Thursday, June 21, 2012

Configuring a Windows Azure Virtual Network with a Cisco ASA 5505-BUN-K9 Adaptive Security Appliance

Contents: (This is a preview.)

Updated 6/21/2012: Reorganized topics and repeated Setup Wizard operations; outside VLAN still not connected. (See end of the Configuring the ASA 5505’s inside and outside Interfaces section.)

This tutorial is intended as a guide for setting up a Windows Azure Virtual Network (WAVN) to support single sign-on of Remote Desktop Services (formerly Terminal Services) clients by Active Directory domain users and admins with the new Windows Azure Active Directory (WAAD) feature. The tutorial doesn’t require prior network administration experience. The Windows Azure Team announced the WAAD preview on June 7, 2012 at the Meet Windows Azure conference in San Francisco.

The following slide from Mark Russinovich’s Windows Azure Virtual Machines and Virtual Networks session on day 1 of TechEd North America 2012 describes the Virtual Network topology of a Fabrikam Events Manager sample hybrid cloud application with a Site-to-Site (S2S, cross-premises) VPN Tunnel created by a hardware VPN device:


Windows Azure Active Directory (WAAD) provides authentication of users and administrators of the Windows Azure Web roles in the FrontEnd Subnet (10.3.1/0/24). You can learn more about WAAD and WAVN from the following resources:

This post is based in part on the Windows Azure Team’s Create a Virtual Network for Cross-Premises Connectivity tutorial and uses some identical subnet names and addresses for clarity.


  • A trial or paid Windows Azure subscription with Preview features enabled.
  • Remote Desktop Services configured in a Windows Server 2008 R2 instance of Small or larger size running as a Windows Azure Virtual Machine, as described in my earlier Installing Remote Desktop Services on a Windows Azure Virtual Machine running Windows Server 2012 RC post.
  • A local Windows Server 2003 R2 SP1 or later domain controller with Active Directory installed and running.
  • A hardware VPN appliance or router, preferably from the list of supported devices below, with the latest software upgrade, which is v8.3 for Cisco ASA 5500 series.
  • Java runtime v6.0 or higher installed (Java v7 Update 5 is used for this example)
  • The VPN device connected and configured at least to the point that tunnels can be configured by you or a network administrator
  • A Remote Desktop Services Per User or Per Device Client Access License (CAL) for each user of or device connected to the services.
Supported VPN Appliances and Routers

Creating a WAVN between a WAVM and an on-premises domain with an Active Directory domain controller requires a hardware VPN appliance. When this tutorial was written, only the following Cisco and Juniper VPN routers and gateways were supported with installation script templates that were written and tested by the Windows Azure team:

Cisco Systems OS Family Juniper Networks OS Family
ASA 5500 Series ASA 8.3 SRX 210 Router JunOS 11.2r6 or JunOS 10.4r9
ASR 1001 IOS 15.2 SRX 1400 Router JunOS 11.2r6 or JunOS 10.4r9
ASR 1004 IOS 15.2 J Series Routers JunOS 11.2r6 or JunOS 10.4r9
ASR 1006 IOS 12.2 ISG Series Routers ScreenOS 6.3r9 or ScreenOS 6.2r13
ISR 2921 IOS 15.0 [SSG Series Routers]  
ISR 3925 IOS 15.2    
ISR 3945 E IOS 15.0    

Note: The current version of the Supported VPN devices list doesn’t include Juniper’s SSG series routers.

The Cisco ASA 5505-BUN-K9 Appliance Used for this Tutorial

A Cisco ASA5505-BUN-K9 10-user Adaptive Security Appliance provides the hardware VPN device required by WAAD in this tutorial. This device includes a Basic License for 3 Virtual LANs (VLANs), 10 bundled IPSec and two bundled SSL user sessions. Cisco ASA 5500-series devices replace Cisco’s PIX series firewalls and have been very popular for many years as an Internet firewall for SOHO environments. This device is available from affiliates and other network hardware sellers for about US$325.


