Any ideas on how to assign Azure public ip and subnet mast to cisco asav

Garth Taylor 20

I have been asked to setup and Cisco asav on azure, so I can assign the public interface on the cisco firewall but it does not like /32 for a single public ip. Anyone know what subnet to configure on my external inferface so it keeps the firewall happy. Thanks

Silvia Wibowo 3,991 Reputation points Microsoft Employee

2024-01-28T23:16:34.2166667+00:00

Hi @Garth Taylor , could you please clarify what firewall policy - the Cisco ASAV firewall policy or Azure Firewall?

Accepted answer

Silvia Wibowo 3,991 Reputation points Microsoft Employee

2024-02-01T00:22:48.54+00:00
Hi @Garth Taylor, there are 2 sets of routing:

Azure Virtual Network routing -> this is applied as Route Table on the subnets. Once you've created vnet peering, there will by system-injected routes that complement the Route Table to inform about routes to the other vnet. Since you've created vnet peering, I think your setup is already good for this.

Routing in Cisco ASAv -> you need to set default route to Outside interface.
Please sign in to rate this answer.

1 person found this answer helpful.
Garth Taylor 20 Reputation points

2024-02-01T08:41:22.3066667+00:00

thanks
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

1 additional answer

GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee

2024-01-30T13:02:59.2566667+00:00

Hello @Garth Taylor ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know how to assign an Azure public IP and subnet to cisco asav firewall during its deployment.

You can find more information about the Prerequisites and deployment options for the Cisco ASAv in the below docs:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start-book/asav-98-qsg/asav-azure.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start-book/asav-98-qsg/asav-azure.html#id_48477

You can also refer this blog for detailed instructions with screenshots:

Anyone knows what subnet to configure on my external interface, so it keeps the firewall happy.

The smallest supported IPv4 subnet in Azure is /29, and the largest is /2 (using CIDR subnet definitions).

Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#how-small-and-how-large-can-virtual-networks-and-subnets-be

So, you need to make sure that the subnet you define is either /29 or larger such as /28, /27 and so on.

Kindly let us know if the above helps or you need further assistance on this issue.

Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
Please sign in to rate this answer.
Garth Taylor 20 Reputation points

2024-01-30T13:22:46.79+00:00

Thanks for the info, i've been through the deployment docs and have already deployed. I've assigned all interfaces on the asa using azure dhcp. Which is working fine. I'm still stuck trying to configure my external interface from azure public ip. So I'm trying to figure out what subnet mask to use. My Cisco device does not take /32 for a single ip - so not sure still?If I post my configuration of my azure vnet setup and my cisco asav would you be able to help me out?

GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee

2024-01-30T13:33:50.8566667+00:00

Hello @Garth Taylor , I'm not sure I understand your issue clearly. It would help if you could share the screenshots of your Azure and Cisco setups and where exactly the issue is.

Garth Taylor 20 Reputation points

2024-01-30T14:38:54.9566667+00:00

az1.PNG This is my cisco asa config all interfaces are getting correct dhcp from Azure, I've been asked to configure a vpn and I've been trying to add the public ip (posted) below. The firewall wont accept any subnets. Or does azure some sort of nat so i dont need to configure anything? I have also posted my azure networking, as I need to configure the asa to communicate to both subnets. I'm new to this, so not sure how to configure this on Azure, I've been through the docs but dont understand how to configure the routing so that remote users can vpn and access resources on the different azure subnets.

Garth Taylor 20 Reputation points

2024-01-30T14:40:35.6866667+00:00

Garth Taylor 20 Reputation points

2024-01-30T14:41:06.9433333+00:00

Garth Taylor 20 Reputation points

2024-01-30T14:41:49.0066667+00:00

Garth Taylor 20 Reputation points

2024-01-30T14:42:12+00:00

Garth Taylor 20 Reputation points

2024-01-30T14:42:41.22+00:00

Garth Taylor 20 Reputation points

2024-01-30T14:43:26.9533333+00:00

Garth Taylor 20 Reputation points

2024-01-30T14:46:25.7666667+00:00

Any help on how to configure this for my setup would be greatly appreciated

Garth Taylor 20 Reputation points

2024-01-30T14:59:33.0233333+00:00

I cant use /32 for a single ip, so this is the 1st place im stuck. Then I need to configure the asa for my azure setup. Is this something your able to show me?

GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee

2024-01-30T15:04:57.2966667+00:00

Hello @Garth Taylor , the Azure Internet gateway will handle the NAT translations (Public IPs to private IP address & vice-versa). You don't need to configure this within the VM's OS.

Refer: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections

Do not add any public IP addresses to the virtual machine operating system.

Refer: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/virtual-network-network-interface-addresses?tabs=nic-address-portal#add-ip-addresses

how to configure the routing so that remote users can vpn and access resources on the different azure subnets.

Are these subnets in the same Vnet as the Cisco ASA or in a different Vnet?

Garth Taylor 20 Reputation points

2024-01-30T15:15:55.0766667+00:00

no, so the vnet-shared is one vnet with the asa subnets

Garth Taylor 20 Reputation points

2024-01-30T15:17:23.1733333+00:00

This is the other vnets i need to communicate with

GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee

2024-01-30T15:23:51.51+00:00

Hello @Garth Taylor , to enable communication/connectivity between 2 Vnets, you need to enable Vnet peering between them.

Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft's private network only.

Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal

Garth Taylor 20 Reputation points

2024-01-30T15:28:13.8233333+00:00

no, so the asa-mgmt is on 10.1.7.0/24 the adds-prod snet on 10.1.5.0/24 those are both in one vnet and need to communicate. The other shorter list is a different subnet which I need the ASA to communicate with so our vpn users can connect to those services so for example snet-pri-data on 10.2.6.0 I'm trying to configure my asa with vpn - which have vpn pools already configured. I hope Im making sense, so you can help me

Garth Taylor 20 Reputation points

2024-01-30T15:31:23.19+00:00

I have already setup peering between the vnets so that part is ok, its the cisco part I don't understand. I know this is a microsoft forum but i cant find anywhere how to configure routing on the asa to communicate with different subnents
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.