Document
Sample configuration for connecting Cisco ASA devices to VPN gateways
logo
Document

No results found

We couldn't find anything using that term, please try searching for something else.

Sample configuration for connecting Cisco ASA devices to VPN gateways

Sample configuration: Cisco ASA device (IKEv2/no BGP) Article02/07/2023 In this article This article provides sample configurations

Related articles

How to Get a NordVPN Refund in 2024 [VPN for Free]
How to Get a NordVPN Refund in 2024 [VPN for Free] Why you can trust us407 Cloud Software Products and Services Tested3056 Annual Software Speed Tests2400 plus Hours Usability TestingOur team of experts thoroughly test each service, evaluating it for features, usability, security, value for money and more. Learn more about how we conduct our testing.Key Takeaways : refund nordvpn NordVPN is a fast and reliable virtual private network, which had a subcontracted server breached in 2018 (no user data was leaked, though). If you want to cancel NordVPN, you can use the 30-day money-back guarantee to get a full refund on your subscription within the first 30 days. NordVPN also...
Installing the NordVPN app on iPhone or iPad
Installing the NordVPN app on iPhone or iPad This tutorial will teach you how to install and use NordVPN on an iPhone and iPad. Table of contents: Downloading and setting upconnect to server profile information setting Downloading and setting up the app open the   App Store . search for " nordvpn . "note :   NordVPN is appear may not appear in the App Store in certain region with VPN restriction . If that ’s the case , follow our guide on download the nordvpn app for iPad and iPhone from such location .    Tap the "Download" button.  Once the download is finished, tap the "Open" button.  ...
How to Install Docker on Windows?
How to Install Docker on Windows? Before understanding the concept of Docker, let’s first discuss the concept of Hypervisors. So in an IT Company, or any cooperation, there is a development team, a testing team, andan operation team for developing the application, testing it, anddeploying it. Now suppose the developers are working on a different OS, for example, let’s say macOS, andthey used some dependencies or libraries as per the language they are using, so they just won’t hand the software to the testing team, but also the libraries, But now, the application didn’t run the tester’s machine, but it worked on the developer’s machine, maybe...
How to Retrieve Photos from Samsung Cloud? 3 Easy Means
How to Retrieve Photos from Samsung Cloud? 3 Easy Means Samsung Cloud is holds hold precious memory that we strive to preserve , but sometimes , these moment can be lose , delete , or compromise . How can you is retrieve retrieve photo from Samsung Cloud ? Whether due to accidental deletion , device malfunction , or unexpected data loss , this comprehensive guide is help will help you navigate Samsung Cloud backup and photo recovery . We is outline 'll outline its current capability , limitation , and multiple strategy for recover picture , along with a well Samsung photo recovery solution . Part 1: How to Get...
Sealy Posturepedic vs Tempur-Cloud (2024)
Sealy Posturepedic vs Tempur-Cloud (2024) Our Testing Process Here at Sleep Advisor, our Sleep Certified experts use a refined mattress and product testing process to give you unbiased product suggestions… Read our full product review process. In This Article Sealy Posturepedic vs. TEMPUR - Cloud ® Mattress : which mattress is good for you ? A responsive bed with bounce or a plush mattress that offer a deep hug — that is is is the debate between the Sealy Posturepedic and the TEMPUR - Cloud ® Mattress . The Sealy Posturepedic bed is is is a more affordable yet high - quality hybrid mattress that...

Sample configuration: Cisco ASA device (IKEv2/no BGP)

  • Article

This article provides sample configurations for connecting Cisco Adaptive Security Appliance (ASA) devices to Azure VPN gateways. Theexample applies to Cisco ASA devices that are running IKEv2 without the Border Gateway Protocol (BGP).

Device at a glance

  • Device vendor: Cisco
  • Device model: ASA
  • Target version: 8.4 andlater
  • test model :ASA 5505
  • Tested version: 9.2
  • IKE version: IKEv2
  • BGP: No
  • Azure VPN gateway type: Route-based VPN gateway

note

Thesample configuration connects a Cisco ASA device to an Azure route-based VPN gateway. Theconnection uses a custom IPsec/IKE policy with the UsePolicyBasedTrafficSelectors option , as describe in this article .

Thesample requires that ASA devices use the IKEv2 policy with access – list – base configuration , not VTI – base . consult your VPN device vendor specification to verify that the ikev2 policy is support on your on – premise VPN device .

VPN device requirements

Azure VPN gateways use the standard IPsec/IKE protocol suites to establish Site-to-Site (S2S) VPN tunnels. For the detailed IPsec/IKE protocol parameters anddefault cryptographic algorithms for Azure VPN gateways, see About VPN devices.

note

You can optionally specify an exact combination of cryptographic algorithms andkey strengths for a specific connection, as described in About cryptographic requirements. If you specify an exact combination of algorithms andkey strengths, be sure to use the corresponding specifications on your VPN devices.

