Hi all
I'm trying to set up a site-to-site VPN connection between my ASA 5505 (ASA 9.1(4) and ASDM 7.1(3)) and Windows Azure. For the configuration of the connection Microsoft supplies a configuration script (see below, IP and shared key removed) which sets up all the connection and encryption settings.
! Microsoft Corporation
! Windows Azure Virtual Network
! This configuration template applies to Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software 8.3.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.
! ---------------------------------------------------------------------------------------------------------------------
! ACL and NAT rules
!
! Proper ACL and NAT rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
object-group network azure-networks
 network-object 10.0.0.0 255.0.0.0
 exit
object-group network onprem-networks
 network-object 172.16.0.0 255.255.0.0
 exit
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
 exit
! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association.
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer 1.1.1.1
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
! ---------------------------------------------------------------------------------------------------------------------
! Tunnel configuration
!
! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key
! value used for Phase 1 authentication.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key abcdefghijklmnopqrstuvwxyz123456
 exit
! ---------------------------------------------------------------------------------------------------------------------
! TCPMSS clamping
!
! Adjust the TCPMSS value properly to avoid fragmentation
sysopt connection tcpmss 1350
exit
I ran this script successfully and I checked the settings in ASDM. However, I keep getting the error that UDP 500 is blocked:
"Deny inbound UDP from 1.1.1.1/500 to 2.2.2.2/500 on interface outside"
The script states: "You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel."
I'm quite new to Cisco firewalls and am looking for a fairly dummy proof way to allow the different protocol settings required (isakmp, NAT-T, L2TP, ESP) from the Azure gateway (1.1.1.1) to my outside IP address (2.2.2.2).
Any help would be appreciated!
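The following ASA CLI sequence is an added example for the situation described in the post; it is not part of the post and not from Microsoft's template. It assumes the peer 1.1.1.1, the outside address 2.2.2.2 and the interface name "outside" from the post; the ACL name outside_access_in is chosen here. Two caveats it builds in: the template targets ASA 8.3, while 9.1 stores the same ISAKMP settings under the ikev1 keyword (so the first step is to check what the box actually kept), and an IPsec site-to-site tunnel to Azure uses only IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50), so no L2TP rule is needed.

```cisco
! Added example, not the post's or Microsoft's configuration. Assumes peer 1.1.1.1,
! outside address 2.2.2.2 and interface "outside" as in the post; the ACL name
! outside_access_in is an arbitrary choice.

! 1. Check what ASA 9.1 kept from the 8.3-era template. Since 8.4 the ISAKMP
!    commands are stored as "ikev1" commands, so look for them in that form.
show running-config crypto
show running-config tunnel-group 1.1.1.1
! Expected (converted) lines in the output:
!   crypto ikev1 enable outside
!   crypto ikev1 policy 10
!   crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
!   crypto map azure-crypto-map 10 set ikev1 transform-set azure-ipsec-proposal-set
!   tunnel-group 1.1.1.1 ipsec-attributes
!    ikev1 pre-shared-key *****
! The ASA only accepts IKE on an interface where IKE is enabled; if the enable
! line is missing, that alone produces a deny for UDP 500 to the outside address.
crypto ikev1 enable outside

! 2. Explicit inbound allow for the tunnel protocols, scoped to the one peer
!    rather than "any". Interface ACLs on the ASA govern through-the-box
!    traffic; IKE and ESP addressed to the ASA itself are handled by step 1,
!    so these lines mainly make the intent explicit and auditable.
access-list outside_access_in extended permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list outside_access_in extended permit udp host 1.1.1.1 host 2.2.2.2 eq 4500
access-list outside_access_in extended permit esp host 1.1.1.1 host 2.2.2.2
! Caution: binding a new ACL replaces whatever is already bound inbound on
! outside. Check first, and add the entries to the existing ACL if one is bound.
show running-config access-group
access-group outside_access_in in interface outside

! 3. Decrypted tunnel traffic bypasses interface ACLs only while this default
!    is in effect; verify instead of assuming.
show running-config all sysopt | include permit-vpn

! 4. Bring the tunnel up by sending traffic toward the Azure range, then verify
!    Phase 1 and Phase 2 and look for IKE failures against the peer address.
show crypto ikev1 sa
show crypto ipsec sa peer 1.1.1.1
show logging | include 1.1.1.1
! Simulate the inbound IKE packet and read the ACL/crypto phases in the result:
packet-tracer input outside udp 1.1.1.1 500 2.2.2.2 500
```

The ACL entries are deliberately host-to-host rather than "any" to the outside address: the only legitimate IKE and ESP source for this tunnel is the Azure gateway, and a narrow rule keeps a later review of the outside ACL honest.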