Cisco ASA Route-based Site-to-Site VPN to Azure

prerequirements: ASA software 9.8.1 (I have tested 9.8.2)

Azure configuration:
add a Virtual network gateway to you azure subnet, I use basic, then adding a connection to the gateway like this:

ASA configuration

Configure VPN interface:

crypto ikev2 policy 3
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 10800

crypto ipsec ikev2 ipsec-proposal Proposal-Azure
  protocol esp encryption aes-256
  protocol esp integrity sha-1

crypto ipsec profile Profile-Azure
  set ikev2 ipsec-proposal Proposal-Azure
  set pfs group2
  set security-association lifetime kilobytes 102400000
  set security-association lifetime seconds 10800

interface Tunnel1
  nameif VPN-AZURE
  ip address standby
  tunnel source interface outside
  tunnel destination [Azure vpngateway public ip]
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile Profile-Azure

tunnel-group [Azure vpngateway public ip] type ipsec-l2l
tunnel-group [Azure vpngateway public ip] ipsec-attributes
ikev2 remote-authentication pre-shared-key [PreesharedKey]
ikev2 local-authentication pre-shared-key [PreesharedKey]

Configure static route to azure networks:

route VPN-AZURE [local azure subnet scope] [Azure vpngateway public ip] 1



Key Not Valid for Use in Specified State error installing Anyconnect

If you get this error upon trying to install Cisco Anyconnect:
Key Not Valid for Use in Specified State

Danish translation:
Nøglen er ikke gyldig for anvendelse i den angivne tilstand.

Do the following:

Move the folder RSA from

C:\Users\AppData\Roaming\Microsoft\Crypto\RSA to say C:\RSA (just in case there should be a need to restore it) then try installing again.
This folder appears to act as a cache and should be rebuilt automatically as required.


Cisco ASA 8.4 Port Forwarding (Pat/Nat) ASDM

Cisco ASA 8.4 Port Forwarding Port 25 with ASA 8.4 with ASDM

Step 1. Open ASDM and jumb to Configuration mode:

Step 2. Click Add, choose Network Object… (Found in the Right side panel)

Step 3.
Ip address: type the Inside ipaddress of the pc/server
check Add Automatic Address Translation Rules
Type: static
Translated Addr: choose the WAN interface (default it is outside)
Click Advanced

Step 4.
Souce Interface: Choose the interface which the pc/server is connected
Destination Interface: Choose the WAN interface (default it is outside)
Protocol: tcp
Real Port and Mapped Port: Type smtp og the port nummer your want to open

Step 5. Create a Access Rule, click Add, and choose Add Access Rule…

Step 6.
Interface: Outsite
Action: Permit
Source: Any
Destination: The object we just created

Allow PPTP traffic through ASA

Insert the following in the configuration:

class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect pptp
service-policy global_policy global