Site to site vpn from pix to Azure

Hello,
I've created a site to site vpn from pix to azure using vpn wizard.
in monitoring tab in IKE SAs I can see the status of the connection is QM_IDLE
and in IPSec VPNs I can see a row for this vpn but no packet is transferring.
Please let me know if anybody knows what I am doing wrong with this?

Hi,
So seems the L2L VPN connection is up but no traffic is flowing?
I would presume that in that case the L2L VPN connection is probably negotiated from the side of Azure.
You might be missing NAT0 configuration for the subnets/addresses configured on the L2L VPN connection. This would explain atleast why connection could be up (negotiated from remote site) but no traffic was flowing (not having proper nat configuration would make it so that traffic from your side would not match the VPN configurations)
Naturally we could take a look at the PIX configurations.
- Jouni

Similar Messages

ASA 5505 site to site VPN from a device 7.2 to a device 8.2

I'm trying to make some test with two ASA 5505; one has software version 7.2(4) the other 8.2.
I would like to make a sit to site VPN from the two device.
I followed the VPN site to site wizard on both machine with the correct parameters, but it does'n work.
Is it possible to make this kind of VPN between devices with different Software version? Or I should upg the older with 7.2 to 8.2 before ?
Thank for your help.
Marco

Tks Soeren for your help, these are some info about my test:
Cisco 1 (7.2) Ext 192.168.0.1
Int 192.168.11.50
Cisco 2 (8.2) Ext 192.168.0.2
Int 192.168.10.254
Common gateway 192.168.0.254
Both Ext interface of Cisco 1 & Cisco 2 are on a common switch, like the gateway.
These are SH run:
Cisco 1
ASA Version 7.2(4)
hostname DigiASA
domain-name ************
enable password ************* encrypted
passwd *************** encrypted
names
name 192.168.10.0 REMOTE-LAN
interface Vlan1
nameif inside
security-level 100
ip address 192.168.11.150 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name *************
access-list acl_outbound extended permit tcp any host 192.168.0.1 eq ftp-data
access-list acl_outbound extended permit tcp any host 192.168.0.1 eq ftp
access-list acl_outbound extended permit tcp any host 192.168.0.1 eq https
access-list acl_outbound extended permit tcp any host 192.168.0.1 eq pop3
access-list acl_outbound extended permit tcp any host 192.168.0.1 eq www
access-list acl_inbound extended permit tcp 192.168.11.0 255.255.255.0 any eq www
access-list acl_inbound extended permit tcp 192.168.11.0 255.255.255.0 any eq ftp
access-list acl_inbound extended permit tcp 192.168.11.0 255.255.255.0 any eq ftp-data
access-list acl_inbound extended permit tcp 192.168.11.0 255.255.255.0 any eq smtp
access-list acl_inbound extended deny tcp any any eq www
access-list acl_inbound extended deny tcp any any eq ftp
access-list acl_inbound extended deny tcp any any eq ftp-data
access-list acl_inbound extended deny tcp any any eq smtp
access-list acl_inbound extended deny udp any eq tftp any
access-list acl_inbound extended deny tcp any eq 135 any
access-list acl_inbound extended deny udp any eq 135 any
access-list acl_inbound extended deny tcp any eq 137 any
access-list acl_inbound extended deny udp any eq netbios-ns any
access-list acl_inbound extended deny tcp any eq 138 any
access-list acl_inbound extended deny udp any eq netbios-dgm any
access-list acl_inbound extended deny tcp any eq netbios-ssn any
access-list acl_inbound extended deny udp any eq 139 any
access-list acl_inbound extended deny udp any eq 1080 any
access-list acl_inbound extended deny tcp any eq 445 any
access-list acl_inbound extended deny tcp any eq 593 any
access-list acl_inbound extended deny tcp any eq 3067 any
access-list acl_inbound extended deny tcp any eq 3127 any
access-list acl_inbound extended deny tcp any eq 4444 any
access-list acl_inbound extended deny tcp any eq 5554 any
access-list acl_inbound extended deny tcp any eq 9996 any
access-list acl_inbound extended deny tcp any eq 36794 any
access-list acl_inbound extended permit ip any any
access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.230
access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.231
access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.232
access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.233
access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.234
access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.235
access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.236
access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.237
access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.238
access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.239
access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.240
access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 REMOTE-LAN 255.255.255.0
access-list SplitTunnelNets standard permit 192.168.11.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.11.0 255.255.255.0 REMOTE-LAN 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Ext-IP 192.168.11.230-192.168.11.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.11.11 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.11.11 ftp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.11.10 https netmask 255.255.255.255
access-group acl_inbound in interface inside
access-group acl_outbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy DIGI internal
group-policy DIGI attributes
dns-server value 192.168.11.1 213.140.2.21
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelNets
default-domain value DIGI
username Marco password ***************** encrypted privilege 15
username Marco attributes
vpn-group-policy DIGI
tunnel-group DIGI type ipsec-ra
tunnel-group DIGI general-attributes
address-pool Ext-IP
default-group-policy DIGI
tunnel-group DIGI ipsec-attributes
pre-shared-key *
tunnel-group DIGIVPN type ipsec-l2l
tunnel-group DIGIVPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cisco 2
