable from the Internet, so it does not need to be
! routable; 169.254.0.0/16 is link-local address space, and any 169.254.X.X address will do. The ISR's routing table
! decides what goes into the tunnel (see the static route at the end).

crypto ipsec profile azure-vti
  set transform-set azure-ipsec-proposal-set
  set ikev2-profile azure-profile
  exit

int tunnel 1
  ip address 169.254.0.1 255.255.255.0
  ! Clamp TCP MSS so that packets plus the ESP/tunnel overhead still fit the path MTU.
  ip tcp adjust-mss 1350
  tunnel source <NameOfYourOutsideInterface>
  tunnel mode ipsec ipv4
  tunnel destination 40.76.X.X
  tunnel protection ipsec profile azure-vti
  exit

! Route-based VPN: this static route, not an ACL, decides which traffic enters the tunnel.
ip route 192.168.0.0 255.255.0.0 tunnel 1



We need to know the best way to proceed with this and how it is going to actually work.
Thx in advance, Mike
Question by:morther
7 Comments

Accepted Solution

by: SIM50 (earned 500 total points, awarded by participants)
ID: 41872143
Currently the ASA doesn't support VTI-based VPN tunnels. There is a rumor that it might in the next 9.7 release.

You don't necessarily need to put a router behind a firewall. If you have a block of IPs, you can put it in parallel.

                    /----- ASA ----- switch
ISP router --------
                    \----- 2911

or you can put it behind the ASA.

ISP router ---- ASA ----- switch
                            |
                           2911

In both designs, you will minimize the impact on the current traffic.

Author Comment

by:morther
ID: 41872701
Hello SIM50, thank you for your reply.  We do have a block of IPs.  If we put it in parallel, the 2911 will connect through the ASA to the switch so that the network will still be protected by the firewall, am I reading this right?

You stated that "In both designs, you will minimize the impact on the current traffic."  What do you mean by that?

Also, if the rumors are true about version 9.7, will that change the ASA from a Policy based device to a Route based device that I will be able to use to connect to a dynamic GW on Azure?

Assisted Solution

by: SIM50 (earned 500 total points, awarded by participants)
ID: 41872731
If we put in parallel, the 2911 will connect through the ASA to the switch so that the network will still be protected by the firewall, am I reading this right?

That is correct. I prefer this design because I still get to filter the traffic to and from the cloud. If you put the router behind the firewall, the firewall will only see encrypted traffic.

You stated that "In both designs, you will minimize the impact on the current traffic."  What do you mean by that?

The configuration changes will not affect the traffic currently going through the ASA until you change the route to start using the router.

Also, if the rumors are true about version 9.7, will that change the ASA from a Policy based device to a Route based device that I will be able to use to connect to a dynamic GW on Azure?

It will not change it from policy-based VPN. It will still support that but will also support VTI-based VPNs like routers do. Yes, you will be able to use it to connect to a dynamic gateway.
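The parallel design SIM50 prefers, worked out as ASA 9.4 configuration. This is an added example, not SIM50's or Microsoft's configuration, and it assumes addressing the thread does not give: the 2911 takes one public address from the block directly on the ISP router segment, its inside interface plugs into a third ASA interface (GigabitEthernet1/3, named "azure", 10.255.254.1/30 on the ASA side and 10.255.254.2 on the 2911), the LAN is 10.0.0.0/8 behind "inside", and the VNet is 192.168.0.0/16 as in the Microsoft template. The ASA routes the VNet toward the 2911 and filters the decrypted traffic in both directions, which is the whole point of the design.

```cisco
! Added example (not from the thread): ASA 5506-X, 9.4(1), 2911 in parallel on a dedicated interface.
! Assumed addresses: ASA "azure" 10.255.254.1/30, 2911 inside 10.255.254.2, LAN 10.0.0.0/8, VNet 192.168.0.0/16.

interface GigabitEthernet1/3
 nameif azure
 security-level 50
 ip address 10.255.254.1 255.255.255.252
 no shutdown

! Send the VNet to the 2911; the 2911 in turn routes it into its Tunnel1 (Microsoft template above).
route azure 192.168.0.0 255.255.0.0 10.255.254.2 1

object network LAN-NET
 subnet 10.0.0.0 255.0.0.0
object network AZURE-VNET
 subnet 192.168.0.0 255.255.0.0

! Identity (no-op) NAT for LAN <-> VNet, so an existing PAT written as (inside,any) or (any,any)
! can never rewrite cross-premises traffic.
nat (inside,azure) source static LAN-NET LAN-NET destination static AZURE-VNET AZURE-VNET no-proxy-arp route-lookup

! Cloud -> LAN: security-level 50 -> 100 is denied until an ACL permits it. Only the services the VNet
! really needs (example: HTTPS and RDP to the LAN, plus ping); everything else is dropped and logged.
access-list AZURE-IN extended permit tcp object AZURE-VNET object LAN-NET eq 443
access-list AZURE-IN extended permit tcp object AZURE-VNET object LAN-NET eq 3389
access-list AZURE-IN extended permit icmp object AZURE-VNET object LAN-NET echo
access-list AZURE-IN extended deny ip any any log
access-group AZURE-IN in interface azure

! LAN -> cloud: inside (100) to azure (50) is permitted by default. If the inside interface already carries
! an inbound ACL, add a "permit ip object LAN-NET object AZURE-VNET" line to that ACL.
```

Until the static route is entered, nothing changes for existing traffic, which is what SIM50 means by minimal impact; the cut-over is the one `route azure` line, and removing it rolls back. The 2911 itself needs a default route toward the ISP router for the IPsec traffic and a route for 10.0.0.0/8 toward 10.255.254.1 (assumed addresses) so that decrypted VNet traffic comes back through the ASA.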
Author Comment

by:morther
ID: 41872902
One last question.  So when we connect the ISR to the Firewall, do you know what protocol or setting we will need to make in the ASA to allow the GW connection from Azure to our network?  I know you might not be able to answer this question, just thought I would throw it out there.

Expert Comment

by:SIM50
ID: 41872922
The config you posted uses DVTI so you need to allow UDP/500 and ESP (protocol 50). If you use NAT-T, then UDP/4500. That's if the router will be behind the firewall.
If you are asking what to allow coming through the VPN tunnel from and to the cloud, that's up to you to decide.
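The ASA side of the other layout (2911 behind the ASA, which is what the original question proposed), as an added example that is not SIM50's or Microsoft's configuration. It assumes: the Azure gateway is 192.0.2.1 (standing in for the thread's 40.76.X.X), one spare address from the customer's block, 203.0.113.10, is dedicated to the 2911, the ASA inside interface and the 2911 outside interface share the transit 10.255.255.0/30 (ASA .1, 2911 .2), and the LAN 10.0.0.0/8 sits behind the 2911. It opens exactly what SIM50 lists, UDP/500, UDP/4500 for NAT-T and ESP, from the Azure gateway only.

```cisco
! Added example (not from the thread): ASA 5506-X, 9.4(1), passing the 2911's IKEv2/IPsec to Azure.
! Assumed addresses: Azure gateway 192.0.2.1, public address for the 2911 203.0.113.10,
! ASA inside 10.255.255.1/30, 2911 outside 10.255.255.2, LAN 10.0.0.0/8 behind the 2911.

object network AZURE-GW
 host 192.0.2.1

object network ISR-OUTSIDE
 host 10.255.255.2
 ! One-to-one static NAT: the 2911 appears to Azure as 203.0.113.10 for every protocol,
 ! so ESP (which has no ports) is translated as well as UDP/500 and UDP/4500.
 nat (inside,outside) static 203.0.113.10

! On ASA 8.3+ the ACL is written against the real (untranslated) address.
! Only IKE, NAT-T and ESP, and only from the Azure gateway; everything else inbound is dropped and logged.
access-list OUTSIDE-IN extended permit udp object AZURE-GW object ISR-OUTSIDE eq isakmp
access-list OUTSIDE-IN extended permit udp object AZURE-GW object ISR-OUTSIDE eq 4500
access-list OUTSIDE-IN extended permit esp object AZURE-GW object ISR-OUTSIDE
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! The LAN now lives behind the 2911, so return traffic for 10.0.0.0/8 must be handed to it.
route inside 10.0.0.0 255.0.0.0 10.255.255.2 1
```

If the outside interface already carries an inbound ACL, add the three permit lines to it rather than replacing it. Because the 2911 is NATed, IKEv2 detects the NAT and carries ESP inside UDP/4500, so in practice the ESP line is rarely hit; it is there so the tunnel also works if the gateway ever negotiates without NAT-T. On the 2911, the assumption in this example is that the IKEv2 profile also gets `identity local address 203.0.113.10`, so that the identity Azure checks matches the public address configured on its side rather than the private 10.255.255.2. With this layout the ASA sees only the encrypted tunnel, as SIM50 notes; any filtering of VNet-to-LAN traffic has to be done on the 2911.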
Author Comment

by:morther
ID: 41872980
Thanks SIM50 for all of the info.  Looks like I have more research to do, but you have really given me a good head start.

Expert Comment

by:SIM50
ID: 41898868
Solution was provided.