Site-to-site VPN with Azure and Cisco ASA IOS 8.2
We have a customer whose hosted application lives on traditional co-location and runs on an old unsupported OS, on old out-of-warranty servers, etc… We understand times are hard and there isn’t always the time or money to upgrade.
Needless to say this customer’s servers have a long history of issues preventing them from working, usually at the most inopportune moments.
- hardware failures,
- lack of OS updates,
- lack of OS support,
- hacking, to name a few.
We have advised this customer (repeatedly) to migrate from dedicated hardware and old OSes to a modern cloud-based solution for their service delivery, which would cut costs and free up budget for developing the application. However, they’re more traditional, and had spurned this option in preference for the familiar! Numerous rebuilds / un-installs / re-installs later, something happened: they needed their dev server up, and they needed it up FAST! Before the weekend… and it was Friday 12:00…
We recommended that the customer spin up a VM running Windows Server 2012 in Azure for IIS and keep the back-end system on Windows 2000. This time the customer took the plunge – “Just for the development server, mind, and just for the public facing parts!”.
Looming deadlines tend to focus the mind! We had a go: Excellent! Clear calendars / appointments and let’s get Azuring!
We signed them up with Azure, and as an added bonus the Azure promo was still running – £125 free credits for a month.
Within the hour we had the dev VM live, patched, up to date, running IIS and ready for the customer to add their bits, meanwhile we worked on getting the VM to talk to the “local” servers in the Data Centre via VPN. This part proved more problematic, and hence this post.
The customer has a Cisco ASA firewall and so we followed the excellent guides that Azure provides for VPN setup on the Azure and Cisco side: Site-to-site VPN with Azure Portal. We also knew there would be some fettling required: Validated VPN devices; the customer’s ASA version was 8.2 – and with the deadline there was no time to get more memory to support 8.3.
Config for Cisco ASA version 8.2
The guides provided were for IOS 8.3 and up, and the helpful Step by step guide to set up site-to-site VPN using Cisco ASA had commands that were not recognised by the customer’s ASA. So we dusted off the IOS 8.2 guide, started to tinker, and came up with the following config:
NOTE: We’ve used the IP addressing and naming as per the Microsoft guide above; items in bold or in <>, and the IP addresses, will need to be changed to match your actual configuration:
access-list BYPASS-NAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list ACL-AZURE-VPN extended permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
...
nat (INSIDE-INTERFACE) 0 access-list BYPASS-NAT
...
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
...
crypto ipsec transform-set AZURE-TRANSFORM-SET esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto map AZURE-CRYPTO-MAP 1 match address ACL-AZURE-VPN
crypto map AZURE-CRYPTO-MAP 1 set peer 104.x.x.x
crypto map AZURE-CRYPTO-MAP 1 set transform-set AZURE-TRANSFORM-SET
crypto map AZURE-CRYPTO-MAP interface OUTSIDE-INTERFACE
crypto isakmp enable OUTSIDE-INTERFACE
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
...
tunnel-group 104.x.x.x type ipsec-l2l
tunnel-group 104.x.x.x ipsec-attributes
 pre-shared-key <pre-shared-key>
The main issue with version 8.2 is that it doesn’t know there is an IKE version 2, so any command carrying the ikev1 keyword is rejected. The same applies to enabling IKE on the outside interface: on 8.2 it’s
crypto isakmp enable outside
rather than
crypto ikev1 enable outside
because, again, ikev1 isn’t understood by IOS 8.2.
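As an added example (our own, not part of the original post), here is a small Python linter that applies the two lessons above to an ASA config before it is pasted into a box: it flags any line using the ikev1 keyword (suggesting the isakmp form for the enable command), and cross-checks that the crypto map’s ACL, peer and transform-set are actually defined and that the nat 0 ACL and the crypto ACL cover the same two networks. The sample config is constructed from the post’s config, and the peer address 104.0.0.1 is a placeholder.

```python
import re
# Constructed sample: the post's 8.2 config with one 8.3+-style "ikev1" line mixed in
# so the linter has something to flag; 104.0.0.1 is a placeholder Azure peer address.
SAMPLE = """\
access-list BYPASS-NAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list ACL-AZURE-VPN extended permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (INSIDE-INTERFACE) 0 access-list BYPASS-NAT
crypto ipsec transform-set AZURE-TRANSFORM-SET esp-aes-256 esp-sha-hmac
crypto map AZURE-CRYPTO-MAP 1 match address ACL-AZURE-VPN
crypto map AZURE-CRYPTO-MAP 1 set peer 104.0.0.1
crypto map AZURE-CRYPTO-MAP 1 set transform-set AZURE-TRANSFORM-SET
crypto ikev1 enable OUTSIDE-INTERFACE
tunnel-group 104.0.0.1 type ipsec-l2l
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)$")
MAP_RE = re.compile(r"^crypto map \S+ \d+ (match address|set peer|set transform-set) (\S+)$")

def lint_asa82(config: str) -> list:
    """Return human-readable problems found in an ASA 8.2 site-to-site VPN config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acls, tsets, l2l_peers, nat0_acl, problems = {}, set(), set(), None, []
    for ln in lines:  # pass 1: collect the objects that other lines refer to
        m = ACL_RE.match(ln)
        if m:  # keep the two networks as an unordered pair
            acls[m.group(1)] = frozenset({m.group(2), m.group(3)})
        elif ln.startswith("crypto ipsec transform-set "):
            tsets.add(ln.split()[3])
        elif re.match(r"^nat \(\S+\) 0 access-list ", ln):
            nat0_acl = ln.split()[-1]
        elif ln.startswith("tunnel-group ") and ln.endswith(" type ipsec-l2l"):
            l2l_peers.add(ln.split()[1])
    for ln in lines:  # pass 2: check references and 8.2 syntax
        if " ikev1 " in f" {ln} ":  # 8.2 predates the ikev1/ikev2 keywords
            fix = ln.replace("crypto ikev1 enable", "crypto isakmp enable")
            problems.append(f"8.2 does not understand ikev1: '{ln}'" + (f" -> use '{fix}'" if fix != ln else ""))
        m = MAP_RE.match(ln)
        if not m:
            continue
        kind, arg = m.groups()
        if kind == "match address":
            if arg not in acls:
                problems.append(f"crypto ACL {arg} is not defined")
            elif nat0_acl in acls and acls[arg] != acls[nat0_acl]:
                problems.append(f"crypto ACL {arg} and nat 0 ACL {nat0_acl} cover different networks")
        elif kind == "set peer" and arg not in l2l_peers:
            problems.append(f"peer {arg} has no 'tunnel-group {arg} type ipsec-l2l'")
        elif kind == "set transform-set" and arg not in tsets:
            problems.append(f"transform-set {arg} is not defined")
    return problems
```

On the sample, lint_asa82(SAMPLE) returns exactly one finding, the ikev1 line together with its isakmp replacement; once that line is corrected the config passes clean.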
Azure is currently costing this customer less than £4 per day, with the compute hours being the largest portion of the costs. That is a massive cost saving, and a huge incentive for the customer to move from an old unsupported OS to a newer, more modern one, as well as away from traditional co-location services to a modern cloud solution.