ASA DMVPN to Azure cloud

Hello

It looks like one of our customers is buying ISRs to connect to Microsoft Azure via DMVPN, because the Cisco ASA does not (yet) support it.

Will the ASA support this in a future release any time soon?

Finally, does anyone have any suggestions? (Apart from not using Azure ;-)

Based on comments from Cisco representatives in the DMVPN/FlexVPN sessions at Cisco Live!, there is no plan to support DMVPN/FlexVPN on the ASA. This may have changed since then, but I doubt it.

VPN infrastructure is evolving, slowly but surely, from the simple IPsec VPN strategies that the ASA supports toward the more modern and more flexible router-based VPNs such as DMVPN and FlexVPN. The key word here is "router", which puts the technology firmly within the scope of routers rather than security appliances.

The ASA units are very good at what they do, but modern VPN infrastructures are a bit beyond their reach.

Tags: Cisco Security

Similar Questions

  • How to run VMware virtual machines in the Microsoft Azure cloud?

    How do I run VMware Windows virtual machines in the Microsoft Azure cloud?

    Thank you

    Vincent

    This issue is beyond the scope of this (consumer) site, and to be sure you get the best (and fastest) reply, we have to ask you to post either on TechNet (for IT Pros) or MSDN (for developers).
  • Phase 3 of DMVPN. Two clouds on talk

    Hello! I have a question for the phase 3 of DMVPN

    Can I enable CEF rewriting (ip nhrp shortcut) on several (not just one) tunnel interfaces belonging to different DMVPN clouds on a spoke (two ISP connections on the spoke)?

    For example

    Spoke config:

    interface Tunnel1
     ! --- DMVPN cloud #1 ---
     ip nhrp network-id 1
     ip nhrp shortcut
     ....................
     tunnel source FastEthernet0/1
    !
    interface Tunnel2
     ! --- DMVPN cloud #2 ---
     ip nhrp network-id 2
     ip nhrp shortcut
     ...................
     tunnel source FastEthernet0/2

    Can CEF rewriting (ip nhrp shortcut) only be enabled on a single tunnel interface?

    Andrey,

    There is no limitation that restricts shortcut switching to a single interface - especially on a spoke where the two clouds are separated.

    There is only one restriction irt routing:

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/ipaddr/command/ipaddr-i4.html#GUID-23299F54-7B61-4EC4-A658-47E05B6B98DD

    How do you separate the two clouds towards the ISPs?

    M.

  • DMVPN router behind ASA - need help please.

    Hello

    After reading many other discussions on this topic, it appears that with the correct IOS and NAT-T active on the router, you can bring up DMVPN behind a NAT device.

    I tried to do this, but I cannot even get phase 1 going on the DMVPN. Routing was checked and I can ping the DMVPN routers' public IPs. I'm sure the router configurations are good, but I am asking whether any additional NAT is required on the ASA.

    Here is the topology:

    DMVPN hub > ASA > Internet > ASA > DMVPN branch

    The ASA on the hub side is in our data center and in production with several site-to-site tunnels and traffic to the DMZ. The DMVPN devices are a Cisco 2921 and a 1921. When I run "debug crypto isakmp" on both routers, I see ISAKMP messages being sent on the branch DMVPN router. Nothing on the hub, and no hits on the ASA ACL. I tried both the public IP address and the private IP address in the ACL on the ASA.

    I have attached the relevant configuration and can post more if necessary.

    Thank you

    Brandon

    Hello

    I finally had time to lab it.

    I used this topology:

    I have:

    ASA(config)# sh run nat
    nat (INSIDE,OUTSIDE) source static HUB-ROUTER-REAL-IP interface service udp-eq-4500 udp-eq-4500
    nat (INSIDE,OUTSIDE) source static HUB-ROUTER-REAL-IP interface service udp-eq-500 udp-eq-500
    !
    object network HUB
     nat (INSIDE,OUTSIDE) dynamic interface

    ASA(config)# sh run access-list
    access-list OUTSIDE extended permit udp any object HUB-ROUTER-REAL-IP eq isakmp
    access-list OUTSIDE extended permit udp any object HUB-ROUTER-REAL-IP eq 4500

    R2#sh run inter t0

    interface Tunnel0
     ip address 172.16.0.1 255.255.255.0
     no ip redirects
     no ip next-hop-self eigrp 1
     no ip split-horizon eigrp 1
     ip nhrp map multicast dynamic
     ip nhrp network-id 99
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN-IPSEC-PROFILE

    So it should be the same configuration that you use.

    The only thing is that I had to "shut/no shut" the tunnel interface, and after removing some config I also needed to clear the connection on the ASA using "clear conn".

    R2#sh dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Hub, NHRP Peers:2,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 200.20.0.10         172.16.0.2    UP 00:11:28
         1 200.30.0.10         172.16.0.3    UP 00:11:22

    R2#

  • DMVPN on SAA


    Hello

    Is it possible to configure DMVPN on the ASA? If yes, how?

    I know that DMVPN is not possible on the PIX.

    My problem is to configure a site-to-site VPN between two sites: the first site has a leased line with a fixed public IP and the second site has ADSL with a dynamic IP. I have an ASA 5510 firewall at the first site and a 2811 router at the second.

    Kind regards

    Sylvie

    Hello

    You don't need DMVPN for this.

    You can configure a site-to-site tunnel using a dynamic-to-static configuration.

    DMVPN is supported only on Cisco routers, so it is not possible to implement it on the ASA.

    This is because DMVPN still uses GRE, which is supported only on routers.

    Here is an example of a site to site, when one end has a dynamic IP address assigned:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

    It will be useful.

    Federico.

  • An interface of multipoint GRE tunnel on two physical interfaces?

    Hi all

    I use a dual-hub, single-cloud DMVPN network.

    Our spokes (C831 ISRs) are connected to a dynamic DHCP ISP and a dynamic PPPoE ISP.  I want to build a temporary kit that fits anywhere.  Here is the configuration of my PPPoE ISP tunnel:

    interface Tunnel0
     bandwidth 1000
     ip address 172.23.2.254 255.255.252.0
     no ip redirects
     ip mtu 1436
     ip nhrp authentication xxxxxx
     ip nhrp map 172.16.0.1 230.2.2.1
     ip nhrp map multicast 230.2.2.1
     ip nhrp map 172.16.0.2 230.2.2.2
     ip nhrp map multicast 230.2.2.1
     ip nhrp network-id 900001
     ip nhrp holdtime 300
     ip nhrp nhs 172.16.0.1
     ip nhrp nhs 172.16.0.2
     delay 1000
     tunnel source Dialer1
     tunnel mode gre multipoint
     tunnel key xxxxxx
     tunnel protection ipsec profile MyIPSecProf

    For my DHCP ISP, I only change the tunnel source to Ethernet1.

    Is it possible to configure 2 different tunnel interfaces bound to 2 physical interfaces (like one on Ethernet1 and one on Dialer1)?  The challenge is that I cannot change the configuration of the hubs at all.  So I can't put the tunnel IP addresses in 2 different subnets.  There is only 1 tunnel interface on the hub.

    Someone has an idea?

    Thank you very much

    Yes, I see it now. IP unnumbered would provide the interface to the MTR, and the tunnel interface you have is point-to-multipoint. I'm afraid there is no good solution for your needs.

    Kind regards

    Lei Tian

  • The licenses to buy... what? Trouble.

    Hi, probably not posting this in the right forum, but I hope it will be moved if necessary. Working in a small department of 10 employees, we require 2/3 licenses of Adobe Acrobat Pro and 1 license of Photoshop; what is the best way to go for these? The full Business Suite does not seem to contain Acrobat Pro and we probably wouldn't use most of the products, so I assume individual licenses are best? Apologies for such a simple question, but it is hard to see whether individual purchases or a full small-business purchase suits. Will need to convert to Word/Excel too. We have an Azure cloud-based system, but can also install the software on the desktop.

    Please help

    Based in the United Kingdom, thanks, Scott

    Hi scott.drayton

    I recommend you go for individual licenses; here are the details of plans and prices (Adobe Acrobat DC).

    Please come back if you have any other questions.

    Kind regards

    Rahul

  • How do Google Cloud, AWS and Windows Azure compare to one another?

    I am quite familiar with AWS, MS Azure and Google Compute Engine and have used Linux virtual machines in all three environments without any problem. I often hear this argument: use Azure if you're a .NET shop, otherwise use AWS. I would like more details. What are the benefits you get if you use AWS or Google Cloud instead of Azure, and vice versa?

    Cloud vendor competition is heating up, with a price war and new feature offerings in the battle for your business. Amazon is the undisputed leader with more than 8 years on the market, with Azure a fine second after their big push for ARM.

    Aaron pools

    #iWork4Dell

  • Address problem Source DMVPN Dual-Cloud

    Greetings,

    I run a single-hub, dual-cloud DMVPN in phase 2 operation (spoke-to-spoke active).  I am very surprised that this question does not come up more often.

    Here is my configuration:

    Each site has its own ISP.

    Each remote site has a single router connected to 2 ISPs (interface1 and interface2).

    Each hub's public IP is statically routed (/32) through a single interface.

    The default route floats based on an IP SLA tracking mechanism.

    Note the following image (showing the static host routes and the default routes).

    With both default routes pointing out the interface carrying DMVPN-X, spoke-to-spoke on DMVPN-X works well.  But what about spoke-to-spoke over DMVPN-Y?  It gets broken in the following way:

    At Site A, my TunnelY interface is sourced from 10.2.0.2.  After it learns Site B's public IP (10.4.0.2) via NHRP, it tries to form a spoke-to-spoke tunnel.  But how does it get to 10.4.0.2?  It uses its default route out the 10.1.0.2 interface with source address 10.2.0.2.    A few things can happen:

    (1) The ISP blocks the bad source completely, either explicitly or through uRPF.

    (2) The spoke-to-spoke tunnel comes up, but asymmetric routing results (this is rare).

    (3) The ISP NATs all sources to itself (Comcast SMC gateways do this); in the example above, you see crypto packets from 10.1.0.1 arriving at 10.4.0.2!  Imagine the confusion caused.

    In most cases, ISAKMP gets hosed.  Even if the tunnel comes up, I don't want asymmetric shaping with all the bandwidth on a single interface - I like to actively use both ISP connections.

    So... how to handle this?  I anticipated it, but I thought the NHRP/DMVPN mechanism would deal with this situation: that is, if I hear a spoke via TunnelY and TunnelY is sourced on interface2, it would naturally send packets out interface2.  Alas, this isn't the case.

    Here are some ways I thought of to solve it:

    (1) Because my endpoints are not dynamic, I could statically host-route all Y spokes out all the interface2s, and all the X spokes out the interface1s.  (With 30 sites, it's so ugly that I hesitate to even include it.)

    (2) A route-map on each external interface matching against the source address.  If interface1 sees a source of interface2, set next-hop to interface2.  The same thing on interface2 - if it sees a source matching the IP address of interface1, set next-hop to interface1.  It is repeatable, but looks a bit ugly as well.

    (3) Post on the Cisco forums and see what the consensus is.

    Thanks much in advance.  Here are my spoke site configs if you need them:

    Example of Site A above:

    (using PKI for isakmp)

    interface TunnelX
     bandwidth 10000
     ip address 192.168.X.13 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication [redact]
     ip nhrp map multicast 1.1.1.1
     ip nhrp map 192.168.X.1 1.1.1.1
     ip nhrp network-id X
     ip nhrp holdtime 240
     ip nhrp nhs 192.168.X.1
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key X
     tunnel protection ipsec profile DMVPN_IPSEC
    !

    interface TunnelY
     bandwidth 10000
     ip address 192.168.Y.13 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication [redact]
     ip nhrp map multicast 2.2.2.2
     ip nhrp map 192.168.Y.1 2.2.2.2
     ip nhrp network-id Y
     ip nhrp holdtime 240
     ip nhrp nhs 192.168.Y.1
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/2
     tunnel mode gre multipoint
     tunnel key Y
     tunnel protection ipsec profile DMVPN_IPSEC
    !

    ip route 1.1.1.1 255.255.255.255 10.1.0.1

    ip route 2.2.2.2 255.255.255.255 10.2.0.1

    ip route 0.0.0.0 0.0.0.0 10.1.0.1 track 1

    ip route 0.0.0.0 0.0.0.0 10.2.0.1 250   (for failover if track 1 goes down)

    This is usually resolved by separating the ISPs into front-door VRFs (keeping the global VRF inside if you choose to), allowing both to be tracked.

    It's late (almost 1:00) but I think that tunnel route-via could potentially work too.
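    A front-door VRF configuration along the lines the reply suggests, added here as an example (it is not the poster's or the reply author's configuration). Each ISP-facing interface and its default route live in their own VRF, and each tunnel is bound to that VRF with `tunnel vrf`, so an NHRP-learned spoke address is always reached through the interface the tunnel is sourced from, while the tunnel addresses and the overlay routing stay in the global table. The VRF names, the DMVPN_TS transform set, the ISAKMP profile names and the placeholder preshared keys are assumptions; the post uses PKI, in which case the keyrings are replaced by the trustpoint.

    ```cisco
    ! Added example, not the original poster's configuration.
    ! Assumed: VRF names ISP1/ISP2, interface addresses from the post's
    ! description (10.1.0.2 and 10.2.0.2), placeholder preshared keys.
    vrf definition ISP1
     address-family ipv4
     exit-address-family
    !
    vrf definition ISP2
     address-family ipv4
     exit-address-family
    !
    interface GigabitEthernet0/1
     vrf forwarding ISP1
     ip address 10.1.0.2 255.255.255.0
    !
    interface GigabitEthernet0/2
     vrf forwarding ISP2
     ip address 10.2.0.2 255.255.255.0
    !
    ! One default route per front-door VRF. The /32 host routes to the hubs
    ! and the floating global default are no longer needed for the underlay;
    ! the global table keeps only the overlay (tunnel) routes.
    ip route vrf ISP1 0.0.0.0 0.0.0.0 10.1.0.1
    ip route vrf ISP2 0.0.0.0 0.0.0.0 10.2.0.1
    !
    ! IKE authentication scoped per VRF (placeholder keys; with PKI as in
    ! the post, use the trustpoint instead of keyrings).
    crypto keyring KR-ISP1 vrf ISP1
     pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER-KEY-X
    crypto keyring KR-ISP2 vrf ISP2
     pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER-KEY-Y
    !
    crypto isakmp profile ISAKMP-ISP1
     keyring KR-ISP1
     match identity address 0.0.0.0 ISP1
    crypto isakmp profile ISAKMP-ISP2
     keyring KR-ISP2
     match identity address 0.0.0.0 ISP2
    !
    crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-sha256-hmac
     mode transport
    !
    crypto ipsec profile DMVPN_IPSEC_X
     set transform-set DMVPN_TS
     set isakmp-profile ISAKMP-ISP1
    crypto ipsec profile DMVPN_IPSEC_Y
     set transform-set DMVPN_TS
     set isakmp-profile ISAKMP-ISP2
    !
    ! Tunnel addresses stay in the global table (no vrf forwarding here);
    ! tunnel vrf binds the GRE/IPsec packets to the ISP's VRF.
    interface TunnelX
     ip address 192.168.X.13 255.255.255.0
     ip nhrp map multicast 1.1.1.1
     ip nhrp map 192.168.X.1 1.1.1.1
     ip nhrp network-id X
     ip nhrp nhs 192.168.X.1
     tunnel source GigabitEthernet0/1
     tunnel vrf ISP1
     tunnel mode gre multipoint
     tunnel key X
     tunnel protection ipsec profile DMVPN_IPSEC_X
    !
    interface TunnelY
     ip address 192.168.Y.13 255.255.255.0
     ip nhrp map multicast 2.2.2.2
     ip nhrp map 192.168.Y.1 2.2.2.2
     ip nhrp network-id Y
     ip nhrp nhs 192.168.Y.1
     tunnel source GigabitEthernet0/2
     tunnel vrf ISP2
     tunnel mode gre multipoint
     tunnel key Y
     tunnel protection ipsec profile DMVPN_IPSEC_Y
    ```

    Because each VRF has exactly one exit, a spoke-to-spoke packet for DMVPN-Y can no longer leave through the ISP1 interface, which removes the uRPF drops and the ISP-side NAT rewrite described in the post.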

  • DMVPN Cloud

    Hello

    I have created a DMVPN cloud with 1 hub and 5 spokes; the main purpose of the VPN is a centralized voice deployment. Now the spokes are up and connecting very well; I can see all the phones at the various sites and even browse the phones' web pages.

    The problem I have is that the phones at two of the sites registered with CUCM, but those at the other sites did not, even though I can see the phones attempting to register with CUCM. See a copy of my config below; I use static routes as the routing protocol.

    ++++++++++++
    HUB
    ++++++++++++

    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
    !
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10 3 periodic
    crypto isakmp xauth timeout 20
    !
    crypto ipsec security-association lifetime seconds 7200
    !
    crypto ipsec transform-set DMVPN_SPOKE esp-aes
     mode transport
    !
    crypto ipsec profile DMVPNspoke
     set security-association lifetime seconds 86400
     set security-association idle-time 86400
     set transform-set DMVPN_SPOKE
    !
    interface Tunnel0
     description <tunnel>
     bandwidth 1000
     ip address 192.168.222.1 255.255.255.0
     no ip redirects
     ip mtu 1452
     ip nhrp authentication client
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 300
     ip nhrp shortcut
     ip nhrp redirect
     ip virtual-reassembly max-fragments 64
     ip tcp adjust-mss 1360
     delay 30
     tunnel source Dialer1
     tunnel mode gre multipoint
     tunnel key 131
     tunnel protection ipsec profile DMVPNspoke shared

    crypto isakmp key cisco address 77.95.xxx.xxx

    +++++++++++
    SPOKE
    +++++++++++

    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
    !
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10 3 periodic
    crypto isakmp xauth timeout 20
    !
    crypto ipsec security-association lifetime seconds 7200
    !
    crypto ipsec transform-set DMVPN_SPOKE esp-aes
     mode transport
    !
    crypto ipsec profile DMVPNspoke
     set security-association lifetime seconds 86400
     set security-association idle-time 86400
     set transform-set DMVPN_SPOKE
    !
    interface Tunnel0
     description <tunnel>
     bandwidth 1000
     ip address 192.168.222.11 255.255.255.0
     no ip redirects
     ip mtu 1452
     ip nhrp authentication client
     ip nhrp map multicast 212.20.xxx.xxx
     ip nhrp map 192.168.222.1 xxx.xxx.xxx.xxx
     ip nhrp network-id 1
     ip nhrp holdtime 300
     ip nhrp nhs 192.168.222.1
     ip nhrp shortcut
     ip nhrp redirect
     ip virtual-reassembly max-fragments 64
     ip tcp adjust-mss 1360
     delay 30
     tunnel source Dialer1
     tunnel mode gre multipoint
     tunnel key 131
     tunnel protection ipsec profile DMVPNspoke shared

    crypto isakmp key cisco address xxx.xxx.xxx.xxx

    Hi Ray,

    Do you get an error when the phones fail to register with CUCM? Do you have the appropriate rules at both ends allowing the traffic through the tunnel, such as voice QoS / inspect statements, already configured... and have you checked reachability of the CUCM server from those spoke sites?

    Concerning

    Knockaert

  • two DMVPN rays behind the ASA made hide NAT for Internet

    Does this scenario require a particular configuration on the ASA? So far the setup does not work; we face the following problem:

    The DMVPN hub shows an "invalid SPI" error, because the two spokes arrive at the DMVPN hub with the same IP address (ASA hide-NAT).

    THX

    Holger

    Using one IP address for the two spokes?  This is not going to work.

  • ASA 5510 L2L VPN static gateway of azure and branches and

    Hello

    I am trying to configure an ASA to operate as a hub between two site-to-site VPNs, one to our office and the other to Azure.

    i.e.

    Office <-- internet --> ASA <-- internet --> Azure

    From both sites I can establish a VPN to the ASA and access hosts on our data center network, but I can't seem to get end-to-end connectivity from Azure to our office or vice versa.

    Any ideas on what I can try, as I have been hitting my head against a wall with this one.

    Hello

    If traffic from Azure to the office network is not coming through either, then it would seem there is a problem with the L2L VPN configuration between the ASA and Azure, very probably on the Azure side.

    -Jouni

  • Double-Cloud DMVPN spoke Router Configuration

    I have decided to adopt a dual-cloud DMVPN architecture (1 hub at the main office, 1 hub at the DR site) with the option of going dual-hub at each of my network sites later.

    I tried to configure each of the clouds to have its own key.

    Cloud 1, hub 1:

    crypto isakmp key KEY123 address 0.0.0.0 0.0.0.0 no-xauth

    Cloud 2, hub 1:

    crypto isakmp key KEY456 address 0.0.0.0 0.0.0.0 no-xauth

    Of course, the spokes that I want to connect to both clouds would not let me use the same simple crypto isakmp key command twice.

    Several of my sites will have 2 Internet connections.  Since I source a tunnel from each of these Internet connections, I came up with the following solution:

    Spoke 1:

    crypto keyring X-RING
     local-address GigabitEthernet0/1   (Internet connection interface 1)
     pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY123

    crypto keyring Y-RING
     local-address GigabitEthernet0/2   (Internet connection interface 2)
     pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY456

    crypto isakmp profile DMVPN_ISAKMP_X
     keyring X-RING
     match identity address 0.0.0.0
     local-address GigabitEthernet0/1

    crypto isakmp profile DMVPN_ISAKMP_Y
     keyring Y-RING
     match identity address 0.0.0.0
     local-address GigabitEthernet0/2

    OK... on to the question... the first site I tried to connect to both DMVPN clouds has only 1 Internet connection!

    Without changing both my DMVPN clouds to the same key (almost all of the examples have this) - how can I make sure the spoke-to-hub and spoke-to-spoke tunnels work?

    Is there anything else I can match on, or create in each spoke's and hub's config?

    I tried:

    - match identity group, but couldn't figure out how to set a group name on each of the spokes - or on the hub either.  Also, wouldn't no-xauth prevent it from being considered?

    - matching fqdn does not seem to work either.

    - vrf is not an option - not applicable
    - signalling behind the IP address does not appear to be an option and seems to complicate the issue too.

    Thank you very much in advance!

    There is nothing special about PKI when it comes to DMVPN. PKI or preshared keys is just how ISAKMP authenticates the session, and there is no difference between DMVPN and site-to-site.

    Basically, you'd have to do these things:

    - create a CA. A basic one can be created on one of your routers.

    - create the trustpoint on each DMVPN hub and spoke.

    - change the authentication type in the isakmp profile from pre-shared key to rsa-sig.

    You can certainly have more than one trustpoint, one for each cloud, but I highly doubt that it is necessary with PKI.

    Maybe this doc will be of some help, even if it has too much info:

    http://www.Cisco.com/en/us/docs/solutions/enterprise/security/DCertPKI.html

    If you need, I can put together a full site-to-site example with PKI auth.
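    The certificate-based approach the reply describes, written out as an added example for a spoke with a single Internet connection that reaches both clouds (this is not the reply author's or the poster's configuration). With rsa-sig, ISAKMP identity comes from the certificate, so the spoke no longer needs two different wildcard keys; because both tunnels share one source interface, they carry distinct tunnel keys and the IPsec profile is attached with `shared`. The trustpoint name, CA URL, key label, hub addresses and tunnel numbering are assumptions.

    ```cisco
    ! Added example, not the poster's configuration. Assumed: CA at
    ! ca.example.invalid, trustpoint DMVPN-CA, key label DMVPN-KEYS,
    ! hub NBMA addresses 1.1.1.1 (cloud X) and 2.2.2.2 (cloud Y).
    !
    ! exec mode, once per router (not part of the running config):
    !   crypto key generate rsa label DMVPN-KEYS modulus 2048
    !   crypto pki authenticate DMVPN-CA
    !   crypto pki enroll DMVPN-CA
    !
    crypto pki trustpoint DMVPN-CA
     enrollment url http://ca.example.invalid:80
     subject-name CN=spoke1.example.invalid,OU=DMVPN
     revocation-check crl
     rsakeypair DMVPN-KEYS
    !
    ! One IKE policy serves both clouds; the hubs use the same trustpoint
    ! and policy, as the reply says.
    crypto isakmp policy 10
     encr aes 256
     hash sha256
     authentication rsa-sig
     group 14
    !
    crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-sha256-hmac
     mode transport
    !
    crypto ipsec profile DMVPN_IPSEC
     set transform-set DMVPN_TS
    !
    ! Single Internet interface: both tunnels share the same source, so the
    ! tunnel keys must differ and the IPsec profile is marked shared.
    interface Tunnel1
     ip address 192.168.1.13 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp map multicast 1.1.1.1
     ip nhrp map 192.168.1.1 1.1.1.1
     ip nhrp network-id 1
     ip nhrp nhs 192.168.1.1
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 1
     tunnel protection ipsec profile DMVPN_IPSEC shared
    !
    interface Tunnel2
     ip address 192.168.2.13 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp map multicast 2.2.2.2
     ip nhrp map 192.168.2.1 2.2.2.2
     ip nhrp network-id 2
     ip nhrp nhs 192.168.2.1
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 2
     tunnel protection ipsec profile DMVPN_IPSEC shared
    ```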

  • ASA VPN Site to site: mesh DMVPN or full?

    Hi all

    I'm new to the Cisco environment, please help me.

    Currently I am working on a project that requires setting up a VPN for security across multiple sites with different ISPs (not yet decided whether static or dynamic IP).

    I can also request Cisco routers as the L3 routing devices, and an ASA appliance.

    My goal is: all sites can communicate with each other.

    Now I am considering either DMVPN or a full-mesh topology.

    Could you please answer my questions:

    1. Is a static IP from the ISP required? Can I use a dynamic IP? (I know the ASA has a kind of dynamic-to-static VPN.)

    2 - DMVPN:

    + The ASA can't, but I've heard that somehow an ASA can be configured for something like spoke-to-spoke VPN. Does this match my target?

    + Please point me to documents to set it up if you have them.

    3 - full-mesh VPN:

    + How do I set it up; do I have to configure an L2L VPN at each site to all the others?

    4 - DMVPN vs full mesh - which is best? Which is less configuration work and fewer administration tasks?

    5 - Lastly: please advise me on the devices necessary for my target.

    Thanks to you all!

    You are right that an ASA will not support DMVPN. You would have to configure individual LAN-to-LAN VPN tunnels at each site (n x (n - 1) tunnels in total).

    FlexVPN with ISR G2 routers would be the least configuration work and the more flexible setup for your requirements. It combines the advantages of EZVPN and DMVPN.

    There are a number of FlexVPN configuration examples here.

  • Our ASA 5510 can provide VPN to our LAN cloud?

    Hi people,

    We have a number of servers (7 or so, virtual or dedicated) hosted at a well-known cloud provider on the West Coast of the USA.

    They have just put an ASA5510 in front of our server LAN to help protect the servers.

    I was wondering whether the ASA5510 can provide VPN access to our cloud LAN? At the moment we have the firewall blocking all ports except 80/443/3389 (RDP for our Windows servers).

    I was actually hoping to block port 3389, so nobody can RDP to any server. BUT... by VPNing into our cloud LAN we could then connect to a server via RDP or any software/port. Indeed, the VPN opens all ports... provided you have created a VPN tunnel.

    So is this possible? Does the ASA5510 offer this?

    Last question -> and it's a big one :gulp:...

    We cannot install any 3rd-party client software... including any Cisco VPN client software. We must use the built-in Windows 7 VPN software... which does PPTP, SSTP and L2TP/IPsec.

    So... can the ASA5510 offer that? If so... are there any special scripts or configs I need to give to the cloud hosting provider, so they can set the machine up to work?

    Help, please!

    -Jussy-

    Two possibilities come to mind.

    - The built-in L2TP over IPsec client.

    ASA config guide:

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/l2tp_ips.html

    - Clientless WebVPN (with RDP and other plugins, but it requires Java/ActiveX for some features...)

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/WebVPN.html

    These options should work unless the ASA is in multi-context mode.

    M.