ASA Version 8.2(1)
hostname XFASA
domain-name ****************
enable password ***************** encrypted
passwd ***************** encrypted
names
name 192.168.11.0 REMOTE-LAN
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.2 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name **************
access-list acl_outbound extended permit tcp any host 192.168.0.2 eq ftp-data
access-list acl_outbound extended permit tcp any host 192.168.0.2 eq ftp
access-list acl_outbound extended permit tcp any host 192.168.0.2 eq https
access-list acl_outbound extended permit tcp any host 192.168.0.2 eq pop3
access-list acl_outbound extended permit tcp any host 192.168.0.2 eq www
access-list acl_inbound extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list acl_inbound extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list acl_inbound extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data
access-list acl_inbound extended permit tcp 192.168.10.0 255.255.255.0 any eq smtp
access-list acl_inbound extended deny tcp any any eq www
access-list acl_inbound extended deny tcp any any eq ftp
access-list acl_inbound extended deny tcp any any eq ftp-data
access-list acl_inbound extended deny tcp any any eq smtp
access-list acl_inbound extended deny udp any eq tftp any
access-list acl_inbound extended deny tcp any eq 135 any
access-list acl_inbound extended deny udp any eq 135 any
access-list acl_inbound extended deny tcp any eq 137 any
access-list acl_inbound extended deny udp any eq netbios-ns any
access-list acl_inbound extended deny tcp any eq 138 any
access-list acl_inbound extended deny udp any eq netbios-dgm any
access-list acl_inbound extended deny tcp any eq netbios-ssn any
access-list acl_inbound extended deny udp any eq 139 any
access-list acl_inbound extended deny udp any eq 1080 any
access-list acl_inbound extended deny tcp any eq 445 any
access-list acl_inbound extended deny tcp any eq 593 any
access-list acl_inbound extended deny tcp any eq 3067 any
access-list acl_inbound extended deny tcp any eq 3127 any
access-list acl_inbound extended deny tcp any eq 4444 any
access-list acl_inbound extended deny tcp any eq 5554 any
access-list acl_inbound extended deny tcp any eq 9996 any
access-list acl_inbound extended deny tcp any eq 36794 any
access-list acl_inbound extended permit ip any any
access-list SplitTunnelNets standard permit 192.168.10.0 255.255.255.0
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.230
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.231
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.232
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.233
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.234
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.235
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.236
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.237
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.238
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.239
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.240
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 REMOTE-LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 REMOTE-LAN 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Ext-IP 192.168.10.230-192.168.10.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_inbound in interface inside
access-group acl_outbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.10.50-192.168.10.150 inside
dhcpd dns 85.18.200.200 89.97.140.140 interface inside
dhcpd domain XFACTOR interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy XFA internal
group-policy XFA attributes
dns-server value 85.18.200.200
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelNets
default-domain value XFDMN
username Marco password ************* encrypted privilege 15
username Marco attributes
vpn-group-policy XFA
username xfa password ************* encrypted privilege 0
username xfa attributes
vpn-group-policy XFA
tunnel-group XFA type remote-access
tunnel-group XFA general-attributes
address-pool Ext-IP
default-group-policy XFA
tunnel-group XFA ipsec-attributes
pre-shared-key *
tunnel-group DIGIVPN type ipsec-l2l
tunnel-group DIGIVPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
I hope you can find anything wrong, because I ddidn't find.
Thanks again
Marco

Need Help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect

Hi All,
I need help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect
2811 having C2800NM-ADVIPSERVICESK9-M
2811 router connects to the Internet SW then connects to the Internet router.
Note- For Authentication am using the Device ID & Pre share key. I am worried as all user traffic goes with PAT and not firing up my tunnel for port 80 traffic. Can you please suggest what can be the issue ?
Below is router config for VPN & NAT
crypto keyring ISR_Keyring
pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
crypto isakmp profile isa-profile
   keyring ISR_Keyring
   self-identity user-fqdn [email protected]
   match identity user vpn-proxy.websense.net
crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
set peer vpn.websense.net dynamic
set transform-set ESP-NULL-SHA
set isakmp-profile isa-profile
match address 101
interface FastEthernet0/1
description connected to Internet
ip address 216.222.208.101 255.255.255.128
ip access-group HVAC_Public in
ip nat outside
ip virtual-reassembly
duplex full
speed 100
no cdp enable
crypto map GUEST_WEB_FILTER
access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
access-list 103 permit ip 192.168.8.0 0.0.3.255 any
ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
ip nat inside source list 103 interface FastEthernet0/1 overload
ip nat inside source route-map nonat pool mypool overload

How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101 ?
Check
show crypto isakmp sa
show crypto ipsec sa
show crypto session
You'd better remove the preshared key from your post.

