Learn how to deploy your ASAv firewall instance in the Microsoft Azure Public Cloud, using Azure console. This is a step by step video that shows detail how to stand up your firewall and protect. Azure Firewall vs Cisco ASAv: Which is better? We compared these products and thousands more to help professionals like you find the perfect solution for your business. Let IT Central Station and our comparison database help you with your research.
-->This article provides sample configurations for connecting Cisco Adaptive Security Appliance (ASA) devices to Azure VPN gateways. The example applies to Cisco ASA devices that are running IKEv2 without the Border Gateway Protocol (BGP).
Device at a glance
Device vendor | Cisco |
Device model | ASA |
Target version | 8.4 and later |
Tested model | ASA 5505 |
Tested version | 9.2 |
IKE version | IKEv2 |
BGP | No |
Azure VPN gateway type | Route-based VPN gateway |
Note
The sample configuration connects a Cisco ASA device to an Azure route-based VPN gateway. The connection uses a custom IPsec/IKE policy with the UsePolicyBasedTrafficSelectors option, as described in this article.
The sample requires that ASA devices use the IKEv2 policy with access-list-based configurations, not VTI-based. Consult your VPN device vendor specifications to verify that the IKEv2 policy is supported on your on-premises VPN devices.
VPN device requirements
Azure VPN gateways use the standard IPsec/IKE protocol suites to establish Site-to-Site (S2S) VPN tunnels. For the detailed IPsec/IKE protocol parameters and default cryptographic algorithms for Azure VPN gateways, see About VPN devices.
Note
You can optionally specify an exact combination of cryptographic algorithms and key strengths for a specific connection, as described in About cryptographic requirements. If you specify an exact combination of algorithms and key strengths, be sure to use the corresponding specifications on your VPN devices.
Single VPN tunnel
This configuration consists of a single S2S VPN tunnel between an Azure VPN gateway and an on-premises VPN device. You can optionally configure the BGP across the VPN tunnel.
For step-by-step instructions to build the Azure configurations, see Single VPN tunnel setup.
Virtual network and VPN gateway information
This section lists the parameters for the sample.
Parameter | Value |
---|---|
Virtual network address prefixes | 10.11.0.0/16 10.12.0.0/16 |
Azure VPN gateway IP | Azure_Gateway_Public_IP |
On-premises address prefixes | 10.51.0.0/16 10.52.0.0/16 |
On-premises VPN device IP | OnPrem_Device_Public_IP |
* Virtual network BGP ASN | 65010 |
* Azure BGP peer IP | 10.12.255.30 |
* On-premises BGP ASN | 65050 |
* On-premises BGP peer IP | 10.52.255.254 |
* Optional parameter for BGP only.
IPsec/IKE policy and parameters
The following table lists the IPsec/IKE algorithms and parameters that are used in the sample. Consult your VPN device specifications to verify the algorithms that are supported for your VPN device models and firmware versions.
IPsec/IKEv2 | Value |
---|---|
IKEv2 Encryption | AES256 |
IKEv2 Integrity | SHA384 |
DH Group | DHGroup24 |
* IPsec Encryption | AES256 |
* IPsec Integrity | SHA1 |
PFS Group | PFS24 |
QM SA Lifetime | 7,200 seconds |
Traffic Selector | UsePolicyBasedTrafficSelectors $True |
Pre-Shared Key | PreSharedKey |
* On some devices, IPsec Integrity must be a null value when the IPsec Encryption algorithm is AES-GCM.
ASA device support
- Support for IKEv2 requires ASA version 8.4 and later.
- Support for DH Group and PFS Group beyond Group 5 requires ASA version 9.x.
- Support for IPsec Encryption with AES-GCM and IPsec Integrity with SHA-256, SHA-384, or SHA-512, requires ASA version 9.x. This support requirement applies to newer ASA devices. At the time of publication, ASA models 5505, 5510, 5520, 5540, 5550, and 5580 do not support these algorithms. Consult your VPN device specifications to verify the algorithms that are supported for your VPN device models and firmware versions.
Sample device configuration
The script provides a sample that is based on the configuration and parameters that are described in the previous sections. The S2S VPN tunnel configuration consists of the following parts:
- Interfaces and routes
- Access lists
- IKE policy and parameters (phase 1 or main mode)
- IPsec policy and parameters (phase 2 or quick mode)
- Other parameters, such as TCP MSS clamping
Important
Complete the following steps before you use the sample script. Replace the placeholder values in the script with the device settings for your configuration.
- Specify the interface configuration for both inside and outside interfaces.
- Identify the routes for your inside/private and outside/public networks.
- Ensure all names and policy numbers are unique on your device.
- Ensure that the cryptographic algorithms are supported on your device.
- Replace the following placeholder values with actual values for your configuration:
- Outside interface name: outside
- Azure_Gateway_Public_IP
- OnPrem_Device_Public_IP
- IKE: Pre_Shared_Key
- Virtual network and local network gateway names: VNetName and LNGName
- Virtual network and on-premises network address prefixes
- Proper netmasks
Sample script
Simple debugging commands
Use the following ASA commands for debugging purposes:
- Show the IPsec or IKE security association (SA):
- Enter debug mode:The
debug
commands can generate significant output on the console. - Show the current configurations on the device:Use
show
subcommands to list specific parts of the device configuration, for example:
Next steps
To configure active-active cross-premises and VNet-to-VNet connections, see Configure active-active VPN gateways.