Create Azure Site-to-Site VPN Solution using Cisco Pix 501

    Windows Azure contains configuration Sample for Cisco ASA and Juniper Firewall to Create A Site-to-Site VPN Solution , In my Case I only Have Cisco PIX 501 and I needed to build this VPN Solution . It toke me Some time figuring out how to Do the configuration on PIX. 🙂

    In this Article I’m building a solution that span Azure Network , where some VMS are on Azure and other on local Network , below Steps that I have made for this configuration:

    Create Storage Account to Store you VM Vhd files , creating a storage Account helps assign a meaningful name to the storage location and selecting MS Data Center that will host your VHD and VM files. Select the Storage icon form the right Site then click create A Storage Account


Name your storage Account and Location , if you have multiple subscriptions you can choose the one you want to use , also you can Enable Geo-replication If needed. (don’t Do it for SQL VMS)


Create affinity groups to Keep VMs in the Same Group


Create local network , You will need to add your Firewall External Adapter Public IP address to act as VPN Gateway


Add Local Network IP address range this Defines the IP address range at your on-primes Network


Register Local DNS Server


Create Virtual Network


Select your DNS Server , Local network and Configure Site-to-Site VPN


Define Azure VMs networks and Azure gateway Network


Create static routing Gateway


Confirm Gateway Creation , it take 15 Minute to create Gateway


    Confirm gateway creation , you will need the public IP address assigned by Azure for PIX Configuration


Copy The Shared key by clicking manage Key


Configure the Cisco PIX Firewall

    object-group network RP_AzureNetwork


    object-group network RP_OnPremiseNetwork


    access-list 10 permit ip object-group RP_OnPremiseNetwork object-group RP_AzureNetwork

    nat (inside) 0 access-list 10

    sysopt connection tcpmss 1350

    sysopt connection permit-ipsec

    crypto ipsec transform-set RPAzure esp-aes-256 esp-sha-hmac

    crypto ipsec security-association lifetime seconds 3600 kilobytes 102400000

    crypto map RP_Azmap 20 ipsec-isakmp

    crypto map RP_Azmap 20 match address 10

    crypto map RP_Azmap 20 set peer 137.Azure.Public.IP

    crypto map RP_Azmap 20 set transform-set RPAzure

    crypto map RP_Azmap interface outside

    isakmp enable outside

    isakmp key ******** address 137.Azure.Public.IP netmask

    isakmp policy 20 authentication pre-share

    isakmp policy 20 encryption aes-256

    isakmp policy 20 hash sha

    isakmp policy 20 group 2

    isakmp policy 20 lifetime 28800

Confirm VPN Connection Status


    Done your Now connected to Azure


About Hikmat Kanaan

I’m big fan of technology; I have worked almost with every MS windows OS up to Windows 8 and server 2012 including OS deployment, AD and almost every MS OS service included major MS products ISA ,TMS, Exchange, System center ,Sharepoint ,SQL , Storage system, Networking, security, Cisco, HP, and Checkpoint products. Designing and Architecting IT solutions and infrastructure . I do admire automation and working based on best practices toward building highly reliable solution that provide the required services to Business. I also run the Jordan IT professionals user Group
This entry was posted in Azure, Private cloud, Tips and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s