I used Richard A. Deal’s Cisco ASA Configuration book (ISBN-10: 0071622691, McGraw-Hill, 2009, 718 pp., US$35.32) as a reference when setting up OakLeaf’s ASA5505, which was purchased to test WAVN and later provide a VPN for the OakLeaf domain. Deal’s The Complete Cisco VPN Configuration Guide (ISBN-10: 1587052040, Cisco Press, 2005) is a bit pricey at US$67.40 from

I recommend Harris Andrea’s Cisco ASA Firewall Fundamentals - 2nd Edition eBook (PDF format at US$29.95), which includes a copy of his ASA 5505 Configuration Tutorial eBook and covers ASA software v3. The latter title provides seven configuration examples, none of which apply directly to this tutorial because OakLeaf’s Internet router is configured for five fixed IP addresses, not DHCP.

Note: Michael Dale posted a comparative Cisco ASA 5505 vs Juniper SSG 5 review in early 2008. Although the review is somewhat dated (Cisco software v7.2 and Juniper ScreenOS, replaced by JunOS), it is detailed and appears unbiased. The Juniper SSG5-SB 128MB Security Services Gateway is available from affiliates and other network hardware sellers for about US$490.

Mark Russinovich briefly showed the Home page of the Adaptive Security Device Manager (ADSM) Web UI for the ASA 5505 at 00:55:33 in his Windows Azure Virtual Machines and Virtual Networks session video archive:


Here’s the ASDM Java app’s configuration pane showing interfaces to seven subnets defined in the Virtual Networking portal:


Virtual Networking content begins at 00:48:09 into Mark’s session.
Connecting the Cisco ASA 5505 to Your Local Area Network and the Internet

According to Cisco’s Configuring Interfaces topic of the Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3:

The ASA 5505 adaptive security appliance supports a built-in [8-port] switch. There are two kinds of ports and interfaces that you need to configure:

  • Physical switch ports—The adaptive security appliance has 8 Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE ports. See the "Power over Ethernet" section for more information. You can connect these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem. Or you can connect to another switch.
  • Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services. In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services. See the "Maximum Active VLAN Interfaces for Your License" section for more information about the maximum VLAN interfaces. VLAN interfaces let you divide your equipment into separate VLANs, for example, home, business, and Internet VLANs.

To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs.

The ASA 5500’s Basic license for the default Router configuration provides three VLANs, two of which are preconfigured for your local LAN (inside, and your Internet provider (outside, DHCP). These default configurations are intended for protecting new Internet-connected SOHO networks where the ASA 5505 provides the Dynamic Host Configuration Protocol (DHCP) server to assign IP addresses to network local PCs.

Here’s the layout of the ASA 5505’s rear panel and its connectors:


Power over Ethernet (PoE) ports are intended for Internet phones and wireless gateways that don’t have their own power supplies.

Following are the required cable connections:

image1. To provide direct (terminal) access to the ASA 5505’s Command Line Interface (CLI) for configuring and managing the device, plug the RJ-45 connector of the Cisco-supplied flat, blue cable into the Console port. Plug the other end into a female DB-9 (serial) connector on the PC you use to configure and manage the ASA 5505.

imageNote: If you don’t have a serial port on your PC (for instance, my development machine built with an Intel DQ45CB motherboard doesn’t have one), you can buy a 1-foot USB-to-Serial cable with driver software for about $12.00 (plus shipping charges and sales tax) from SF Cable and probably other retailers. This device requires configuring terminal programs for COM11.

2. To connect the outside interface, plug one end of the Cisco-supplied yellow network cable into a port of your DSL or cable Internet modem/router. Plug the other end into the ASA 5505’s Port 0.

image3. To connect the inside interface, Plug one end of a Cat 5 or higher network cable into an unused network interface card (NIC) of the PC you use to configure and manage the ASA 5505. Plug the other end into the ASA 5505’s port 1 (or any other open port).

Note: If the configuration and management PC is already connected to a private LAN and doesn’t have an open NIC, purchase a NIC to create a multihomed host PC. You can purchase a Realtek RTL8139D 10/100Mbps PCI Fast Ethernet Adapter from an affiliate for about US$7.00 (plus shipping). For potential issues with multihomed PCs, see the later Troubleshooting ASDM Connection Problems on Multi-Homed PCs section. This tutorial assumes a multihomed configuration and management PC.

4. To configure the inside interface’s NIC, open the Network and Sharing Center tool, which will display links to your LAN (OakLeaf LAN for this example) and new NIC (New NIC for this example):


5. Click the New NIC link to open the Network Connections window with the New NIC button selected:


6. Right-click the New NIC button and choose Properties to open the New NIC Properties dialog and select the Internet Protocol Version 4 (TCP/IPv4) item:


7. Click the Properties button to open the IPv4 properties dialog, select the fixed IP option, type the IP Address, Subnet Mask, Default Gateway, and Preferred DNS Server addresses, and mark the Validate Settings Upon Exit check box:


Note: You can obtain all address values required except the IP Address by opening the OakLeaf LAN IPv4 Properties page.

8. Click OK twice to close the dialogs and apply the settings. If you receive the following warning message, click Yes to dismiss it:


Note: The warning message results from configuring the Default Gateway for one NIC by DHCP and the other with a fixed IP address and, in this case, can be safely ignored. See the later Troubleshooting ASDM Connection Problems on Multi-Homed PCs section for more details.

Resetting the ASA 5505 to Factory Default Configuration and Changing Its IP Address with the Command Line Interface (CLI)

By default, the ASA 5505 is configured to provide a private Small Office/Home Office (SOHO) network, which Cisco calls the inside Virtual LAN (VLAN), with a firewall-protected Internet connection, which Cisco calls the outside VLAN. The default gateway IP address of the inside network and the ASA 5505 is with a subnet mask of If you don’t have a LAN or are willing to rebuild an existing one, you can use the default IP address. Otherwise, you must change the default inside IP address to a free IP address ( for this example) within your private LAN’s address range ( to for this example.)

Tip: ADSM’s Start Up Wizard, which you’ll use in the next section, claims to enable you to reset the ASA 5505 to its factory default configuration and optionally specify a different IP address on its first page. As reported in many articles on the Internet, this feature does not work.

You must use the Command Line Interface (CLI) to perform the reset operation. The CLI is accessible to a terminal app via a COM port connected to the console connector on the back of the ASA 5505, as described in the previous section. Windows 7 and later no longer provide a built-in terminal program, such as HyperTerminal, so the following procedure uses the open-source PuTTY terminal program.

After you’ve made the COM connection, do the following to reset the ASA 5505 device to the factory default condition:

image1. Download, save and run the Windows Installer for Putty 0.62 from here. PuTTY is a simple open-source terminal program with SSH, RLogin and Telnet capabilities.

2. Double-click the desktop icon to start Putty and display the default dialog; select the Serial option:


3. Click the Serial node to open the Serial configuration dialog, select None as the Flow Control option and accept the remaining defaults:


Note: If you have a serial device connected to COM1 already or you have existing COM ports without connectors, which is typical for computers based on recent Intel motherboards, type an unused COM port in the text box.

4. Click the Session node to return to Putty’s default dialog and click Open to open a terminal window, press Return to display a ciscoasa prompt.

5. Type ena, Enter to enter enable mode and press the spacebar to bypass the password prompt, which changes the prompt to ciscoasa#.

6. Type config t, Enter to enter configuration mode, which changes the prompt to ciscoasa(config)# The t is an abbreviation for terminal.

