Configure Cisco ASA 5505 for site-to-site VPN
We have the small version of Cisco ASA 5505 in our on-premises site so all configuration samples will be done for this model. If you are using firewall from another vendor you would need to search on Google on specific steps.
The following steps are based on this excellent article. Remember we are mostly system programmers and not actually network admins so do verify this setup with someone more network proficient.
First, we are telling Cisco ASA what is the subnet we have in Microsoft Azure.
object-group network vpn-azure-subnet description vpn azure subnet network-object 10.2.0.0 255.255.0.0
Now we are listing those local subnets that will take part in VPN connections.
object-group network vpn-local-subnet description vpn local subnet network-object 192.168.1.0 255.255.255.0 network-object 192.168.4.0 255.255.255.0
Next we create the access list that contains both object groups.
access-list acl-vpn-azure extended permit ip object-group vpn-local-subnet object-group vpn-azure-subnet
Traffic in VPN connection shall be excluded from NAT.
nat (inside,outside) 1 source static vpn-local-subnet vpn-local-subnet destination static vpn-azure-subnet vpn-azure-subnet no-proxy-arp route-lookup
Good, lets create the VPN parameters for our connection.
crypto ikev1 policy 5 authentication pre-share encryption aes-256 hash sha group 2 lifetime 28800 crypto ipsec ikev1 transform-set azure-transform esp-aes-256 esp-sha-hmac crypto ipsec security-association lifetime seconds 3600 crypto ipsec security-association lifetime kilobytes 102400000
tunnel-group 220.127.116.11 type ipsec-l2l tunnel-group 18.104.22.168 ipsec-attribute ikev1 pre-shared-key 1SharedSuperSecret! crypto map azure-crypto-map 1 match address acl-vpn-azure crypto map azure-crypto-map 1 set peer 22.214.171.124 crypto map azure-crypto-map 1 set ikev1 transform-set azure-transform crypto map azure-crypto-map interface outside sysopt connection tcpmss 1350 sysopt connection preserve-vpn-flows
Finally enable the VPN connection on our Cisco ASA firewall.
crypto ikev1 enable outside