Enable Site to Site VPN option in Windows Azure Network on existing VNET

Hi Experts,
There are two separate subscriptions in Azure in which we have already VNET created, on the same VNET there is no site to site vpn option enabled, so I have different scenarios as below along with questions related to this.
I will create two VNET in one subscription (We will use IaaS nothing else) named VNET1 and VNET 2, VNET 1 will be used for external web sites which is why we do not want to enable communication with VNET2, VNET2 will have a site to site VPN established with
our on premises, VNET1 has its own Active Directory and VNET 2 will have its own Active Directory (I am not talking about Windows Azure Active Directory) these Active Directories has nothing to do with each other. Currently we will go with this design (I hope
there is nothing wrong in it), for VNET 1 we will use 192.168.16.0/24 and VNET we will use 192.168.0.0/24. In the future we might need both VNET to communicate with each other, which means we will need to connect VNET to VNET communication, my questions are
1. Can we enable site to site vpn option once the vnet is created as VNET 1 is not created using site to site vpn option enabled.
2. If it is possible then how to enable it as I do not see the option available
3. If it is not possible then how to design VNET1 in a way that currently it would not communicate with VNET 2 as well as in the future we would enable communication between VNET1 and VNET2 by creating the site to site vpn between VNET1 and VNET2.
4. lets say that VNET 2 is already enabled for site to site VPN with our on premises and once it is required to create site to site vpn between VNET 1 and VNET 2, where site to site vpn of VNET2 with our on premises should remain
same as well as we will add one more site to site vpn between VNET2 and VNET1 is it possible, if yes would it break the VNET2 site to site vpn with on premises or it would only connect with one either on premises or VNET1.
5. What if in the future we want to enable VNET to VNET vpn connection between two subscription where we already have a VNET 2 which is connected with on premises as well as with VNET1 and we now want VNET2 to connect with another VNET in another subscription
as well as we would like to have a communication / connectivity as below
VNET2 with VNET in another subscription
VNET2 with VNET1
is it possible with question number 5 and we should not loos connectivity between any of the Vnet or vnet to on premises. ofcourse I know that network should not collapse with each other.
6. by achieving question number 5, VNET from another subscription can communicate with our on premises network through VNET2 and VNET from another subscription can also communicate with VNET1 through VNET2 as well as VNET2 and VNET 1can communicate with
VNET from another subscription and VNET1 and VNET 2 can also communicate with another subscription's on premises network using VNET, please correct me if I misunderstood some thing as well as how this will be achieveable by adding network ips of each network
on local network option of each VNETs.
I hope it is not too complicated.
Thanks
If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

Knock Knock some one there, can some one please answer the question
If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

REMOVING IPSEC VPN CONFIG FROM PIX 6.3 FIREWALL

Hey,
we have pix 6.3 serving as internet firewall and we are int process of replacing it with new ASA Device. currently there are several site to site and remote vpn are configured for access purposes.
i tried to remove one site2site ipsec vpn from pix and it starts acting like a loop generating the same error with qty that processor got 100% CPU, couldn't logged in through normal ssh so i connected via console and place back the isakmp and crypto map commands back in and the error stops.
My purpose of this question is that how can i remove vpn config from pix without generating any error is there any formal process or order of removing rules from pix or we can do it one by one no order is required.
MY PROCESS OF REMOVING CONFIG:
REMOVE THE ACCESS-LIST INSIDEOUT AND OUTSIDE IN COMMANDS
REMOVE THE OBJECTS AND OBJECTS GROUPS
REMOVE THE VPN DEFINED ACCESS-LIST FOR INTERESTING TRAFFIC
REMOVE CRYPTO MAP TRANSFORM-SET
REMOVE ISAKMP-POLICY
REMOVE CRYPTO MAP
WE DO USE ISAKMP SHARED KAY MECHANISM "I DID NOT REMOVE THAT "
BUT AS SOON AS I REMOVE THE CRYPTO MAP FROM THE PIX I GOT THIS ERROR
IPSEC(crypto_map_check): crypto map XYZ 20 incomplete. No peer or access-list specified.
20 IS THE ISAKMP POLICY NUMBER & Peer and Access-list was removed from pix
any help would great
regards