7. Type config factory-default.

8. If you want to change the address of the inside Vlan 1, add the new IP address and subnet mask, for example config factory-default

Note: There appears to be considerable variation in Internet articles about changing the IP address of the inside Vlan1. The command shown in step 8 is the simplest of all, because it deletes the dhcpd address pool before assigning the new address, which avoids pool-related error messages.

9. Press Return to issue a substantial number of commands. Press the spacebar to page through the more prompts.

10. When the ciscoasa(config)# prompt reappears, type reload save-config to save the factory configuration code to ephemeral memory:


9. Type y at the Proceed with reload? [confirm] prompt to save the configuration to flash memory.

10. Type exit, Return twice to log off, and close PuTTY’s window.

Your software version will be reset to ASA v8.2(5).

Configuring inside and outside Interfaces

As noted earlier OakLeaf’s internal (inside) network is, (, class B) with its default gateway and DNS server at with some clients having fixed IPs and others having DHCP-assigned addresses in the 10.7.5.x (class C) range:

imageRouting and Remote Access Services (RRAS) running on the Windows 2003 R2 domain controller provides Internet connectivity to an AT&T DSL connection with the first of five fixed IP addresses, through 246 with a default gateway of is NATted to provide Internet connectivity to the local LAN, and 244 are occupied by a smart TV and BluRay Disk player. Therefore, the outside interface will use

To configure the two or three interfaces, do the following

1. Change the IP address of the ASA 5505 to an unused LAN address ( for this example) by the process described in the earlier Resetting the ASA 5505 to Factory Default Configuration and Changing Its IP Address with the Command Line Interface (CLI) section. (You change the IP address in step 8.)

2. Start ADSM in the browser with the new IP address you assigned in step 1,, click Yes and OK to dismiss the initial dialogs to display the Cisco ASDM 6.4(5) splash screen:


3. Click the Run Startup Wizard and click Yes and OK to dismiss initial messages to open the Cisco Call Home dialog:


4. Choose an option and click OK or Remind Me Later, which displays a nagware message, to open the Startup Wizard’s Starting Point (Step 1) page. Accept the Modify Existing Configuration Option to use the new IP Address you assigned in step 1:


Note: As mentioned earlier, changing the IP address by selecting the Reset Configuration to Factory Defaults and specifying the IP Address and Subnet Mask doesn’t work. There are numerous references to this issue on the Internet.

5. Click Next to open the Basic Configuration (Step 2) page. Accept the default ciscoasa as the Device Name, and type your Active Directory or an arbitrary Domain Name:


Note: Password-protecting the Enable mode account is optional at this point.

6. Click Next to open the Step 3 page, accept the defaults to create the standard three-VLAN configuration or, if you don’t need or want a demilitarized zone, select the Do Not Configure option for the dmz VLAN:


7. Click Next to open the Switch Port Allocation (Step 4) page, accept the default allocation of the Ethernet0/0 port to the outside VLAN and the remaining seven ports to the inside VLAN:


8. Click Next to open the Interface IP Address Configuration (Step 5) page. If your Internet Service Provider (ISP) doesn’t offer DHCP, mark the Use the Following IP Address, type the IP address and subnet mask of an assigned fixed IP address (, for this example) for the outside IP Address and accept the default (, for this example) for the inside VLAN:


9. Click Next to open the DHCP Server (Step 6) page and clear the Enable DHCP Server on the Inside Interface check box:


10. Click Next to open the Address Translation (NAT/PAT) Page and accept the default Use Port Address Translation (PAT) and Use the IP Address on the Outside Interface options:


11. Click Next to open the Administrative Access page, accept the default IP address which enables any host on the LAN subnet to access the ASA, and the marked Enable HTTP Server checkbox:


12. Click Next to display the Startup Wizard Summary (Step 9) page:


13. Click Finish to dismiss the Wizard and display the Device Information:


Note: I’m presently investigating why the outside interface is down.

