Azure site to site vpn to CISCO ASA 5550 using azure public ip addresses

Question

I have a VPN with a gateway to connect to another network (a local mobile operator) which are using CISCO ASA 5550 Version 8.0(3), on azure side i would like advertise the public ip instead of the local azure network since the mobile operator security policy does not accept private ips on their configurations.

The tunnel phase 1 is coming up and the second phase fails with an error saying that the ip is not allowed which is the azure local network.

From the server (with public ip allowed in the network operator) i can ping the mobile operator network gateway but i cannot ping any server in their network.

I am not sure what can be done but am guessing a NAT (Not sure how to do this either) can do it or something i dont know?

NOTE: All resources have been setup using Azure resource manager

Answer 1

I have been able to achieve this by setting up a VPN with public IP address, Azure allows using public ip addresses in the VNet (Note that these a treated as private ip addresses inside the VPN).

The same public addresses was configured on CISCO router instead of private ip addresses.

See resources below

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-public-ip-within-vnet

https://github.com/Azure/Azure-vpn-config-samples/blob/master/Cisco/Current/ASA/Site-to-Site_VPN_using_Cisco_ASA.md

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal#values

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices