SITE TO SITE VPN FROM CISCO PIX TO AZURE

      No Comments on SITE TO SITE VPN FROM CISCO PIX TO AZURE

A customer asked me to build a Site-to-Site VPN between their CISCO PIX environment with Azure, yes, you don’t hear wrong, it is a PIX, I know it’s pretty old but we need to make it if customer need it. Let’s follow the steps and do it.

Settings in Microsoft Azure

  1. Logon to Azure portal and click +New.

2. In the Search the marketplace field, type Virtual Network and then Enter.

3. click Virtual Network, select Resource Manager from the Select a deployment model and then click Create.

4. On the Create virtual network page, enter the name for your virtual network in Name filed.

5. In the Address space filed, enter the address space, make sure that the address space that you specify does not overlap with the address space for your on-premises location.

6. In the Subnet name field, enter the subnet name.

7. In the Subnet address range field, enter the subnet address range, but don’t use all of address space for this, because you need to reserve space for gateway subnet.

8. In the Subscription field, verify that the subscription listed is the correct one.

9. In the Resource group field, create a new one by typing a name for your new resource group.

10. In the Location field, select the location for your Virtual Network and then select Pin to dashboard.

11. Select Subnets after the virtual Network is be created, click +Gateway subnet.

12. In the Address range field, enter your gateway subnet and then click OK.

13. On the left side of the portal page, click +.

14. In the search filed, type Virtual Network Gateway and the enter.

15. click Virtual Network Gateway in Results and then click Create.

16. On the Create virtual network gateway page, type the virtual gateway name in the Name field.

17. Select VPN as the Gateway type.

18. Select Policy-based as the VPN type.

19. Select Computer Account and then click Next.

20. Select Local Computer and then click Finish.

21. Select Basic as SKU.

22. Click Choose a virtual network in Virtual network field and select the new created virtual network.

23. Click Choose a public IP address in the Public IP address field, click Create new.

24. Type gateway IP address name in the Name field and then click OK.

25. Select Pin to dashboard and then click Create.

26. Select All resources in the Azure portal, click +Add.

27. Type local network gateway in search and then hit Enter.

28. Select Local network gateway and click Create.

29. On the Create local network gateway page, type your on-premises site name in the Name field.

30. In the IP address field, type the public IP address of the VPN device at on-premises site.

31. In the address space field, type the on-premises IP address range.

32. In the Resource Group field, Select Use existing and select the existing the resource group name.

33. Select Pin to dashboard and then click Create.

34. On the dashboard of Azure portal, select Virtual Network Gateway that we created.

35. Select Connections and then click +Add.

36. On the Add connection page, type Site-to-Site VPN name to the Name field.

37. Select Site-to-site (IPSEC) as Connection type.

38. In the Local network gateway field, select the local network gateway that we created.

39. Type shared key in the Shared key (PSK) field, this shared must be matched with your on-premises VPN device and then click OK.

Settings in Cisco PIX site

Logon to PIX and add configure as follow:

name 10.13.0.0 sh-az-vnet description Azure Vnet

name 52.176.xxx.xxx sh-az-vnetGWIP description Azure Gateway

access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 sh-az-vnet 255.255.0.0

access-list outside_access_in extended permit ip sh-az-vnet 255.255.0.0 10.10.0.0 255.255.0.0

access-list outside_1_cryptomap extended permit ip 10.10.0.0 255.255.0.0 sh-az-vnet 255.255.0.0

nat (inside) 0 access-list inside_nat0_outbound

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto map outside_map 10 match address outside_1_cryptomap

crypto map outside_map 10 set peer sh-az-vnetGWIP

crypto map outside_map 10 set transform-set ESP-AES-256-SHA

crypto map outside_map 10 set security-association lifetime seconds 3600

crypto map outside_map 10 set security-association lifetime kilobytes 102400000

crypto map outside_map 10 set reverse-route

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 28800

tunnel-group sh-az-vnetGWIP type ipsec-l2l

tunnel-group sh-az-vnetGWIP ipsec-attributes

pre-shared-key (type pre-shared key and it need match with Azure)

sysopt connection tcpmss 1350

sysopt connection permit-vpn

Verify the VPN connection

  1. Logon Azure portal.
  2. select the virtual network gateway and then click connections.
  3. Check the VPN status and make sure it’s Connected.

4. Logon on the Cisco PIX.

5. Type show crypto isakmp sa and check the status.

Now, we have Site-to-site VPN successfully.

Happy Friday and hope you enjoy this post!!

Cary Sun @SifuSun

About Post Author

Leave a Reply