14. Select the address in the Device List and press delete to remove it.

image15. Click the Save Running Configuration to Flash button to save the configuration.

16. Change the software version as described in the Upgrading to ASA v8.3(1) Software on Cisco ASA 5505s with Earlier Versions section that follows.

Upgrading to ASA v8.3(1) Software on Cisco ASA 5505s with Earlier Versions

Currently shipping ASA 5505s (as of May 12, 2012, the date my ASA 5505 was initially configured) are configured with ASA v8.2(5) software and include a CD-ROM with v8.3(1) software. WAVN requires v8.3 software, which necessitates a software upgrade by following these steps:

1. Plug a network cable from the NIC on the PC used to manage the ASA 5505 to a switch port other than 0 of the device, port 1 for this example. (Port 0 is reserved for the outside VPN’s connection to the Virtual Machine running on Windows Azure.) Power the unit if it’s unplugged.

Note: ASA 5505s use DHCP by default to set the IP address (192.168.1.n, within a to range), gateway address ( by default), and subnet mask ( This is the default address of the inside network (LAN).

2. Open IE 6.0 or later with Java 7.5 or later installed, and type, ignore the Certificate warning, and continue to open the Cisco ASDN 6.4(5) landing page:


Note: If you can’t open the Cisco ASDM 6.4(5) or later page, see the Troubleshooting ASDM Connection Problems on Multi-Homed PCs Section below.

3. Click the Run ASDM button to start opening a session, which displays the following Security Warning and mark the Always Trust Content from this Publisher checkbox to avoid seeing this message again:


4. Click Yes to open the Launcher dialog, leaving the Username and Password text boxes empty (Defaults are used until you provide administrative user names and passwords.)


5. Click OK to open the Cisco ASDM 6.4 for ASA management app’s default Devise Information tab and verify the installed ASA version (8.2(5) for a device purchased in June 2012):


6. If the ASA Version is lower than 8.3(1), choose Upgrade Software from Local Computer from the Tools menu:


to open the Upgrade Software dialog.

7. Load the Cisco ASA 5500 Series and ASD Software & Documentation CD-ROM, choose ASA in the Image to Upload list:


8. Click Browse Local Files and navigate to the …\ASA folder and select asa831-k8.bin:


9. Click Select to add the Flash File System Path:


10. Click Upload Image to upload about 16 MB and click Yes when asked if you want to set the image as the boot image:


11. Click OK to dismiss this information dialog:


12. Choose System Reload from the Tools menu to open the eponymous dialog:


13. Accept the default options and Click Schedule Reload, click Yes when when asked “Are you sure …? to display the Reload Status dialog:


16. Close the Reload Status dialog and wait for the Refresh to complete. The Device Dashboard’s Device Information pane confirms that the ASA Version is now 8.3(1).


Note: Mark Russinovich used ASA 8.3(2)33 and ASDM 6.4(7) in his TechEd session. There are only minor differences between these versions and those installed from the CD-ROM.

Backing Up Configurations to local *.zip Files

In the event that you make an unrecoverable error when reconfiguring the ASA 5505, you need to make a configuration backup file by following these steps:

1. From the Tools menu, choose Backup Configurations to open the dialog of the same name, click the Browse Local button to open the Select File dialog, and type a descriptive name for the backup file, which requires a .zip type suffix:


2. Click Select File to close the dialog and return to the Backup Configurations dialog:


3. Click Backup to start the backup process and display the Backup Progress dialog:


4. Click Close to display the Backup Statistics dialog, which reports errors for missing elements that you haven’t configured yet:


5. The *.zip file contains four files at this point:


6. If you want to explore the file contents, extract the files and open running-config.cfg, startup-config.cfg in a full-featured text reader, such as TextPad:


Note: The file doesn’t have newline characters at the end of rows, so it isn’t easily readable in NotePad. enable_15 is the name of the default user with a blank password.