Hi
You could do either of 2 things.
1) Enable NAT-Traversal on your ASA
2) Add the following on your pix :
fixup protocol esp-ike
This allows one IPSEC connection to run through PAT.
HTH
Jon

Question about site to site VPN failover on an ASA

Hello all. I am building a site to site VPN from our headquarters to a customer. I am using an ASA 5520. The customer is using Cisco 3945 routers. The customer has two VPN termination points. The customer requests that we make one of their termination points the primary VPN connection and make the other termination point the backup in the event that the primary VPN fails. How do I configure this on the ASA? Does the below configuration fulfill this goal?
crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3

I have just encountered a similar situation. It seems to work near enough, but I still consider it a hack.
Also if the second peer (887 router in this case) attempts to bring up the IPSec tunnel the ASA drops the the primary tunnel and restablishes it causing brief packet loss during the tunnel bounce. A debug shows an error that it thinks the peer IP has changed, hence the tunnel should be dropped!!!
Im just using HRSP on the access site between 2 x 887's tracking the WAN interface. On the ASA side I have both peers defined in the same way "crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3".
The ASA feature set just hasnt improved in this space since the VPN3000 days, it may have actually gone backwards. Introduction of VTI interfaces and support for routing protocols over tunnels should have been introduced into the ASA years ago, but from what I understand has been put in the too hard basket.
Cheers
Kent.

Site-to-site VPN failng RV320-to-RV320

I am following the information I found at http://www.cisco.com/c/dam/en/us/td/docs/routers/csbr/app_notes/rv0xx_g2gvpn_an_OL-26286.pdf in an attempt to create a site to site VPN from my home to my Office.
After setting it up and attempting to start the connection from home, both routers show 'waiting for connection'.
The logs at the office show:
2014-09-30, 12:37:26 VPN Log packet from 9x.xx8.1xx.15:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2014-09-30, 12:37:26 Connection Accepted IN=eth1 SRC=96.228.129.15 DST=5x.xx.231.44 DMAC=f4:0f:1b:7d:49:e1 SMAC=b0:c6:9a:a1:f4:e8 LEN=132 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=112
2014-09-30, 12:38:06 VPN Log packet from 9x.xx8.1xx.15:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2014-09-30, 12:38:06 Connection Accepted IN=eth1 SRC=96.228.129.15 DST=5x.xx.231.44 DMAC=f4:0f:1b:7d:49:e1 SMAC=b0:c6:9a:a1:f4:e8 LEN=132 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=112
I have compared the screens from both sites and can't see any difference in names, options, or the key. Can anybody use the above messages to point me in the right direction?
Thanks,
TonyT

Found the problem. I needed NAT Traversal turned on.
TonyT

From Azure unable to connect internal LAN network with windows RRAS site to site VPN

Hi All,
Below is my scenario.
Our side.
We have installed RRAS on Windows 2012 R2 on VMware and created a site to site VPN with azure.
on RRAS server we have two interfaces
eth0- 10.1.1.1
eth1- 10.1.1.2
We have natted(static nat) internal ip (eth0) 10.1.1.1 with public ip 1.1.1.1 (eg.).
On Azure,
We created a gateway, and two VMs.
VM1 = 11.11.11.1
VM2 = 11.11.11.2
Both VMs can ping each other.
VPN gateway on Azure and demand dial on RRAS server shows connected and, in and out data shows as well.
We can ping, tracert and rdp the RRAS server using both the interfaces IP [eth0- 10.1.1.1 , eth1- 10.1.1.2]
But we are unable to ping, tracert or rdp our other internal Lan machines on 10.1.x.x
So we can reach Azure VM from our RRAS and
we can reach RRAS server from Azure VM.
But we cannot reach our other internal Lan machines from Azure VM and from other internal Lan machine to Azure VM.
Please help?

I will give you some pointers to check.
The reason for this could be one of the two
- local site in azure virtual network is not configured correctly
- route for the azure subnet is not setup correctly on rras server
Can you please validate the above?
Open the Routing and Remote access UI and verify that there is a static route for azure subnet and the interface is the public ip of the azure gateway.
Also verify that you have a local site created with the on-premises subnet and added in the azure virtual network.
What is the gateway specified in the on-premises VM. Provide it as the IP of eth1, the IP that is not natted
Is NAT allowing all traffic in or is it restricted to certain points.
This posting is provided "AS IS" with no warranties, and confers no rights

Azure Site to Site VPN with Cisco ASA 5505

I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
(Does azure support 9.x version of asa?)
How can i fix it?

