Cisco ASA to Azure VPN tunnel – Route Based

October 12, 2018

So, I’ve had a problem converting the ASA’s site 2 site tunnels from Policy Based to Route Based – when trying to create the tunnel from the Azure side, the cryptomap presented from Azure is local: remote:, and if you make a VPN tunnel on your ASA with this crypto map, the ofc. all traffic will go into the tunnel, and you cannot acces the internet anymore, unless that breaks out in Azure.

So the setup need to be changed on the ASA to support a any/any crypto map and only route the traffic that actually resides in Azure through that tunnel. Looking at how routers do this, is by creating a Tunnel interface and route traffic towards Azure through this interface – so I will show here, how i mirrored that approach to the ASA.

Azure details, will be short and without screenshots:

Create a new Virtual Network Gateway
Atleast VpnGw1 SKU
Route Based

Create a Local network gateway
IP Address: WAN IP of you local ASA
Adress Space: On-Prem subnets

Create the VPN
Go to Virtual Network Gateway -> Connections and Add a new
Connection Type: Site-to-Site (IPSec)
PSK: Set this to whatever you choose – and remember it for the ASA config

The ASA:

(Guide currectly only for ASDM)

Configuration -> Site-to-Site VPN -> Advanced -> IPSEC Proposals (Transform Sets)

Add a new IKE v2 IPsec Proposal

Add a new IPsec Profile


Go to Configuration -> Device Setup -> Interface Settings -> Interfaces

Add new VTI interface


Go to Configuration -> Site-to-Site VPN -> Group Policies

Create a new Group Policy


Go to Configuration -> Site-to-Site VPN -> Advanced -> Tunnel Groups

Add a new Tunnel Group


Go to Configuration -> Device Setup -> Routing -> Static Routes

Add a new static route

Apply and Save Configuration


Microsoft recommends 2 additional settings:

Go to Configuration -> Firewall -> Advanced -> TCP Options

Set this

Go to Configuration -> Site-to-Site VPN -> Advanced -> System Options

Set this



No comments

You must be logged in to post a comment.