Restoring a Configuration Backup

If you made a configuration backup, following are the steps to restore it:

1. Choose Restore Configurations from the Tools menu to open the eponymous dialog, click the Browse Local button to open the Select File dialog, navigate to the folder in which you stored the *.zip backup file, select it, and click Select File to close the dialog and return to the Restore Configurations dialog:


2. Click Next to expand the dialog with check boxes enabled for those elements included in the selected backup file:


3. Mark the enabled check boxes, except the All SSL VPN Configurations check box, unless you’ve configured SSL VPNs.

4. Click Restore to open the Restore Progress dialog:


5. When restoration completes, click the Close button.

Troubleshooting ASDM Connection Problems on Multi-Homed PCs

Multiple NICs using DHCP from different domains is problematic with recent Windows versions. If the NIC connecting the management PC to your network uses DHCP to obtain its address or the domain has an active DHCP server, there’s a good chance that the management NIC will be assigned a domain network address rather the required to IP address range and gateway address for the 5505 adapter. It’s unlikely that you’ll be so lucky as to have an existing LAN with vacant.

To verify that the management NIC has the correct addresses assigned and fix the problem if it doesn’t, do the following:

1. Open a Command Prompt and type ipconfig to display connection data for the LAN and Cisco 5505. Appropriate settings for the Manage Cisco 5505 adapter appear as shown:


2. If the management adapter has a LAN address, such as that shown below, type ipconfig /release and ipconfig /renew to renew the leases:


3. Type ipconfig again and verify the correct management adapter address.

4. If the preceding steps don’t solve the problem, open the Network and Sharing Center dialog:


Note: The presence of both adapters as connections in the domain causes the adapter to receive its configuration from the domain controller’s DHCP server instead of the ASA 5505 DHCP server.

5. Click the management adapter in the View Your Active Networks section to open its Manage Status dialog:


6. Click the Disable button to remove the adapter from the Domain Network and close the dialog.

7. Click Change Adapter Settings, select the Management NIC in the Adapter Settings dialog:


8. Close the dialog and reopen the Network and Sharing Center tool, which now shows only the LAN adapter connection:


9. Click Change Adapter Settings to open the dialog, select the management NIC, and click Enable This Network Device to place it in a new Network 2:


Note: The NIC’s status will display as “Identifying …” for a minute or two.

10. Close the Adapter Settings dialog to return to the Network and Sharing Center windows with the device’s NIC in Network 2:


11. Remove the network connection to the management client PC.

12. Repeat steps 2 and 3 to reconfigure the manaqement NIC and verify the result:


13. Optionally*, reconnect the management PC’s NIC to the network, which should reconfigure the LAN adapter automatically.

14. If the LAN adapter isn’t configured, type ipconfig /renew OakLeaf* (substitute the first few characters which distinguish your LAN adapter’s name) and Enter at the command prompt to configure it.

* Note: Multihomed PCs with network adapters having different default gateways for disjoint networks aren’t supported by Windows 7 or earlier versions. If you assign the IP configuration shown in above step 12 to the ASA 5505’s NIC as a fixed address, subnet mask and default gateway, you receive the following message:


Such configurations cause problems with the management PC’s LAN connection, so you lose network connectivity while the management NIC is enabled. Therefore, you should enable the management NIC only when actively managing the ASA 5505. Notice that Mark Russinovich’s slide at the beginning of this post uses a subnet. This subnet enables connectivity to the ASA 5505 via its default gateway address, as shown in the two stills from the video of his presentation in the The Cisco ASA 5505-BUN-K9 Appliance Used for this Tutorial section above.

You will solve this multihoming issue when when you change the IP address of the ASA 5505 in the following section.