Hi,
As of now, we do not have any scripts for Cisco ASA 9x series.
Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
demonstrated in this blog:
Step-By-Step: Create a Site-to-Site VPN between your network and Azure
http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
You can refer to this article for Cisco ASA templates for Static routing:
http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
Did you download the VPN configuration file from the dashboard and copy the content of the configuration
file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
According to the
Cisco ASA template, it should be similar to this:
access-list <RP_AccessList>
extended permit ip object-group
<RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNetwork>
<RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
<RP_AzureNetwork>
Based on my experience, to establish
IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
compatible for dynamic routing, please make sure that you chose the static routing.
Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
Hope this helps you.
Girish Prajwal

Multiple Site-Site VPN Tunnel on a Single PiX Firewall

I cureently have a site to site VPN tunnel (VPN1) between HK (Pix ver 6.1(2) & Leeds (ASA version 7.2(2). I am in the process of migrating the VPN tunnel to a newly deployed 10 Mb internet link in Leeds which has a Pix 506E Ver 7.0(2). I have decided to create a 2nd VPN tunnel to HK (VPN2) and will shutdown VPN1 when VPN2 is up.
On the HK PIX I am using the same isakmp policy, transform-set and have created another crypto map for the the new VPN (VPN2).
On passing intersting traffic to establish the new tunnel for the Leeds end, I am gettting the following debugging errors.
Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24150, mess id 0x47595d7)!
Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24860, mess id 0x9cafcd4d)!
Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
sh Feb 04 15:06:47 [IKEv1]: QM FSM error (P2 struct &0x1d085d0, mess id 0x458d4091)!
Feb 04 15:06:47 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.0.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Site HK - PIX1(192.168.0.1)
crypto ipsec transform-set chevvie esp-des esp-md5-hmac
(crypto map for existing VPN (VPN1)
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 192.168.0.2
crypto map transam 1 set transform-set chevvie
(New Crpto Map for new VPN (VPN2)
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 101
crypto map transam 2 set peer 192.168.0.3
crypto map transam 2 set transform-set chevvie
crypto map transam interface outside
isakmp enable outside
isakmp key ****** address 192.168.0.2 netmask 255.255.255.255
isakmp key ev0lut10n address 192.168.0.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp am-disable
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
Site - Leeds PIX2 (192.168.0.3)
crypto ipsec transform-set ford esp-des esp-md5-hmac
crypto map VPNHK 2 match address outside_crypto_acl
crypto map VPNHK 2 set peer 192.168.0.1
crypto map VPNHK 2 set transform-set ford
crypto map VPNHK interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp am-disable
tunnel-group 192.168.0.1 type ipsec-l2l
tunnel-group 192.168.0.1 ipsec-attributes
pre-shared-key ev0lut10n
sysopt connection permit-ipsec
Your assistance will be grately appreciated.

How could the HK PIX decide which tunnel to use if you apply the same ACL to both? You have to choose a different subnet to Leeds2.
Peter

How can i test Site to site VPN in Azure

Hi,
i have create site to site vpn in Azure. Now i want to test the connection from my local network. How can i test the connection is established or not from my local network
Thanks

Hi,
Please refer the following links :
http://azure.microsoft.com/en-us/documentation/articles/virtual-networks-create-site-to-site-cross-premises-connectivity/
http://azure.microsoft.com/en-us/documentation/articles/virtual-networks-create-site-to-site-cross-premises-connectivity/
Or
You can take network traces to make sure traffic is going to, and making is across, the VPN tunnel.
Regards,
Bharath

Azure Site-to-Site VPN works, but RDP/Server Manager/Replication does not.

