Hello all,
It's been a long weekend for me, a dev/architect, not too familiar with networking technology... I have set up my local Cisco ASA 5505
to connect a site-to-site network with Windows Azure.
After a long period of trial & error, I finally managed to get the gateway to show up as connected (and that made me back up my Cisco config
ASAP :)).
So far, the good news. I want to connect (ping, remote desktop, http...) from my cloud machine (which is connected in the same virtual
network) to my on-prem laptop (and the other way around). I just don't manage to get this working.
I feel it has to do with the configuration of NAT or routing, but my knowledge is too limited to get it to work. I feel I am very close
to getting it to work, and I hope to get this last piece of help here...
Some information:
- The following screenshot is the configuration of my virtual network:
- This is the screenshot of my local network, configured in Azure:
- My virtual machine in Azure has IP address 192.168.10.4
- My local machine at home has IP address 192.168.1.6
This is my running Cisco configuration:
: Saved
:
ASA Version 8.4(4)1
!
hostname ciscoasa
enable password rDFRVUzyJEqRF6oV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
clock timezone GMT 0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Azure_Gateway
range 192.168.12.4 192.168.12.6
description Gateway settings on Azure network
object network Azure_VMs
range 192.168.10.4 192.168.11.254
description Range of Azure Virtual Machines
object network LocalMachines
range 192.168.30.0 192.168.30.255
description From Local Network
object network Azure_Begin
subnet 192.168.0.0 255.255.240.0
description Errors: no matching crypto map entry for remote proxy 192.168.0.0/255.255.240.0/0/0 local proxy 192.168.30.0/255.255.255.0/0/ on interface outside
object-group network RP_Azure
description group that defines the IP Addresses used on the Azure side of things
network-object object Azure_Gateway
network-object object Azure_VMs
network-object object Azure_Begin
object-group network RP_Local
description group that defines the IP Addresses used on your local network
network-object object LocalMachines
access-list outside_cryptomap extended permit ip object-group RP_Local object-group RP_Azure
access-list RP_AccessList extended permit ip object-group RP_Local object-group RP_Azure
access-list outside_cryptomap_1 extended permit ip object-group RP_Local object-group RP_Azure
access-list outside_access_in extended permit icmp object-group RP_Azure object-group RP_Local
access-list outside_access_in extended permit icmp object-group RP_Local object-group RP_Azure
access-list outside_access_in extended permit udp object-group RP_Azure object-group RP_Local
access-list outside_access_in extended permit udp object-group RP_Local object-group RP_Azure
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static RP_Local RP_Local destination static RP_Azure RP_Azure
nat (inside,any) source static RP_Local RP_Local destination static RP_Azure RP_Azure
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1350
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set RP_AzureTransforms esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto map outside_map1 2 match address outside_cryptomap_1
crypto map outside_map1 2 set peer 137.117.176.125
crypto map outside_map1 2 set ikev1 transform-set RP_AzureTransforms
crypto map RP_IPSecCryptoMap 1 match address RP_AccessList
crypto map RP_IPSecCryptoMap 1 set peer 137.117.176.125
crypto map RP_IPSecCryptoMap 1 set ikev1 transform-set RP_AzureTransforms
crypto map RP_IPSecCryptoMap interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASA5505_Manganica
keypair ASA5505_Manganica
crl configure
crypto ca certificate chain ASA5505_Manganica
certificate ca d83954e19c7168a044202ccb4bc4add1
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside
crypto ikev2 enable outside
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
tunnel-group 137.117.176.125 type ipsec-l2l
tunnel-group 137.117.176.125 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 300 retry 2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:eafa3fc40bb54a4a556f1028585a5a01
: end
Any help is truly highly appreciated!
Sam Vanhoutte - CTO Codit - VTS-P BizTalk - Windows Azure Integration: www.integrationcloud.eu
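As an added diagnostic example (not the poster's or Cisco's code), the script below parses the object, object-group and crypto-ACL lines from the running-config in the post and reports whether a given source/destination pair is "interesting traffic" for the tunnel; it assumes only the config excerpt embedded in it and the two host addresses the post gives.

```python
import ipaddress
# Excerpt of the objects, groups and crypto ACL from the posted running-config
# (this checker is an added example, not the poster's or Cisco's code).
ASA_CONFIG = """\
object network Azure_VMs
 range 192.168.10.4 192.168.11.254
object network LocalMachines
 range 192.168.30.0 192.168.30.255
object network Azure_Begin
 subnet 192.168.0.0 255.255.240.0
object-group network RP_Azure
 network-object object Azure_VMs
 network-object object Azure_Begin
object-group network RP_Local
 network-object object LocalMachines
access-list RP_AccessList extended permit ip object-group RP_Local object-group RP_Azure
"""

def parse_config(text):
    # objects: name -> [(lo, hi)] int ranges; groups: name -> member object names; acls: name -> [(src_group, dst_group)]
    objects, groups, acls, current = {}, {}, {}, None
    for words in (l.split() for l in text.splitlines() if l.strip()):
        if words[:2] == ["object", "network"]:
            current = ("object", words[2]); objects[words[2]] = []
        elif words[:2] == ["object-group", "network"]:
            current = ("group", words[2]); groups[words[2]] = []
        elif words[0] == "range" and current[0] == "object":
            lo, hi = (int(ipaddress.ip_address(w)) for w in words[1:3])
            objects[current[1]].append((lo, hi))
        elif words[0] == "subnet" and current[0] == "object":
            net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
            objects[current[1]].append((int(net[0]), int(net[-1])))
        elif words[:2] == ["network-object", "object"] and current[0] == "group":
            groups[current[1]].append(words[2])
        elif words[0] == "access-list" and words[5] == "object-group" == words[7]:
            acls.setdefault(words[1], []).append((words[6], words[8]))
    return objects, groups, acls

def in_group(objects, groups, group, ip):
    addr = int(ipaddress.ip_address(ip))
    return any(lo <= addr <= hi for name in groups[group] for lo, hi in objects[name])

def acl_permits(config, acl, src, dst):
    # The crypto-map ACL decides which src->dst traffic gets encrypted; a miss means the packet is only NATed out.
    objects, groups, acls = parse_config(config)
    return any(in_group(objects, groups, s, src) and in_group(objects, groups, d, dst)
               for s, d in acls.get(acl, []))

if __name__ == "__main__":
    print(acl_permits(ASA_CONFIG, "RP_AccessList", "192.168.1.6", "192.168.10.4"))  # False
```

For 192.168.1.6 -> 192.168.10.4 the check returns False, since LocalMachines only spans 192.168.30.0-192.168.30.255 while the laptop sits on the 192.168.1.0/24 inside VLAN; note also that the Azure_Begin /20 on the far side covers 192.168.1.0/24 as well, so the local LAN overlaps the "remote" range.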