As part of the procedure to establish a site-to-site connection to your Windows Azure Virtual Network, you need to run a script to configure your VPN device.
Use the script template below for Cisco ASA 5505 or ASA 5585 version 8.3.

| Note |
|---|
| To run the script, you need to log in with a privileged account. |

| Note |
|---|
| Parameters that start with 'SP_' are specified parameters that you get from your Virtual Network settings in the Windows Azure Management Portal. Parameters that start with 'RP_' are parameters that you name by yourself. |

```
! ACL Rules and Object-group configuration:
! e.g. object-group network azure-net
object-group network <RP_AzureNetwork>
 network-object <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
 exit
! e.g. object-group network cisco-net
object-group network <RP_OnPremiseNework>
 network-object <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkSubnetMask>
 exit
! e.g. access-list cisco-azure extended permit ip object-group cisco-net object-group azure-net
access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNework> object-group <RP_AzureNetwork>

! Internet Key Exchange (IKE) configuration:
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
 exit

! IPSec configuration:
! e.g. crypto ipsec ikev1 transform-set set1 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set <RP_IPSecTransformSet> esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

! Crypto map configuration:
! e.g. crypto map map 1 match address cisco-azure
crypto map <RP_IPSecCryptoMap> 1 match address <RP_AccessList>
crypto map <RP_IPSecCryptoMap> 1 set peer <SP_AzureGatewayIpAddress>
crypto map <RP_IPSecCryptoMap> 1 set ikev1 transform-set <RP_IPSecTransformSet>
crypto map <RP_IPSecCryptoMap> 1 set reverse-route
crypto map <RP_IPSecCryptoMap> interface outside

! Tunnel configuration:
! e.g. tunnel-group 65.52.250.209 type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 ikev1 pre-shared-key <SP_PresharedKey>
 exit

! TCPMSS clamping:
sysopt connection tcpmss 1350
```
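
An added example, not part of the original page: one way to fill in the template's `SP_` and `RP_` placeholders with a Python script that refuses to emit a config containing unresolved or malformed values, and that masks the pre-shared key before the result is logged. The function names, the sample values and the rule that every value is a single token are assumptions; the template excerpt is copied from the script above.

```python
import ipaddress
import re

PLACEHOLDER = re.compile(r"<((?:SP|RP)_\w+)>")

# Excerpt of the page's template (lines copied from the script above).
TEMPLATE = """\
object-group network <RP_AzureNetwork>
 network-object <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
 exit
tunnel-group <SP_AzureGatewayIpAddress> type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 ikev1 pre-shared-key <SP_PresharedKey>
 exit
"""

def validate(params):
    """Return a list of problems found in the supplied parameter values."""
    problems = []
    for name, value in params.items():
        # Assumption: each value is one token, because it is substituted
        # into a space-separated command line.
        if not value or re.search(r"\s", value):
            problems.append(f"{name}: empty or contains whitespace")
        elif name.endswith("IpRange"):
            mask = params.get(name[:-len("IpRange")] + "SubnetMask", "")
            try:
                # strict=True rejects a range with host bits set for the mask
                ipaddress.ip_network(f"{value}/{mask}", strict=True)
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
        elif name.endswith("IpAddress"):
            try:
                ipaddress.ip_address(value)
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
    return problems

def render(template, params):
    """Substitute every placeholder; refuse to emit a partial config."""
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(params))
    problems = [f"{m}: no value supplied" for m in missing] + validate(params)
    if problems:
        raise ValueError("; ".join(problems))
    return PLACEHOLDER.sub(lambda m: params[m.group(1)], template)

def redact(config):
    """Mask the pre-shared key so the rendered config can be logged or diffed."""
    return re.sub(r"(pre-shared-key )\S+", r"\1<redacted>", config)
```
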