Hi,
At home, I have a Raspberry Pi with Raspbian as OS. I have installed OpenSwan to make a Site-to-Site VPN between the Raspberry and Azure. The Raspberry has an IP Address of 192.168.1.2 behind NAT. Ping works from both sites, but I'm not able to RDP or for
example manage the servers within the Server Manager. The AD Replication doesn't work either, but I was able to join a VM in Azure over this VPN. I'm using the following configuration:
Network topology:
• 192.168.1.0/24 - Home network
• 192.168.2.0/24 - Azure network
• 192.168.1.1 - Home router's private IP
• 192.168.1.2 - Raspberry Pi
I enabled L2TP Passthrough in the router firewall and I tried to forward the following ports to my RPI:
• UDP 500
• UDP 4500
I also tried to place the Pi in the DMZ.
My ipsec.conf looks like this:
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%4:192.168.1.0/24
    protostack=auto
    interfaces="ipsec0=eth0"
conn azure
    authby=secret
    auto=start
    type=tunnel
    left=192.168.1.2
    leftsubnet=192.168.1.0/24
    leftnexthop=192.168.1.1
    right=[Azure IP]
    rightsubnet=192.168.2.0/24
    ike=3des-sha1-modp1024,aes128-sha1-modp1024
    esp=3des-sha1,aes128-sha1
    pfs=no
ipsec.secrets:
192.168.1.2 [Azure IP] : PSK "AzureSecret"
That got the link up and running, to allow routing between sites:
/etc/sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
IPtables rules:
iptables -A FORWARD -s 192.168.2.0/24 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -m policy --dir out --pol ipsec -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
The NAT table allows the Azure VM's to connect to any machine on my home network:
iptables -A PREROUTING –t nat -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination [Azure IP]:4500
iptables -A PREROUTING –t nat -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination [Azure IP]:500
iptables –t nat -A POSTROUTING -o eth0 -j MASQUERADE
With all this I can ping and communicate in both directions, all Azure VM's can see my home network, all home network machines can see my Azure VM's.
Any idea what's going wrong? Thank you!

Hi Arvind,
I can confirm that RDP from the server in Azure works to my home lab. It doesn't work from my home lab (DC01) to Azure (DC02-1). I did a capture on my DC01 with NetMon.
DC01 is 192.168.1.10 (home)
DC02-1 is 192.168.2.4 (Azure)
I found the following 'errors' in the capture:
- Scale factor not supported
- Checksum: 0x9EBF, Disregarded
Do you know what's the problem?
Take a look at the capture below:
215 11:24:20 27-12-2014 1.8730574 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:Flags=CE....S., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=4073688143, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:5, IPv4:11}
222 11:24:20 27-12-2014 1.9105602 mstsc.exe 192.168.2.4 192.168.1.10 TCP TCP:Flags=.E.A..S., SrcPort=MS WBT Server(3389), DstPort=50487, PayloadLen=0, Seq=3665192609, Ack=4073688144, Win=64000 ( Scale factor not supported ) = 64000 {TCP:5, IPv4:11}
223 11:24:20 27-12-2014 1.9106166 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:Flags=...A...., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=4073688144, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
224 11:24:20 27-12-2014 1.9118241 mstsc.exe 192.168.1.10 192.168.2.4 RDP RDP:Windows stub parser: Requires full Common parsers. See the "How Do I Change Parser Set Options(Version 3.3 or before) or Configure Parser Profile (Version 3.4)" help topic for tips on loading these parser sets. {TCP:5, IPv4:11}
236 11:24:20 27-12-2014 2.2214169 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
262 11:24:21 27-12-2014 2.8307052 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
338 11:24:22 27-12-2014 4.0339011 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
370 11:24:23 27-12-2014 4.9156751 mstsc.exe 192.168.2.4 192.168.1.10 TCP TCP:Flags=.E.A..S., SrcPort=MS WBT Server(3389), DstPort=50487, PayloadLen=0, Seq=3665192609, Ack=4073688144, Win=64000 ( Scale factor not supported ) = 64000 {TCP:5, IPv4:11}
371 11:24:23 27-12-2014 4.9157253 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:Flags=...A...., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
383 11:24:23 27-12-2014 5.2369090 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
429 11:24:25 27-12-2014 6.4450070 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
520 11:24:27 27-12-2014 8.8541736 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
587 11:24:29 27-12-2014 10.9267084 mstsc.exe 192.168.2.4 192.168.1.10 TCP TCP:Flags=...A..S., SrcPort=MS WBT Server(3389), DstPort=50487, PayloadLen=0, Seq=3665192609, Ack=4073688144, Win=64000 ( Scale factor not supported ) = 64000 {TCP:5, IPv4:11}
Frame: Number = 587, Captured Frame Length = 62, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[MAC Address],SourceAddress:[B8-27-EB-8C-CA-84]
+ Ipv4: Src = 192.168.2.4, Dest = 192.168.1.10, Next Protocol = TCP, Packet ID = 17414, Total IP Length = 48
- Tcp: Flags=...A..S., SrcPort=MS WBT Server(3389), DstPort=50487, PayloadLen=0, Seq=3665192609, Ack=4073688144, Win=64000 ( Scale factor not supported ) = 64000
SrcPort: MS WBT Server(3389)
DstPort: 50487
SequenceNumber: 3665192609 (0xDA7666A1)
AcknowledgementNumber: 4073688144 (0xF2CF8C50)
+ DataOffset: 112 (0x70)
+ Flags: ...A..S.
Window: 64000 ( Scale factor not supported ) = 64000
Checksum: 0x57F9, Good
UrgentPointer: 0 (0x0)
+ TCPOptions:
588 11:24:29 27-12-2014 10.9267808 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[Dup Ack #371]Flags=...A...., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
698 11:24:32 27-12-2014 13.6755119 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
Frame: Number = 698, Captured Frame Length = 73, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[MAC Address],SourceAddress:[MAC Address]
+ Ipv4: Src = 192.168.1.10, Dest = 192.168.2.4, Next Protocol = TCP, Packet ID = 17408, Total IP Length = 59
- Tcp: [ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840
SrcPort: 50487
DstPort: MS WBT Server(3389)
SequenceNumber: 4073688144 (0xF2CF8C50)
AcknowledgementNumber: 3665192610 (0xDA7666A2)
+ DataOffset: 80 (0x50)
+ Flags: ...AP...
Window: 515 (scale factor 0x8) = 131840
Checksum: 0x9EBF, Disregarded
UrgentPointer: 0 (0x0)
RetransmitPayload: Binary Large Object (19 Bytes)
722 11:24:32 27-12-2014 14.3901288 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:Flags=C..A.R.., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=4073688163, Ack=3665192610, Win=0 (scale factor 0x8) = 0 {TCP:5, IPv4:11}

