Setting Up Azure Site-to-Site With Small Business Router (ISA500)

LIG Starting Network
Currently our network looks like this:
Clearly it's about as vanilla as possible.
The DHCP Server assigns IPs for all users in the 10.10.1.100-254 range. Servers have static IPs in the 10.10.1.10-25 range (with Active Directory Servers at 10.10.1.11 and 10.10.1.16).

Our local router is currently an ISA550 (an ISA500-series model), but you could do this with any router that supports site-to-site VPN. These look capable too:

  • RV0*2
  • TPLink R600VPN


Log in to the portal at https://manage.windowsazure.com/

Go To New -> Network Services -> Virtual Network -> Custom Create


Azure Step 1

Give the network a name (I'm using the unoriginal AzureVPN) and click the arrow.

Azure Step 2

  1. We have two AD servers on our LAN, so I add them as DNS servers so that Azure VMs can join the domain. I also add a public DNS server so that Azure VMs can still reach the internet if the VPN is down. Keep the AD servers at the top of the list: a public resolver that answers first does not know your internal names and will break domain lookups.
  2. Check the box that says "Configure a site-to-site VPN".
  3. Click the advance arrow.

Azure Step 3
This is where you describe your current (on-premises) network.

  • Name: Local Network
    (or something that describes where the LAN is, like Florida Office)
  • VPN Device IP Address: 13.37.13.37
    (the public IP of the router; Azure will only talk to this address, so it has to be static)
  • Address Space: 10.10.1.0/24
    (the network address and prefix length of the local network)
  • Click the advance arrow

Azure Step 4

This is where you describe the new network. The portal proposes the next available block after your LAN's address space (10.10.2.0 here).

  • CIDR: /25
    (how many addresses the virtual network gets: 128, which I think is enough. Azure reserves a few addresses in every subnet and the gateway subnet takes some more, so the number of VMs you can actually place is lower)
  • Click add gateway subnet
  • Click the Done checkmark
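Before clicking through, it is worth checking the plan on paper. The following is an added example (not from the original post) using Python's ipaddress module: it reproduces the portal's "next block after the LAN" choice, rejects overlapping ranges, and shows why a /25 does not give 128 VMs. The reserved-address rule is Azure's own; the split into a 10.10.2.0/26 VM subnet and a 10.10.2.64/29 gateway subnet, and the function names, are assumptions of mine, not something the post states.

```python
"""Sanity-check the address plan from Azure Steps 3 and 4 before creating the network.
Added example, not from the original post. The reserved-address rule is Azure's own
(first four and last address of every subnet are unusable, which is why the first VM
below lands on .4); the subnet layout handed to plan_vnet() is an assumption."""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5  # .0, .1 (gateway), .2 and .3 (Azure DNS), broadcast


def next_block_after(lan: str, prefix: int) -> str:
    """The block the portal proposes: the first /prefix network starting after the LAN."""
    lan_net = ipaddress.ip_network(lan)
    cand = ipaddress.ip_network(f"{lan_net.broadcast_address + 1}/{prefix}", strict=False)
    while cand.overlaps(lan_net):  # strict=False rounds down to a boundary, possibly onto the LAN
        cand = ipaddress.ip_network(f"{cand.broadcast_address + 1}/{prefix}", strict=False)
    return str(cand)


def plan_vnet(lan: str, vnet: str, vm_subnet: str, gateway_subnet: str) -> dict:
    """Reject overlaps, then report what the LAN router and the first VM will see."""
    lan_net, vnet_net = ipaddress.ip_network(lan), ipaddress.ip_network(vnet)
    vm_net, gw_net = ipaddress.ip_network(vm_subnet), ipaddress.ip_network(gateway_subnet)
    if lan_net.overlaps(vnet_net):
        raise ValueError(f"{vnet} overlaps the LAN {lan}: nothing could be routed over the tunnel")
    for name, net in (("VM subnet", vm_net), ("gateway subnet", gw_net)):
        if not net.subnet_of(vnet_net):
            raise ValueError(f"{name} {net} lies outside the address space {vnet}")
    if vm_net.overlaps(gw_net):
        raise ValueError("the VM subnet and the gateway subnet overlap")
    return {
        # Azure hands out .4 first because .0-.3 are reserved in every subnet
        "first_vm_address": str(vm_net.network_address + 4),
        "usable_vm_addresses": vm_net.num_addresses - AZURE_RESERVED_PER_SUBNET,
        # what to type as Remote Subnet on the router: network plus dotted mask, not the CIDR
        "router_remote_subnet": (str(vnet_net.network_address), str(vnet_net.netmask)),
    }
```

The tuple returned as router_remote_subnet is the form the ISA500 wizard asks for later in Router Step 5, and for a /25 the mask is 255.255.255.128, not 255.255.255.0.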

Azure Step 5

  1. Go to the network dashboard
  2. Click Create Gateway
  3. Click Static Routing (a policy-based gateway; the device script you download in Step 7 is written for this mode)
  4. While it's loading, go create a new VM
    (I like an extra small Linux one just to make sure things are working)

Azure Step 6 : Creating the Test VM

  1. New -> Compute -> Virtual Machine -> From Gallery
  2. Choose an image, give it a name, tier, size, and set up a password, then click the advance arrow
  3. Choose a "REGION/AFFINITY GROUP/VIRTUAL NETWORK" of "AzureVPN"
  4. It will pick the subnet automatically for you
  5. Back to the network dashboard
  6. Wait for the gateway

Azure Step 7 : Gathering Info


Info to gather

  1. Write down / save the Gateway IP Address
  2. Download the VPN device script. I picked:
    ASA 5500
    ASA Software 8.3
    The config file is plain text and very easy to read; it holds every value the router wizard asks for.
  3. Shared Key: click Manage Key -> write down / save the key. It is the only thing authenticating your router to Azure, so treat it like a password (the downloaded script embeds it as well) and don't paste it into tickets or email.


Router Step 1

On mine (ISA500) there is a Configure Site-to-Site VPN wizard.

Router Step 2 : VPN Peer Settings

  • Profile Name: AzureVPN (for reference, no real reason)
  • Remote Address: 23.100.26.55 (the Gateway IP Address saved from the dashboard in Step 7)
  • Pre-Shared Key: the key copied in Step 7, part 3
  • Next

Router Step 3 : IKE Policies


Add IKE Policy

  • Name: AzureIKE (for reference, no real reason)
  • Encryption: ESP AES 256 (from the .cfg file)
  • Hash: SHA1 (from the .cfg file)
  • Authentication: PRE_SHARE (from the .cfg file)
  • D-H Group: Group 2 (from the .cfg file)
  • Lifetime: 8 Hour 0 Min 0 Sec (the .cfg file says 28800 seconds; the wizard wants hours)
  • Next

Take these from the .cfg file rather than picking stronger ones: both ends have to propose the same IKE settings or phase 1 never completes.

Router Step 4 : Transform Sets

Add Transform Set

  • Name: AzureTransform (for reference, no real reason)
  • Integrity: ESP_SHA1_HMAC (from the .cfg file)
  • Encryption: ESP_AES_256 (from the .cfg file)
  • Next

Router Step 5 : Local and Remote Networks


Add Local Subnet (we are describing our LAN)

  • Name: LocNet (for reference, no real reason)
  • Type: Network
  • IP Address: 10.10.1.0
  • NetMask: 255.255.255.0
  • Save

Add Remote Subnet (we are describing the new virtual network)

  • Name: AzureNet (for reference, no real reason)
  • Type: Network
  • IP Address: 10.10.2.0
  • NetMask: 255.255.255.0
  • Save

The remote subnet has to match the address space the virtual network got in Step 4 exactly (for a /25 that is netmask 255.255.255.128). The access-list line in the .cfg file shows what Azure expects; a selector mismatch is the usual cause of a phase 2 failure on a static-routing tunnel.

Next -> Save

If your router asks for settings not covered here, search the .cfg file; you will probably find them there.
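To pull those values out of the downloaded script rather than reading them off by eye, here is a small parser, as an added example that is not part of the original post nor any tool of Azure's or Cisco's. The sample script inside it is constructed in the style of the ASA 8.3 file (the function and field names are mine, and the placeholder key is not a real one); it converts the 28800-second lifetime to the wizard's hours, compares the access-list against the subnets entered in Router Step 5, and flags that the file embeds the pre-shared key.

```python
"""Map an Azure-generated ASA-style VPN device script onto the ISA500 wizard fields.
Added example; SAMPLE_CFG is constructed in the style of the ASA 8.3 script, not the real file."""
import ipaddress

SAMPLE_CFG = """\
! constructed sample, not the script Azure generated
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
access-list azure-vpn-acl extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.128
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map azure-crypto-map 1 set peer 23.100.26.55
tunnel-group 23.100.26.55 type ipsec-l2l
tunnel-group 23.100.26.55 ipsec-attributes
 pre-shared-key PLACEHOLDER-NOT-A-REAL-KEY
"""

# ASA keywords -> the labels the ISA500 wizard uses in Router Steps 3 and 4
IKE_ENC = {"aes-256": "AES_256", "aes": "AES_128", "3des": "3DES"}
IKE_HASH = {"sha": "SHA1", "md5": "MD5"}
ESP_ENC = {"esp-aes-256": "ESP_AES_256", "esp-aes": "ESP_AES_128", "esp-3des": "ESP_3DES"}
ESP_AUTH = {"esp-sha-hmac": "ESP_SHA1_HMAC", "esp-md5-hmac": "ESP_MD5_HMAC"}


def lifetime_hms(seconds: int) -> tuple:
    """ASA lifetimes are in seconds; the wizard wants hours/minutes/seconds (28800 -> 8h)."""
    return seconds // 3600, (seconds % 3600) // 60, seconds % 60


def parse_device_script(text: str) -> dict:
    """Indented lines belong to the last un-indented header (isakmp policy / tunnel-group)."""
    cfg = {"ike": {}, "ipsec": {}, "selectors": [], "peer": None, "psk_in_file": False}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if not line.startswith(" "):
            section = None
            if line.startswith(("crypto isakmp policy", "crypto ikev1 policy")):
                section = "ike"
            elif line.startswith("tunnel-group") and tokens[-1] == "ipsec-attributes":
                section, cfg["peer"] = "tunnel", tokens[1]
            elif line.startswith("access-list") and "permit" in tokens and "ip" in tokens:
                i = tokens.index("ip")  # ... permit ip SRC SRCMASK DST DSTMASK
                cfg["selectors"].append((ipaddress.ip_network(f"{tokens[i + 1]}/{tokens[i + 2]}"),
                                         ipaddress.ip_network(f"{tokens[i + 3]}/{tokens[i + 4]}")))
            elif line.startswith("crypto ipsec") and "transform-set" in tokens:
                for t in tokens:
                    if t in ESP_ENC:
                        cfg["ipsec"]["encryption"] = ESP_ENC[t]
                    elif t in ESP_AUTH:
                        cfg["ipsec"]["integrity"] = ESP_AUTH[t]
            elif line.startswith("crypto ipsec security-association lifetime seconds"):
                cfg["ipsec"]["lifetime_seconds"] = int(tokens[-1])
            elif line.startswith("crypto map") and "peer" in tokens:
                cfg["peer"] = tokens[-1]
            continue
        key, value = tokens[0], tokens[-1]
        if section == "ike":
            if key == "authentication":
                cfg["ike"]["authentication"] = "PRE_SHARE" if value == "pre-share" else value.upper()
            elif key == "encryption":
                cfg["ike"]["encryption"] = IKE_ENC.get(value, value)
            elif key == "hash":
                cfg["ike"]["hash"] = IKE_HASH.get(value, value)
            elif key == "group":
                cfg["ike"]["dh_group"] = f"Group {value}"
            elif key == "lifetime":
                cfg["ike"]["lifetime_seconds"] = int(value)
        elif section == "tunnel" and "pre-shared-key" in tokens:
            cfg["psk_in_file"] = True  # deliberately not kept: the file itself is a secret
    return cfg


def wizard_fields(cfg: dict) -> dict:
    """The values to type into Router Steps 2 to 5, in the wizard's own units."""
    h, m, s = lifetime_hms(cfg["ike"]["lifetime_seconds"])
    ike, ipsec = cfg["ike"], cfg["ipsec"]
    return {"Remote Address": cfg["peer"],
            "IKE": (ike["encryption"], ike["hash"], ike["authentication"], ike["dh_group"],
                    f"{h} Hour {m} Min {s} Sec"),
            "Transform": (ipsec["integrity"], ipsec["encryption"]),
            "Remote Subnets": [(str(d.network_address), str(d.netmask)) for _, d in cfg["selectors"]]}


def check_selectors(cfg: dict, local: str, remote: str) -> list:
    """Compare the subnets typed in Router Step 5 with the script's access-list; a policy-based
    (static routing) tunnel needs both ends to agree, and a mismatch shows up as a phase 2 failure."""
    want = (ipaddress.ip_network(local), ipaddress.ip_network(remote))
    return [f"router has {want[0]} -> {want[1]} but the script has {src} -> {dst}"
            for src, dst in cfg["selectors"] if (src, dst) != want]
```

Run it against the real .cfg file you downloaded in Step 7, then delete that file: since it carries the pre-shared key, it is as sensitive as the key itself.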

Finalize and Test

I had to go to the router web UI -> VPN -> Site-to-Site -> AzureVPN -> Connect.

Go to the network dashboard and find the IP of the Azure VM (10.10.2.4). Fire up PuTTY, SSH to 10.10.2.4, log in, and magic: you are connected to the cloud. If the SSH session just hangs, check the tunnel status on the router first; nothing crosses until it shows connected.

Notes

  • Traffic coming from your LAN -> remote network (10.10.2.*) is **not** subject to the Azure firewall, so lock it down as you would any server on the LAN. The reverse is also true: a compromised Azure VM has a direct route into the LAN, so filter the tunnel on the router if you can.
  • The VM still has a public IP address and is accessible publicly through any endpoints configured in the VM settings; the VPN does not close them. Once you can reach the VM over the tunnel, remove the SSH/RDP endpoint or restrict it.
  • Updated network map (image)