
"There are no ikev1 sa"

Olddddddd
Level 1

Hi guys,

I set up an S2S VPN between an ASA and Azure, but when I run the command "show crypto ikev1 sa" it returns "There are no ikev1 sa", and when I try to ping Google DNS to test connectivity with the Internet, it doesn't work.

All pings work, Host><ASA><Gateway.

I tried almost everything I found on the Internet about these problems (inspect icmp, twice NAT, PAT, etc.) but nothing solved them.

So here is my config: https://pastebin.com/QKqPQZXc

Accepted Solution

Ajay Saini
Level 7

There is no default gateway on the ASA. Please add a default gateway and it should work fine:

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

x.x.x.x - default gateway IP address.

HTH

-

AJ


Yes, you're right, I will try that tomorrow, thanks.

Alright, I can now ping Internet, but I still have the "There are no ikev1 sa" error.

To see that output, you would need to enable some traffic. Try to ping a known destination across the sites and see if you can see that output.

-AJ

What do you mean by output?

I can ping the ASA from a host, I can also ping the gateway from the ASA and I can ping Internet from the ASA.

That's not what I am saying. I meant that to make the IPsec tunnel live, you need to trigger some traffic. And that traffic needs to be from your subnet to the network on the Azure site.

HTH

-

AJ

Alright, but I have already tried to ping a VM in Azure from a host, and it didn't work.

Could you please run packet-tracer with your subnet as the source and the Azure subnet as the destination, and post the output.

-

AJ

Like this: packet-tracer input inside icmp 172.18.64.2 8 0 10.0.1.4 ?

Yeah, or try for TCP traffic, like:

packet-tracer input inside tcp 172.18.64.2 3344 10.0.1.4 80 det

Got it, I will try this tomorrow, thanks.

packet-tracer input inside icmp 172.18.64.2 8 0 10.0.1.4 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static onPremNetwork onPremNetwork destination static azureNetwork azureNetwork
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.1.4/0 to 10.0.1.4/0

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static onPremNetwork onPremNetwork destination static azureNetwork azureNetwork
Additional Information:
Static translate 172.18.64.2/0 to 172.18.64.2/0
 Forward Flow based lookup yields rule:
 in  id=0xb5bf78c8, priority=6, domain=nat, deny=false
        hits=3, user_data=0xb61ba6a0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xb545a650, priority=0, domain=nat-per-session, deny=true
        hits=13, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xb5bb46d8, priority=0, domain=inspect-ip-options, deny=true
        hits=17, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xb61ab210, priority=70, domain=inspect-icmp, deny=false
        hits=5, user_data=0xb61a9ab8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xb5bb4178, priority=66, domain=inspect-icmp-error, deny=false
        hits=5, user_data=0xb5bb3798, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xb61ba398, priority=70, domain=encrypt, deny=false
        hits=4, user_data=0x342c, cs_id=0xb610aa18, reverse, flags=0x0, protocol=0
        src ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static onPremNetwork onPremNetwork destination static azureNetwork azureNetwork
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xb5779058, priority=6, domain=nat-reverse, deny=false
        hits=4, user_data=0xb5be9460, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xb5777fc0, priority=70, domain=ipsec-tunnel-flow, deny=false
        hits=4, user_data=0x5fa4, cs_id=0xb610aa18, reverse, flags=0x0, protocol=0
        src ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0
        dst ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xb545a650, priority=0, domain=nat-per-session, deny=true
        hits=15, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xb5b8cc28, priority=0, domain=inspect-ip-options, deny=true
        hits=21, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

show crypto ipsec sa peer 52.178.X.X

peer address: 52.178.X.X
    Crypto map tag: s2s-crypto-map, seq num: 1, local addr: 84.199.X.X

      access-list s2s-vpn-acl extended permit ip 172.18.64.0 255.255.255.0 10.0.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (172.18.64.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
      current_peer: 52.178.X.X


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 84.199.X.X/0, remote crypto endpt.: 52.178.X.X/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: FE082EF0
      current inbound spi : EFB9A569

    inbound esp sas:
      spi: 0xEFB9A569 (4021921129)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: s2s-crypto-map
         sa timing: remaining key lifetime (kB/sec): (97200000/3472)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xFE082EF0 (4261949168)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: s2s-crypto-map
         sa timing: remaining key lifetime (kB/sec): (97200000/3472)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

I have added the nat command under the object group onPremNetwork, and with that the tunnel seems to work.

The "show crypto ikev1 sa" command tells me that the tunnel is active now, but I still can't access the Azure network.

Also, do I need to keep the dynamic NAT (PAT), since I'm not using the firewall to access the Internet but only for accessing the VPN?

I have this ACL that I use with my crypto map: access-list s2s-vpn-acl extended permit ip object onPremNetwork object azureNetwork

But do I need to add a second ACL that permits the reverse: access-list s2s-vpn-acl extended permit ip object azureNetwork object onPremNetwork ?

EDIT: It works now, I just had to wait (quite a while). Thanks for your help.
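As an added example (not code from this thread or from Cisco), a small Python helper that reads the two outputs posted above, packet-tracer and show crypto ipsec sa, and reports which of the states this thread walked through the tunnel is in: traffic never reaching the encrypt phase, no SA negotiated, SA up with zero encaps/decaps (the state shown above, where the SA exists but nothing has crossed it yet), one-way traffic, or healthy. The embedded sample text is a constructed excerpt mirroring the thread's output, not a live capture.

```python
import re
# Constructed excerpts mirroring the outputs posted in this thread (sample data, not a live capture).
PACKET_TRACER_SAMPLE = """\
Phase: 2
Type: VPN
Subtype: encrypt
Result: ALLOW
Result:
input-interface: inside
output-interface: outside
Action: allow
"""
IPSEC_SA_SAMPLE = """\
peer address: 52.178.X.X
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    inbound esp sas:
         in use settings ={L2L, Tunnel, IKEv1, }
"""

PHASE_RE = re.compile(r"Phase: \d+\nType: (\S+)\nSubtype: ?(\S*)\nResult: (\S+)")

def parse_phases(text):
    """(type, subtype, result) for every packet-tracer phase, in order."""
    return [m.groups() for m in PHASE_RE.finditer(text)]

def final_action(text):
    """Verdict from the trailing 'Action:' line ('allow' or 'drop'), or None if absent."""
    m = re.search(r"^Action: (\w+)", text, re.M)
    return m.group(1) if m else None

def sa_counters(text):
    """ESP packet counters from 'show crypto ipsec sa' as {name: count}."""
    return {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)", text)}

def diagnose(tracer_text, sa_text):
    """Map the two outputs to a tunnel state, in the order the thread checked them."""
    hits_encrypt = ("VPN", "encrypt", "ALLOW") in parse_phases(tracer_text)
    if final_action(tracer_text) != "allow" or not hits_encrypt:
        return "not encrypted: check crypto ACL, NAT exemption and interface ACLs"
    if "inbound esp sas:" not in sa_text:
        return "no IPsec SA: IKE not negotiated, check peer reachability and show crypto ikev1 sa"
    c = sa_counters(sa_text)
    if c.get("encaps", 0) == 0 and c.get("decaps", 0) == 0:
        return "SA up but idle: no interesting traffic has crossed the tunnel yet"
    if c.get("encaps", 0) > 0 and c.get("decaps", 0) == 0:
        return "one-way: we encrypt but receive nothing, check the remote side's routing/selectors"
    return "tunnel passing traffic in both directions"
```

Paste the real outputs in place of the two sample strings; the counters are what distinguish "tunnel negotiated" from "tunnel carrying traffic".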

packet-tracer input inside tcp 172.18.64.2 3344 10.0.1.4 80 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static onPremNetwork onPremNetwork destination static azureNetwork azureNetwork
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.1.4/50 to 10.0.1.4/50

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static onPremNetwork onPremNetwork destination static azureNetwork azureNetwork
Additional Information:
Static translate 172.18.64.2/3344 to 172.18.64.2/3344
 Forward Flow based lookup yields rule:
 in  id=0xb5bf78c8, priority=6, domain=nat, deny=false
        hits=2, user_data=0xb61ba6a0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xb5458090, priority=0, domain=nat-per-session, deny=false
        hits=22, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xb5bb46d8, priority=0, domain=inspect-ip-options, deny=true
        hits=16, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xb61ba398, priority=70, domain=encrypt, deny=false
        hits=3, user_data=0x342c, cs_id=0xb610aa18, reverse, flags=0x0, protocol=0
        src ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static onPremNetwork onPremNetwork destination static azureNetwork azureNetwork
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xb5779058, priority=6, domain=nat-reverse, deny=false
        hits=3, user_data=0xb5be9460, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xb5777fc0, priority=70, domain=ipsec-tunnel-flow, deny=false
        hits=3, user_data=0x5fa4, cs_id=0xb610aa18, reverse, flags=0x0, protocol=0
        src ip/id=10.0.0.0, mask=255.255.0.0, port=0, tag=0
        dst ip/id=172.18.64.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xb5458090, priority=0, domain=nat-per-session, deny=false
        hits=24, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xb5b8cc28, priority=0, domain=inspect-ip-options, deny=true
        hits=20, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 22, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