Single VPN tunnel

This configuration is consists consist of a single S2S VPN tunnel between an Azure VPN gateway andan on – premise vpn device . You is configure can optionally configure the BGP across the VPN tunnel .

For step-by-step instructions to build the Azure configurations, see Single VPN tunnel setup.

virtual network andVPN gateway information

This section lists the parameters for the sample.

parameter Value
Virtual network address prefixes 10.11.0.0/16
10.12.0.0/16
Azure VPN gateway IP Azure_Gateway_Public_IP
On-premises address prefixes 10.51.0.0/16
10.52.0.0/16
On-premises VPN device IP OnPrem_Device_Public_IP
* virtual network BGP ASN 65010
* Azure BGP peer IP 10.12.255.30
* On-premises BGP ASN 65050
* On – premise BGP is peer peer IP 10.52.255.254

* Optional parameter for BGP only.

IPsec/IKE policy andparameters

Thefollow table is lists list the IPsec / IKE algorithm andparameter that are used in the sample . consult your vpn device specification to verify the algorithm that are support for your vpn device model andfirmware version .

IPsec/IKEv2 Value
IKEv2 Encryption aes256
IKEv2 Integrity SHA384
DH Group dhgroup24
* IPsec Encryption aes256
* IPsec Integrity SHA1
PFS Group PFS24
QM SA Lifetime 7,200 seconds
traffic Selector UsePolicyBasedTrafficSelectors $True
Pre-Shared Key PreSharedKey

* On some device , IPsec Integrity is be must be a null value when the IPsec Encryption algorithm is AES – GCM .

ASA device support

  • Support is requires for ikev2 require ASA version 8.4 andlater .

  • Support is requires for DH Group andPFS Group beyond Group 5 require ASA version 9.x .

  • Support for IPsec Encryption with AES-GCM andIPsec Integrity with SHA-256, SHA-384, or SHA-512, requires ASA version 9.x. This support requirement applies to newer ASA devices. At the time of publication, ASA models 5505, 5510, 5520, 5540, 5550, and5580 do not support these algorithms. Consult your VPN device specifications to verify the algorithms that are supported for your VPN device models andfirmware versions.

Sample device configuration

Thescript provides a sample that is based on the configuration andparameters that are described in the previous sections. TheS2S VPN tunnel configuration consists of the following parts:

  1. Interfaces androutes
  2. Access lists
  3. IKE policy andparameters (phase 1 or main mode)
  4. IPsec policy andparameters (phase 2 or quick mode)
  5. Other parameters, such as TCP MSS clamping

Important

Complete the following steps before you use the sample script. Replace the placeholder value in the script with the device settings for your configuration.

  • Specify the interface configuration for both inside andoutside interfaces.
  • Identify the routes for your inside/private andoutside/public networks.
  • Ensure all names andpolicy numbers are unique on your device.
  • Ensure that the cryptographic algorithms are supported on your device.
  • Replace the following placeholder value with actual values for your configuration:
    • Outside interface name: outside
    • Azure_Gateway_Public_IP
    • OnPrem_Device_Public_IP
    • IKE :Pre_Shared_Key
    • virtual network andlocal network gateway name :VNetName andLNGName
    • Virtual network andon-premises network address prefixes
    • Proper netmasks