Can't ping from DC1 behind TMG1 to DC2 behind TMG2 on a site-to-site VPN connection

Hi,
I have a weird problem. I have two TMG servers on each site in a hyper-v lab environment. I have been able to establish the site-to-site VPN successfully however when I ping from DC1 behind TMG1(on site 1) to TMG2, DC2, i am able to ping. However the opposite
doesn't work. After some trial and error, I figured out that the one initiating the demand-dial request is able to ping the other site, not vice-versa..very strange. I would like to know whether ICMP requests could be achieved bi-directionally..
Secondly, I am able to ping from TMG1 to all the clients sitting behind TMG2 (including the TMG host), however the clients sitting behind TMG1 can't ping TMG2 neither any of the clients behind it. I tried every possible combination under the firewall policies
but of complete vain. hell, I am starting to develop a very bad feeling about this product because of making such simple tasks overly complex. I mean, if it were a Cisco or Sonicwall, we could have done this so easily.
What my final motive is to send LDAP requests from DC1 to DC2 and vice-versa over a site-to-site VPN so that I could set up 2 different sites in AD on different subnets and then proceed with configuring DAG. But if this simple thing turns out to be such
major roadblock, dunno how am I gonna pass DAG traffic over it.
Can someone PLEASE help me!! I am completely exhausted researching on this issue.
Regards,
Dman

Hi，
For site2site VPN, you must create proper network rule and network set and you need to create proper access rule to allow or deny the traffic between VPN network and any other network.
http://technet.microsoft.com/en-us/library/bb838949.aspx
Best Regards
Quan Gu

Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices

Hello
I've been experimenting with moving certain on-premise servers to Azure however they would need a site-to-site VPN link to our many branch sites e.g. monitoring of nodes.
The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISR's. However three of our key sites use Cisco ASA devices which are listed as 'Not Compatible' with dynamic routing.
So I am stuck...
What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
I was hoping Azure's VPN solution would be very flexible.
Thanks

Hello RTF_Admin,
1. Which is the Series of CISCO ASA device you are using?
Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as demonstrated in this blog:
Step-By-Step: Create a Site-to-Site VPN between your network and Azure
http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
You can refer to this article for Cisco ASA templates for Static routing:
http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device as Multisite VPN requires dyanmic routing and unfortunately there is no tweak or workaround due to hardware compatibility issue.
I hope that this information is helpful
Thanks,
Syed Irfan Hussain

