Wednesday 2 September 2015

Configuring Azure Site to Site VPN with Cisco ASA 9.x Firewall

It is highly likely you will be required to create a site to site VPN from your on-premises network to the Azure public cloud. In order to do this you must have a compatible VPN peer that is capable of terminating the IPsec VPN. All of the main network vendors have supported devices such as Cisco, Juniper and Palo Alto etc. You can consult the following website to see what devices are supported;
Windows Server 2012/2012 R2 is also a supported configuration with the Routing and Remote Access (RRAS) role installed, this however when I tried to do it behind my Cisco ASA I could not get it to work. If you research around some forums etc most people only get RRAS to work with Azure if it is directly connected to the internet without any kind of NAT in-between. Most enterprises won’t be using RRAS anyway.
This example will cover setting up an Azure vNet with an Azure Gateway that is connected to a Cisco ASA 5505 firewall. At the time of writing Azure automatically generated configuration scripts for Cisco and Juniper devices, although these sometimes need tweaking before they work correctly, I cover this further down.

Define Local Network
The first stage is to define the Local Network, which is the network space in which your on premise environment works with. It is with the Local Network you also specify the outside global address that your VPN device has on its outside (or public) interface.
Open the Azure Management console, click New then Network Services, Virtual Network and then Custom Create.

Input a name for the local network, something descriptive is best and then enter the VPN Device IP as stated above.

You must then specify the address space that is being used within your on premise network, the address spaces used on premise and the cloud cannot overlap. Therefore you cannot have on site and in the cloud.

Define DNS Servers
The next step is to define the name resolution servers, you require at least one on premise and in the cloud, click New > Network Services > Virtual Network > Register DNS Server and define the DNS servers.

Create Virtual Network
Now create a new Virtual Network click New > Network Services > Virtual Network > Custom Create. The vNet is the logical entity that the VM instances connect to.

Enter a descriptive name for the vNet and set the location. 

From the next pane click the DNS Servers that were defined in the previous step. Tick Configure site-to-site VPN and then select the Local Network object that was defined in a previous step.

Now configure the address spaces you intend to use for your cloud based instances. Also click Add Gateway Subnet this will provision a small subnet to be used for the inter-tunnel communications. 

When the network is created the next step is to create a Virtual Gateway, which is assigned a public address. This process can take around 15-20 minutes to complete.  Click Create Gateway and select the Routing type, the Cisco ASA actually only supports Static Routing. Consult the following document to check if dynamic routing is supported for your VPN device 

Click Yes to confirm you want to create a gateway.

The interface will appear like it is below, the VPN cannot be formed until the VPN device is up dated with the configuration script. Unfortunately if you do not have a Cisco or Juniper firewall device you may have to do some manual configuration.

Click Download VPN Device Script from under Quick Glance. You can then select what options suit your environment, I hope Microsoft increase the number of devices and operating systems. The current options do not come close to what Amazon Web Services offers, they have pre-created scripts for almost all of the networking vendors I can name, with multiple different operating system versions.

Something that is not obvious when you download the configuration script for the Cisco ASA is that it assumes your firewall's interfaces are called inside/outside, for example some environments use private/public, this is not obvious if you are not a familiar with firewall scripts. I have highlighted everything below that must be changed to reflect your exact firewall configurations.
! Microsoft Corporation
! Windows Azure Virtual Network

! This configuration template applies to Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software 8.3.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

! ---------------------------------------------------------------------------------------------------------------------
! ACL and NAT rules
! Proper ACL and NAT rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
object-group network azure-networks
object-group network onprem-networks
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks

! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association.
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer x.x.x.x
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
! Note that you can only bind one crypto map to the "outside" interface. You can, however, define
! different peer/transform-set within a crypto map and identify them with different IDs.
crypto map azure-crypto-map interface outside

! ---------------------------------------------------------------------------------------------------------------------
! Tunnel configuration
! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key
! value used for Phase 1 authentication. 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key xxxxxxxxx

! ---------------------------------------------------------------------------------------------------------------------
! TCPMSS clamping
! Adjust the TCPMSS value properly to avoid fragmentation
sysopt connection tcpmss 1350

For example if you see my interfaces on my home ASA are inside/outside so the script is fine for me, but if your interfaces are different you will have to edit the script. My ASA is also running IOS 9.3 and the script is for 8.3, the difference is how the static NAT statement is written.

You can use the ASDM or an SSH session to your firewall to input the script, if you are using ASDM click Tools and Command Line Interface...

Select Multiple Lines and copy and paste the lines of code into the box, I have found the exit statements in the script get returned by the ASA as none executable code, so I edit them out.

Return to the vNet page and click Connect. If everything has been completed successfully your VPN should form correctly, all of the routes etc should automatically be in place therefore when you ping an on premise server it should get all the way to your Azure instances.