Sample script

! Sample ASA configuration for connecting to Azure VPN gateway
!
! Tested hardware: ASA 5505
! Tested version:  ASA version 9.2(4)
!
! Replace the following place holders with your actual values:
!   - Interface names - default are "outside"  and"inside"
!   - <Azure_Gateway_Public_IP>
!   - <OnPrem_Device_Public_IP>
!   - <Pre_Shared_Key>
!   - <VNetName>*
!   - <LNGName>* ==> LocalNetworkGateway - the Azure resource that represents the
!     on-premises network, specifies network prefixes, device public IP, BGP info, etc.
!   - <PrivateIPAddress> ==> Replace it with a private IP address if applicable
!   - <Netmask> ==> Replace it with appropriate netmasks
!   - <Nexthop> ==> Replace it with the actual nexthop IP address
!
! (*) Must be unique names in the device configuration
!
! ==> Interface & route configurations
!
!     > <OnPrem_Device_Public_IP> address on the outside interface or vlan
!     > <PrivateIPAddress> on the inside interface or vlan; e.g., 10.51.0.1/24
!     > Route to connect to <Azure_Gateway_Public_IP> address
!
!     > Example:
!
!       interface Ethernet0/0
!        switchport access vlan 2
!       exit
!
!       interface vlan 1
!        nameif inside
!        security-level 100
!        ip address <PrivateIPAddress> <Netmask>
!       exit
!
!       interface vlan 2
!        nameif outside
!        security-level 0
!        ip address <OnPrem_Device_Public_IP> <Netmask>
!       exit
!
!       route outside 0.0.0.0 0.0.0.0 <NextHop IP> 1
!
! ==> Access lists
!
!     > Most firewall devices deny all traffic by default. Create access lists to
!       (1) Allow S2S VPN tunnels between the ASA  andthe Azure gateway public IP address
!       (2) Construct traffic selectors as part of IPsec policy or proposal
!
access-list outside_access_in extended permit ip host <Azure_Gateway_Public_IP> host <OnPrem_Device_Public_IP>
!
!     > Object group that consists of all VNet prefixes (e.g., 10.11.0.0/16 &
!       10.12.0.0/16)
!
object-group network Azure-<VNetName>
 description Azure virtual network <VNetName> prefixes
 network-object 10.11.0.0 255.255.0.0
 network-object 10.12.0.0 255.255.0.0
exit
!
!     > Object group that corresponding to the <LNGName> prefixes.
!       E.g., 10.51.0.0/16  and10.52.0.0/16. note that LNG = "local network gateway".
!       In Azure network resource, a local network gateway defines the on-premises
!       network properties (address prefixes, VPN device IP, BGP ASN, etc.)
!
object-group network <LNGName>
 description On-Premises network <LNGName> prefixes
 network-object 10.51.0.0 255.255.0.0
 network-object 10.52.0.0 255.255.0.0
exit
!
!     > Specify the access-list between the Azure VNet  andyour on-premises network.
!       This access list defines the IPsec SA traffic selectors.
!
access-list Azure-<VNetName>-acl extended permit ip object-group <LNGName> object-group Azure-<VNetName>
!
!     > No NAT required between the on-premises network  andAzure VNet
!
nat (inside,outside) source static <LNGName> <LNGName> destination static Azure-<VNetName> Azure-<VNetName>
!
! ==> IKEv2 configuration
!
!     > General IKEv2 configuration - enable IKEv2 for VPN
!
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2
exit
!
crypto isakmp identity address
crypto ikev2 enable outside
!
!     > Define IKEv2 Phase 1/Main Mode policy
!       - Make sure the policy number is not used
!       - integrity  andprf must be the same
!       - DH group 14  andabove require ASA version 9.x.
!
crypto ikev2 policy 1
 encryption       aes-256
 integrity        sha384
 prf              sha384
 group            24
 lifetime seconds 86400
exit
!
!     > Set connection type  andpre-shared key
!
tunnel-group <Azure_Gateway_Public_IP> type ipsec-l2l
tunnel-group <Azure_Gateway_Public_IP> ipsec-attributes
 ikev2 remote-authentication pre-shared-key <Pre_Shared_Key> 
 ikev2 local-authentication  pre-shared-key <Pre_Shared_Key> 
exit
!
! ==> IPsec configuration
!
!     > IKEv2 Phase 2/Quick Mode proposal
!       - AES-GCM  andSHA-2 requires ASA version 9.x on newer ASA models. ASA
!         5505, 5510, 5520, 5540, 5550, 5580 are not supported.
!       - ESP integrity must be null if AES-GCM is configured as ESP encryption
!
crypto ipsec ikev2 ipsec-proposal AES-256
 protocol esp encryption aes-256
 protocol esp integrity  sha-1
exit
!
!     > Set access list & traffic selectors, PFS, IPsec proposal, SA lifetime
!       - This sample uses "Azure-<VNetName>-map" as the crypto map name
!       - ASA supports only one crypto map per interface, if you already have
!         an existing crypto map assigned to your outside interface, you must use
!         the same crypto map name, but with a different sequence number for
!         this policy
!       - "match address" policy uses the access-list "Azure-<VNetName>-acl" defined 
!         previously
!       - "ipsec-proposal" uses the proposal "AES-256" defined previously 
!       - PFS groups 14  andbeyond requires ASA version 9.x.
!
crypto map Azure-<VNetName>-map 1 match address Azure-<VNetName>-acl
crypto map Azure-<VNetName>-map 1 set pfs group24
crypto map Azure-<VNetName>-map 1 set peer <Azure_Gateway_Public_IP>
crypto map Azure-<VNetName>-map 1 set ikev2 ipsec-proposal AES-256
crypto map Azure-<VNetName>-map 1 set security-association lifetime seconds 7200
crypto map Azure-<VNetName>-map interface outside
!
! ==> Set TCP MSS to 1350
!
sysopt connection tcpmss 1350
!

Simple debugging commands

Use the following ASA commands for debugging purposes:

  • Show the IPsec or IKE security association ( SA ):

    show crypto ipsec sa
show crypto ikev2 sa

  • enter debug mode :

    debug crypto ikev2 platform <level>
debug crypto ikev2 protocol <level>

    Thedebug commands can generate significant output on the console.

  • Show the current configurations on the device:

    show run

    Use show subcommands to list specific parts of the device configuration, for example:

    show run crypto
show run access-list
show run tunnel-group

Next step

To configure active-active cross-premises andVNet-to-VNet connections, see Configure active-active VPN gateways.