Cisco ASA Route-based Site-to-Site VPN to Azure

Prerequisites: ASA software 9.8.1 (I have tested 9.8.2)

Azure configuration:
Add a Virtual network gateway to your Azure virtual network (I use Basic), then add a connection to the gateway like this:


ASA configuration:

Configure the VPN interface:

crypto ikev2 policy 3
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 10800


crypto ipsec ikev2 ipsec-proposal Proposal-Azure
  protocol esp encryption aes-256
  protocol esp integrity sha-1


crypto ipsec profile Profile-Azure
  set ikev2 ipsec-proposal Proposal-Azure
  set pfs group2
  set security-association lifetime kilobytes 102400000
  set security-association lifetime seconds 10800


interface Tunnel1
  nameif VPN-AZURE
  ip address 169.254.2.1 255.255.255.0 standby 169.254.2.2
  tunnel source interface outside
  tunnel destination [Azure vpngateway public ip]
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile Profile-Azure


tunnel-group [Azure vpngateway public ip] type ipsec-l2l
tunnel-group [Azure vpngateway public ip] ipsec-attributes
ikev2 remote-authentication pre-shared-key [PresharedKey]
ikev2 local-authentication pre-shared-key [PresharedKey]

Configure a static route to the Azure networks:

route VPN-AZURE [local azure subnet scope] 255.255.255.0 [Azure vpngateway public ip] 1


Source:
https://supportforums.cisco.com/t5/vpn/route-based-vpn-vti-for-asa-finally-here/td-p/3046928

Key Not Valid for Use in Specified State error installing Anyconnect

If you get this error upon trying to install Cisco Anyconnect:
Key Not Valid for Use in Specified State

Danish translation:
Nøglen er ikke gyldig for anvendelse i den angivne tilstand.

Do the following:

Move the folder RSA from

C:\Users\AppData\Roaming\Microsoft\Crypto\RSA to, say, C:\RSA (so it can be restored if needed), then try installing again.
This folder appears to act as a cache and should be rebuilt automatically as required.

Source: https://discussions.apple.com/thread/6514053

Cisco ASA 8.4 Port Forwarding (PAT/NAT) with ASDM

Cisco ASA 8.4: Port Forwarding Port 25 (SMTP) with ASDM


Step 1. Open ASDM and jump to Configuration mode:


Step 2. Click Add and choose Network Object… (found in the right-side panel)


Step 3.
IP address: type the inside IP address of the PC/server
Check Add Automatic Address Translation Rules
Type: Static
Translated Addr: choose the WAN interface (by default this is outside)
Click Advanced


Step 4.
Source Interface: choose the interface the PC/server is connected to
Destination Interface: choose the WAN interface (by default this is outside)
Protocol: tcp
Real Port and Mapped Port: type smtp, or the port number you want to open


Step 5. Create an Access Rule: click Add and choose Add Access Rule…


Step 6.
Interface: Outside
Action: Permit
Source: Any
Destination: the network object we just created
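The same port forward expressed as ASA 8.4 CLI, added here as an example rather than taken from the original post. The inside server address 10.0.0.25, the object name SMTP-SERVER and the ACL name outside_access_in are assumed; adjust them to your own environment.

```cisco
! Network object for the inside mail server (address is an assumed example)
object network SMTP-SERVER
  host 10.0.0.25
  ! Static PAT: map TCP/25 on the outside interface address to TCP/25 on the server
  ! (this is what ASDM generates from "Add Automatic Address Translation Rules" + Advanced)
  nat (inside,outside) static interface service tcp smtp smtp
!
! Access rule on the outside interface; from 8.3 onward the ACL references the
! real (untranslated) object, not the mapped outside address
access-list outside_access_in extended permit tcp any object SMTP-SERVER eq smtp
access-group outside_access_in in interface outside
```

Verify with "show nat detail" and "show access-list outside_access_in"; the hit counters on the ACL entry show whether the rule is matching inbound connections.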

Allow PPTP traffic through ASA

Insert the following in the configuration:

class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect pptp
!
service-policy global_policy global