UNABLE TO ACCESS THE INTERNET FROM LOCAL PROVIDER ON A SITE-TO-SITE VPN CONNECTION

Dear All,
I have a site-to-site connection from point A to point B. From point B i am unable to access the internet from local internet provider.
I am trying to ping from 192.168.20.1 the dns 8.8.8.8 but i receive the message "destination net unreachable".
When i run "show ip nat translation" i receive nothing.
The vpn connection is working properly, i can ping the other side 192.168.10/24
Below is the configuration of the cisco router on point B.
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.21.254
ip dhcp pool voice
network 192.168.21.0 255.255.255.0
default-router 192.168.21.254
option 150 ip 192.168.5.10
ip cef
ip domain name neocleous.ru
ip inspect name IOS_FIREWALL tcp
ip inspect name IOS_FIREWALL udp
ip inspect name IOS_FIREWALL icmp
ip inspect name IOS_FIREWALL h323
ip inspect name IOS_FIREWALL http
ip inspect name IOS_FIREWALL https
ip inspect name IOS_FIREWALL skinny
ip inspect name IOS_FIREWALL sip
no ipv6 cef
multilink bundle-name authenticated
vty-async
isdn switch-type primary-net5
redundancy
crypto isakmp policy 5
hash md5
authentication pre-share
group 2
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp policy 50
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Pb85heuvMde9Wdac5Qohha7lziIf142u address [ip address]
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto ipsec transform-set TRANSET esp-aes esp-sha-hmac
crypto ipsec transform-set TRANSET2 esp-des esp-md5-hmac
crypto ipsec df-bit clear
crypto map CryptoMAP1 ipsec-isakmp
set peer [ip address]
set transform-set TRANSET
match address CryptoACL
interface FastEthernet0/0
description Primary Provider
ip address [PUBLIC IP MAIN PROVIDER] 255.255.255.252
ip access-group outside_acl in
ip mtu 1390
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
crypto map CryptoCY
crypto ipsec df-bit clear
interface FastEthernet0/1
description TO LAN
no ip address
load-interval 30
speed 100
full-duplex
interface FastEthernet0/1.1
description DATA VLAN
encapsulation dot1Q 20
ip address 192.168.20.254 255.255.255.0
ip access-group inside_acl in
ip nat inside
ip inspect IOS_FIREWALL in
ip virtual-reassembly in
ip tcp adjust-mss 1379
interface FastEthernet0/1.2
description VOICE VLAN
encapsulation dot1Q 21
ip address 192.168.21.254 255.255.255.0
interface Serial0/2/0:15
no ip address
encapsulation hdlc
isdn switch-type primary-net5
isdn incoming-voice voice
no cdp enable
interface FastEthernet0/3/0
no ip address
ip access-group outside_acl in
ip nat outside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
crypto map CryptoCY
ip local pool VPNPool 192.168.23.2 192.168.23.10
ip forward-protocol nd
ip http server
no ip http secure-server
ip nat inside source list nat_list interface FastEthernet0/3/0 overload
ip route 0.0.0.0 0.0.0.0 [default gateway ip]
ip access-list standard VTY
permit 192.168.20.0 0.0.0.255
ip access-list extended CryptoACL
permit ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip host 192.168.22.1 192.168.5.0 0.0.0.255
permit ip host 192.168.20.1 192.168.5.0 0.0.0.255
permit ip host 192.168.22.1 192.168.6.0 0.0.0.255
ip access-list extended DFBIT_acl
permit tcp any any
ip access-list extended inside_acl
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.35
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.39
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.23
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.18
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.55
permit ip 192.168.20.0 0.0.0.255 host 192.168.10.144
permit ip 192.168.20.0 0.0.0.255 host 192.168.10.146
permit ip 192.168.20.0 0.0.0.255 host 192.168.10.141
permit ip host 192.168.20.253 host 192.168.3.21
permit ip host 192.168.20.254 host 192.168.3.21
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.10
permit ip 192.168.20.0 0.0.0.255 host 192.168.20.254
ip access-list extended nat_list
deny ip host 192.168.20.254 192.168.10.0 0.0.0.255
deny ip host 192.168.20.254 192.168.3.0 0.0.0.255
deny ip host 192.168.20.1 192.168.3.0 0.0.0.255
deny ip host 192.168.20.1 192.168.10.0 0.0.0.255
deny ip host 192.168.20.2 192.168.3.0 0.0.0.255
deny ip host 192.168.20.2 192.168.10.0 0.0.0.255
permit ip host 192.168.20.1 any
permit ip host 192.168.20.2 any
permit ip host 192.168.20.254 any
ip access-list extended outside_acl
permit gre any host [ip address]
permit esp any host [ip address]
deny ip any any
ip sla 2
icmp-echo 192.168.10.254 source-interface FastEthernet0/1.1
frequency 180
timeout 500
ip sla schedule 2 life forever start-time now
logging 192.168.3.21
route-map DFBIT_routemap permit 10
match ip address DFBIT_acl
set ip df 0
route-map ISP2 permit 10
match ip address nat_list
match interface FastEthernet0/3/0
route-map nonat permit 10
match ip address nonat_acl
route-map ISP1 permit 10
match ip address nat_list
match interface FastEthernet0/0

You cannot access internet, because all traffic is tunneled for VPN !!!!
Please see cisco tech documentation and bypass traffic for internet.
eg. if lan traffic is going from site a to site b then through vpn
else
lan traffic to internet (any) should be out thorugh the vpn .

Site to site vpn from pix to Azure

Similar Messages

Maybe you are looking for