Setting Up Azure Site-to-Site With Small Business Router (ISA500)

LIG Starting Network
Currently our network looks like this:
Clearly it's about as vanilla as possible.
The DHCP Server assigns IPs for all users in the range. Servers have static IPs in the range (with Active Directory Servers at and

Our local router is currently an ISA550 but you could do this with any router that supports site-to-site VPN.

  • RV0*2
  • TPLink R600VPN

look capable too.

Go To New -> Network Services -> Virtual Network -> Custom Create

Azure Step 1

Give the network a name (I'm using the unoriginal AzureVPN) and click the arrow.

Azure Step 2

  1. We have two AD servers on our LAN, so I add them so AzureVMs can join the domain. I also add a public DNS server so that AzureVMs can reach the internet if the VPN is down.
  2. Check the box that says “Configure a site-to-site VPN”
  3. Click the Advance Arrow

Azure Step 3

This is where you describe your current network.

  • Name : Local Network
    (or you can use something that describes where the LAN is, like Florida Office)
  • VPN Device IP Address :
    (the public IP of the router)
  • Address Space : /24
    (which is the IP address and network mask of the local network)
  • Click Advance Arrow

Azure Step 4

This is where you describe the new network. It's going to automatically have the next available block after your LAN’s address

  • CIDR : /25
    (how many virtual servers you could have; I think 128 would be enough)
  • Click add gateway subnet
  • Click Done CheckMark

Azure Step 5

  1. Go to the Network Dashboard
  2. Click Create Gateway
  3. Click Static Routing
  4. While it's loading: go create a new VM
    (I like an extra small Linux one just to make sure things are working)

Azure Step 6 : Creating the Test VM

  1. New-> Compute -> Virtual Machine -> From Gallery
  2. Choose an image, give it a name, tier, and size, set up a password, then click the Advance Arrow ->
  4. It will pick the subnet automatically for you
    Create VM
  5. Back to Network Dashboard
  6. Wait for Gateway

Azure Step 7 : Gathering Info


Info to gather

  1. Write down / Save Gateway IP Address
  2. Download VPN Device Script :
    ASA 5500
    ASA Software 8.3
    The config file is very easy to read (it's plain text)
  3. Shared Key: click Manage Key -> write down / save the key

Router Step 1

For mine (ISA500) :
I have a configure site-to-site VPN wizard.

Router Step 2 : VPN Peer Settings


  • Profile Name : AzureVPN (for reference, no real reason)
  • Remote Address : (the Gateway IP Address from the info saved from the dashboard)
  • Pre Shared Key : key copied from Step 7, part 3
  • Next

Router Step 3 : IKE Policies

Add IKE Policy

  • Name : AzureIKE (for reference, no real reason)
  • Encryption : ESP AES 256 (from the .cfg file)
  • Hash : SHA1 (from the .cfg file)
  • Authentication : PRE_Share (from the .cfg file)
  • D-H Group : Group 2 (from the .cfg file)
  • Lifetime : 8 Hour 0 Min 0 Sec (from the .cfg file: 28800 seconds, expressed in hours)
  • Next

Router Step 4 : Transform Sets


Add IKE Policy

  • Name : AzureTransform (for reference, no real reason)
  • Integrity : ESP_SHA1_HMAC (from the .cfg file)
  • Encryption : ESP_AES_256 (from the .cfg file)
  • Next

Router Step 5 : Local and Remote Networks


Add Local Subnet (we are describing our LAN)

  • Name : LocNet (for reference, no real reason)
  • Type: Network
  • IP Address :
  • NetMask :
  • Save

Add Remote Subnet (we are describing the new Virtual Network)

  • Name : AzureNet (for reference, no real reason)
  • Type: Network
  • IP Address :
  • NetMask :
  • Save

Next -> Save

If your router needs more settings, search the .cfg file and you will probably find them there.
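The lookup described above, pulling the IKE policy and transform-set values out of the downloaded device script, can be scripted; this is an added example, not part of the original post. It reports only whether a pre-shared key line exists and never stores or prints the key. Assumptions: the sample config is constructed in ASA 8.3 syntax (the peer address 203.0.113.10 and the key are placeholders), and `parse_vpn_cfg` is a hypothetical helper name.

```python
# Constructed sample in Cisco ASA 8.3 syntax; not the script Azure generated.
SAMPLE_CFG = """\
! constructed example; 203.0.113.10 and the key are placeholders
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ipsec transform-set azure-set esp-aes-256 esp-sha-hmac
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key CONSTRUCTED-NOT-A-REAL-KEY
"""

# ASA keyword -> label used on the router's IKE policy page
IKE_FIELDS = {"authentication": "Authentication", "encryption": "Encryption",
              "hash": "Hash", "group": "D-H Group", "lifetime": "Lifetime"}

def hms(seconds):  # lifetime in seconds -> the wizard's hour/min/sec form
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h} Hour {m} Min {s} Sec"

def parse_vpn_cfg(text):
    """Hypothetical helper: collect wizard values from an ASA-style config."""
    ike, transform, peer, psk_present, in_ike = {}, {}, None, False, False
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue  # blank line or comment
        if not raw[0].isspace():  # top-level command: opens or closes a section
            in_ike = words[:3] == ["crypto", "isakmp", "policy"]
            if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) >= 6:
                transform = dict(zip(("Name", "Encryption", "Integrity"), words[3:6]))
            elif words[0] == "tunnel-group" and len(words) >= 2:
                peer = words[1]
        elif in_ike and len(words) == 2 and words[0] in IKE_FIELDS:
            value = hms(int(words[1])) if words[0] == "lifetime" else words[1]
            ike[IKE_FIELDS[words[0]]] = value
        elif words[0] == "pre-shared-key":
            psk_present = True  # note presence only; the secret is never stored
    missing = [label for label in IKE_FIELDS.values() if label not in ike]
    return {"ike": ike, "transform": transform, "peer": peer,
            "psk_present": psk_present, "missing": missing}

if __name__ == "__main__":
    for key, value in parse_vpn_cfg(SAMPLE_CFG).items():
        print(f"{key}: {value}")
```

A non-empty `missing` list means the config did not state one of the IKE policy fields, so that value should be checked by hand before it is typed into the router.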

Finalize and Test

I had to go to the router website -> VPN -> Site-to-site -> AzureVPN -> Connect

Go to the network dashboard and see the IP for the AzureVM ( Fire up PuTTY, SSH in to log in, and like magic you are connected to the cloud.


  • Traffic coming from your LAN -> Remote Network (10.10.2.*) is **not** subject to the Azure Firewall, so lock the VM down as you would any server on the LAN
  • The VM still has a public IP address and is publicly accessible through any of the endpoints configured in the VM settings
  • Updated Network Map