Installing and Configuring a Cross-Premises Windows Azure Virtual Network

I was unable to complete the following ASA5505 configuration for my home-office Windows network as depicted here:


imageThe AT&T DSL connection’s Internet gateway is at and has five fixed IP addresses at through Computers on the wired and wireless networks connect to with the server’s Routing and Remote Access’s Network Address Translation feature. For details of problems connecting DISH Network’s VIP722k DVR to a fixed IP address see my Changing AT&T DSL Fixed IP Addresses to DHCP to Accommodate DISH Network’s Broadband Configuration article of 8/15/2012 (incomplete).

1. Open the Windows Azure Preview portal and select Virtual Networks in the navigation pane:


2. Click the Create a Virtual Network button to open the Virtual Network Details page. Type a name for the VN, select Create a New Affinity Group, specify the Region and type an Affinity Group Name:


3. Click the Next button to proceed to page 2. Type a class B IP address in Classless Inter-Domain Routing (CIDR) format ( for this example), and three named class C subnets within the address space. For this example, the subnets and their CIDR addresses are:

  • FrontEndSubnet:
  • BackEndSubnet:
  • ADDNSSubnet:


3. Click the Next button to open page 3, type YourDNS and in the DNS Servers text boxes, mark the Configure Connection to Local Network check box, and select the Create a New Local Network in the Local Network list:


4. Click the Next button to proceed to newly created page 4:


5. Return to the Dashboard, which displays the status as “Gateway Not Created:”


6. After a minute or two, the Gateway IP Address for the outside network appears.


7. Write down the Gateway IP Address and click the Download button to open the Download VPN Device Config Script dialog and select ASA 5500 Series Adaptive Security Appliances to obtain the template for configuring the ASA 5505:


The content of the device configuration script for the Cisco ASA 5500 series is:

Note: Parameters that start with 'SP_' are specified parameters that you get from your Virtual Network settings in the Windows Azure Management Portal. Parameters that start with 'RP_' are parameters that you name by yourself.

! ACL Rules and Object-group configuration:
! e.g. object-group network azure-net
object-group network <RP_AzureNetwork>
  network-object <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
! e.g. object-group network cisco-net
object-group network <RP_OnPremiseNework>
  network-object <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkSubnetMask>
! e.g. access-list cisco-azure extended permit ip object-group cisco-net object-group azure-net
access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNework> object-group <RP_AzureNetwork>
! Internet Key Exchange (IKE) configuration:
crypto ikev1 enable outside
crypto ikev1 policy 10
  authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
! IPSec configuration:
! e.g. crypto ipsec ikev1 transform-set set1 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set <RP_IPSecTransformSet> esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
! Crypto map configuration:
! e.g. crypto map map 1 match address cisco-azure
crypto map <RP_IPSecCryptoMap> 1 match address <RP_AccessList>
crypto map <RP_IPSecCryptoMap> 1 set peer <SP_AzureGatewayIpAddress>
crypto map <RP_IPSecCryptoMap> 1 set ikev1 transform-set <RP_IPSecTransformSet>
crypto map <RP_IPSecCryptoMap> 1 set reverse-route
crypto map <RP_IPSecCryptoMap> interface outside
! Tunnel configuration:
! e.g. tunnel-group type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
ikev1 pre-shared-key <SP_PresharedKey>
! TCPMSS clamping:
sysopt connection tcpmss 1350

Here’s are the scripts available for Juniper devices:


More follows this week.


Anonymous said...

I look forward to the next part of the tutorial. Good stuff so far...

Anonymous said...

Good stuff - hooking up my 5510 to azure as we speak. We were able to skip most of the tutorial - and just focus on no-nat to the private azure network and setup the vpn tunnel - the prebuilt scripts make that very easy.

We are going to migrate lots of our on prem stuff to azure now the VM roles are persistent and move to 2012 server in the process. Can't wait - going to be a great project!

Anonymous said...

I missed the next part to this blog, did you finish?

Roger Jennings (--rj) said...


No, I haven't finished the second part because I decided to continue with fixed Internet IP addresses, which I haven't been able to handle with the 5510.