
Configure Cisco ASA 5505 for site-to-site VPN

We have the small version of the Cisco ASA 5505 at our on-premises site, so all configuration samples are for this model. If you are using a firewall from another vendor you will need to look up the specific steps for it.

The following steps are based on this excellent article. Remember we are mostly system programmers and not network admins, so do verify this setup with someone more network proficient.

First, we tell the Cisco ASA which subnet we have in Microsoft Azure.

object-group network vpn-azure-subnet
  description vpn azure subnet

Now we list the local subnets that will take part in the VPN connection.

object-group network vpn-local-subnet
  description vpn local subnet

Next we create the access list that matches traffic between the two object groups; it defines which traffic is sent through the tunnel.

access-list acl-vpn-azure extended permit ip object-group vpn-local-subnet object-group vpn-azure-subnet

Traffic in the VPN connection must be excluded from NAT; this identity NAT rule keeps the source and destination addresses unchanged for it.

nat (inside,outside) 1 source static vpn-local-subnet vpn-local-subnet destination static vpn-azure-subnet vpn-azure-subnet no-proxy-arp route-lookup

Good, let's create the IKE and IPsec parameters for our connection.

crypto ikev1 policy 5
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 28800

crypto ipsec ikev1 transform-set azure-transform esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

Specify the public IP address we created earlier and the shared key from the VPN connection setup page. Here we use the as an example.

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
  ikev1 pre-shared-key 1SharedSuperSecret!

crypto map azure-crypto-map 1 match address acl-vpn-azure
crypto map azure-crypto-map 1 set peer
crypto map azure-crypto-map 1 set ikev1 transform-set azure-transform
crypto map azure-crypto-map interface outside
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows

Finally, enable IKEv1 on the outside interface so the VPN connection on our Cisco ASA firewall can come up.

crypto ikev1 enable outside
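As an added example (not code from the article or from Cisco), here is a small Python checker that follows the references of the crypto map above: the access list it matches, the tunnel-group and pre-shared key of its peer, and whether IKEv1 is enabled on the interface the map is bound to. It assumes a constructed copy of the fragment with 203.0.113.10 as a placeholder peer address; a misspelt sub-mode keyword or a forgotten enable line otherwise leaves the tunnel down with no configuration error.

```python
import re

def parse_asa(config):
    """Index the site-to-site VPN pieces of an ASA config fragment by name."""
    d = {"acl": set(), "cmap": {}, "cmap_if": {}, "tg": {}, "ike_if": set()}
    cur = None  # tunnel-group whose ipsec-attributes sub-mode we are inside
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"access-list (\S+) extended permit ", line):
            d["acl"].add(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)", line):
            d["cmap"].setdefault((m[1], m[2]), {})[m[3]] = m[4]
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            d["cmap_if"][m[1]] = m[2]
        elif m := re.match(r"tunnel-group (\S+) (type \S+|ipsec-attributes)$", line):
            cur = m[1] if m[2] == "ipsec-attributes" else None
            d["tg"].setdefault(m[1], set()).add(m[2])
        elif line.startswith("ikev1 pre-shared-key ") and cur:
            d["tg"][cur].add("psk")
        elif m := re.match(r"crypto ikev1 enable (\S+)", line):
            d["ike_if"].add(m[1])
    return d

def check_vpn(config):
    """Follow each crypto-map entry's references; every broken link is one finding."""
    d, out = parse_asa(config), []
    for (name, seq), e in d["cmap"].items():
        acl, peer = e.get("match address"), e.get("set peer")
        if acl not in d["acl"]:
            out.append(f"{name} {seq}: access-list {acl} not defined")
        tg = d["tg"].get(peer, set())
        if "type ipsec-l2l" not in tg:
            out.append(f"peer {peer}: no tunnel-group of type ipsec-l2l")
        if "psk" not in tg:
            out.append(f"peer {peer}: no ikev1 pre-shared-key (check the ipsec-attributes block)")
        if d["cmap_if"].get(name) not in d["ike_if"]:
            out.append(f"{name}: crypto ikev1 not enabled on the interface it is bound to")
    return out

# Constructed sample mirroring the article's fragment; 203.0.113.10 is a placeholder peer IP.
GOOD = """
access-list acl-vpn-azure extended permit ip object-group vpn-local-subnet object-group vpn-azure-subnet
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
  ikev1 pre-shared-key 1SharedSuperSecret!
crypto map azure-crypto-map 1 match address acl-vpn-azure
crypto map azure-crypto-map 1 set peer 203.0.113.10
crypto map azure-crypto-map interface outside
crypto ikev1 enable outside
"""
BROKEN = GOOD.replace("ipsec-attributes", "ipsec-attribute")  # misspelt sub-mode: key never attaches to the peer
```

`check_vpn(GOOD)` returns an empty list, while `check_vpn(BROKEN)` reports that the peer has no pre-shared key.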