Frequently asked Questions

VPN NAT behind the VPN Gateway Public IP

In some instances third parties do not accept a VPN connection using an RFC 1918 source IP address, for example SAP and some banks, due to the number of customers they have. As such you either need to use a public IP range in your DMZ or NAT your source traffic behind the public IP of your firewall.

This always confused me: how can you configure a VPN connection using a public IP, for example 1.1.1.1, and then define the local encryption domain as 1.1.1.1? Would this work? I had such a requirement recently and it does in fact work with a Cisco ASAv (might not work with all VPN vendors).

# Create network groups and define your local networks and NAT address
# (LOCAL-NETWORKS-VPN-NAT holds the public IP the traffic is hidden behind)
object-group network LOCAL-NETWORKS-VPN-NAT
# Define the interesting traffic in the ACL using the NAT address as the source
access-list VPN-TO-SAP permit ip object-group LOCAL-NETWORKS-VPN-NAT object-group REMOTE-NETWORKS
# Twice NAT: translate LOCAL-NETWORKS to the public IP only for traffic towards REMOTE-NETWORKS
nat (inside,outside) 1 source static LOCAL-NETWORKS LOCAL-NETWORKS-VPN-NAT destination static REMOTE-NETWORKS REMOTE-NETWORKS

NAT-T

Using Cisco ASAv in AWS or Azure is possible. However, be aware that the firewall is unaware of the public IP address you assign to the outside interface: the cloud platform translates that public IP to the outside interface's private address, so the VPN peer sees a NAT device in the path. If you are going to use the Cisco ASAv for a VPN this is also possible, as NAT-T is on by default, so the firewall will source traffic from the public IP and accept IKE traffic destined to the public IP. Ensure you permit the NAT-T protocol (4500/udp) and that the remote end of the VPN supports NAT-T.

Cisco ASAv Smart Licensing registration issue

By default the Cisco ASAv management interface is not part of the firewall routing table, so it cannot route directly to the Internet. The Smart Licensing process uses the management interface by default. There is documentation on how to configure a proxy for this traffic, but if you want to route directly you will need to configure Smart Licensing to use the external (outside) interface, which is undocumented.

Check VM and licensing information

ciscoasa# show vm                      - shows the VM details (vCPU, memory, hypervisor)
ciscoasa# show license status          - shows your current licensing status
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# domain-name networkjigsaw.local
ciscoasa(config)# dns server-group Default
ciscoasa# ping                         - test DNS resolution
ciscoasa(config-smart-lic)# feature tier standard
ciscoasa(config-smart-lic)# throughput level
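As an added check for the "VPN NAT behind the VPN Gateway Public IP" section, not code from the original page: a small Python lint that reads an ASA config excerpt and verifies that the crypto ACL's source is the NAT group (not RFC 1918 space, which peers such as SAP reject) and that a twice-NAT rule actually presents that mapped source towards the ACL's destination. The config excerpt, the object-group members and the 203.0.113.10 public IP are constructed sample values.

```python
import ipaddress
import re

# RFC 1918 ranges: the encryption-domain sources that some third parties reject.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed ASA config following the page's twice-NAT pattern; the object
# members and the 203.0.113.10 public IP are sample values, not from the page.
SAMPLE_CONFIG = """\
object-group network LOCAL-NETWORKS
 network-object 10.10.0.0 255.255.255.0
object-group network LOCAL-NETWORKS-VPN-NAT
 network-object host 203.0.113.10
object-group network REMOTE-NETWORKS
 network-object 198.51.100.0 255.255.255.0
access-list VPN-TO-SAP extended permit ip object-group LOCAL-NETWORKS-VPN-NAT object-group REMOTE-NETWORKS
nat (inside,outside) 1 source static LOCAL-NETWORKS LOCAL-NETWORKS-VPN-NAT destination static REMOTE-NETWORKS REMOTE-NETWORKS
"""

ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip object-group (\S+) object-group (\S+)")
NAT_RE = re.compile(r"nat \(\S+\) \d+ source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse_object_groups(config):
    """Map each 'object-group network' name to the ip_network objects it contains."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.startswith(" network-object "):
            _, kind, *rest = line.split()  # "host A.B.C.D" or "NETWORK MASK"
            addr = rest[0] if kind == "host" else f"{kind}/{rest[0]}"
            groups[current].append(ipaddress.ip_network(addr))
        else:
            current = None  # any other line ends the object-group block
    return groups


def check_crypto_acl(config, acl_name):
    """Return a list of findings for the interesting-traffic ACL; [] means consistent."""
    groups = parse_object_groups(config)
    lines = config.splitlines()
    acls = [m.groups()[1:] for m in map(ACL_RE.match, lines) if m and m.group(1) == acl_name]
    nats = [m.groups() for m in map(NAT_RE.match, lines) if m]
    findings = []
    for src, dst in acls:
        for net in groups.get(src, []):
            if any(net.subnet_of(r) for r in RFC1918):
                findings.append(f"{acl_name}: source {net} is RFC 1918, peer may reject it")
        # the ACL source must be the *mapped* source of a twice-NAT rule towards the same destination
        if not any(mapped == src and mapped_dst == dst for _, mapped, _, mapped_dst in nats):
            findings.append(f"{acl_name}: no twice-NAT rule maps a real source to {src}")
    return findings


if __name__ == "__main__":
    for finding in check_crypto_acl(SAMPLE_CONFIG, "VPN-TO-SAP") or ["VPN-TO-SAP: OK"]:
        print(finding)
```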