There are very specific use cases that none of the currently available Aviatrix NAT features can address. I ran into one of those, where one possible solution was to use a 3rd party firewall (ASAv) to terminate site-to-site VPN connections. The proposed design for lab purposes looks like the one below:

The design relies on the feature called BGP over LAN that allows transit gateways to communicate with instances in different VNets in Azure without running any tunneling protocol such as IPsec or GRE.
The configuration workflow can be found at https://docs.aviatrix.com/HowTos/azure_bgpolan_multi_peer.html?highlight=bgpolan.
VNETs Creation
I’ll create three new VNETs for this lab:

Transit, an “asa-vnet” where I’m going to deploy an ASAv instance, and a spoke for testing.
Transit Deployment

The size of the VM depends on the number of interfaces required and is capped at the current Azure limit of 8:


ASAv Deployment
ASAv is deployed from the marketplace and “injected” into the “asa-vnet”:


VNET Peering


BGPoLAN
The BGPoLAN is configured under Multi-Cloud Transit -> External Connection -> External Device -> BGP -> LAN:



Once the configuration is applied, the remote config can be downloaded from the Site2Cloud menu:

ASAv Configuration
interface GigabitEthernet0/0
nameif external
security-level 0
ip address 172.16.41.20 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.41.36 255.255.255.240
!
route inside 172.16.31.0 255.255.255.0 172.16.41.33 1
!
router bgp 65533
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 172.16.31.116 remote-as 65534
neighbor 172.16.31.116 ebgp-multihop 255
neighbor 172.16.31.116 timers 60 180
neighbor 172.16.31.116 activate
redistribute connected
maximum-paths 4
no auto-summary
no synchronization
exit-address-family
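A consistency check for ASA fragments like the one above, added here as an example and not part of the original post: it pairs each nameif with its ip address, verifies that every static route names a configured interface and points at an on-link next hop, and flags eBGP peers that sit outside every connected subnet without ebgp-multihop (the transit LAN peer 172.16.31.116 is reached via 172.16.41.33, so that knob is what lets the session come up). The config string is an excerpt of this page's ASAv configuration; the lint logic and its regexes are this example's own.

```python
"""Consistency lint for ASA fragments such as the ones on this page (added example)."""
import ipaddress
import re

# Excerpt of the page's ASAv BGPoLAN configuration (interfaces, static route, BGP peer).
ASA_CFG = """
interface GigabitEthernet0/0
 nameif external
 ip address 172.16.41.20 255.255.255.240
interface GigabitEthernet0/1
 nameif inside
 ip address 172.16.41.36 255.255.255.240
route inside 172.16.31.0 255.255.255.0 172.16.41.33 1
router bgp 65533
 neighbor 172.16.31.116 remote-as 65534
 neighbor 172.16.31.116 ebgp-multihop 255
"""

def connected_networks(cfg):
    """Map each nameif to its interface network (taken from the ip address line that follows it)."""
    nets, name = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m and name:
            nets[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            name = None
    return nets

def lint(cfg):
    """Return findings; an empty list means routes and BGP peering are consistent."""
    nets = connected_networks(cfg)
    findings = []
    # Static routes must name a configured nameif and point at a next hop on that interface.
    for m in re.finditer(r"^\s*route (\S+) \S+ \S+ (\S+)", cfg, re.M):
        ifname, nh = m.group(1), ipaddress.ip_address(m.group(2))
        if ifname not in nets:
            findings.append(f"route uses undefined nameif '{ifname}'")
        elif nh not in nets[ifname]:
            findings.append(f"next-hop {nh} is not on interface {ifname} ({nets[ifname]})")
    # An eBGP peer outside every connected subnet is only reachable with ebgp-multihop.
    multihop = set(re.findall(r"neighbor (\S+) ebgp-multihop", cfg))
    for peer in set(re.findall(r"neighbor (\S+) remote-as", cfg)):
        on_link = any(ipaddress.ip_address(peer) in n for n in nets.values())
        if not on_link and peer not in multihop:
            findings.append(f"eBGP neighbor {peer} is not directly connected and lacks ebgp-multihop")
    return findings
```

The same function also works on the VTI fragments further down, since `nameif vti` plus its 169.254.0.x/30 address is parsed like any other interface.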
Checking
The ASAv learns the spoke route (172.16.31.0/24):

Spoke 30 learns the routes advertised by the ASA (172.16.41.0, .16 and .32):

Testing

ASAv at Aviatrix:
crypto ikev2 enable management
!
crypto ikev2 policy 1
encryption aes
integrity sha
group 14
lifetime seconds 28800
!
crypto ipsec ikev2 ipsec-proposal SET1
protocol esp encryption aes
protocol esp integrity sha-1
!
crypto ipsec profile PROFILE1
set ikev2 ipsec-proposal SET1
set security-association lifetime seconds 27000
set security-association lifetime kilobytes unlimited
set pfs none
!
tunnel-group 52.168.138.163 type ipsec-l2l
tunnel-group 52.168.138.163 ipsec-attributes
ikev2 local-authentication pre-shared-key cisco
ikev2 remote-authentication pre-shared-key cisco
!
interface tunnel 100
nameif vti
ip address 169.254.0.1 255.255.255.252
tunnel source interface management
tunnel destination 52.168.138.163
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE1
!
route vti 10.4.2.0 255.255.255.0 169.254.0.2
Remote ASAv:
crypto ikev2 enable management
crypto ikev2 policy 1
encryption aes
integrity sha
group 14
lifetime seconds 28800
!
crypto ipsec ikev2 ipsec-proposal SET1
protocol esp encryption aes
protocol esp integrity sha-1
!
crypto ipsec profile PROFILE1
set ikev2 ipsec-proposal SET1
set security-association lifetime seconds 27000
set security-association lifetime kilobytes unlimited
set pfs none
!
tunnel-group 13.68.220.32 type ipsec-l2l
tunnel-group 13.68.220.32 ipsec-attributes
ikev2 local-authentication pre-shared-key cisco
ikev2 remote-authentication pre-shared-key cisco
!
interface tunnel 100
nameif vti
ip address 169.254.0.2 255.255.255.252
tunnel source interface management
tunnel destination 13.68.220.32
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE1
!
route vti 172.16.51.0 255.255.255.0 169.254.0.1
References
https://docs.aviatrix.com/HowTos/azure_bgpolan_multi_peer.html?highlight=bgpolan