ASA 5506 - vpn up but no local internet

danielcaine
Level 1

Hi All,

I'm trying to set up an ASA 5506-X with 3 local LANs, and one of the LANs connected via site-to-site VPN to Azure.

I have got the local configuration working OK, and after some trial and error have got a VPN config that works, in as much as the VPN to Azure comes up and passes traffic; I can see my Azure servers.

BUT... after applying the VPN config my local networks no longer have internet access.

I'm sure I'm missing something very straightforward...

I think it's my NAT rules, but someone who knows this stuff well could save me a lot of troubleshooting.

Attached are the config files (not sanitised, as this is all a test environment for the time being).

Thanks


Ajay Saini
Level 7

Hello,

I guess you have a route-based VPN configured on your side for Azure, which means sending everything towards Azure, so the first NAT statement matches and traffic gets blackholed.

The first thing you need to do is make the NAT statement more specific instead of using 'any' objects:

nat (inside_1,outside) source static obj_any obj_any destination static obj_any obj_any no-proxy-arp route-lookup

The destination should be your Azure subnet range instead of any/any. Also, the crypto ACL has any, so you need to use a VPN filter to decide what traffic should go to Azure and what traffic goes to the internet. Since it's an any-type crypto ACL, add a filter to send only interesting traffic to the tunnel and send the rest automatically to the internet.

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

As a last resort, you can use the details in the link below to configure a policy-based VPN instead of route-based, which is the reason you have to use an any/any type crypto ACL.

https://community.cisco.com/t5/firewalls/cisco-asa-9-9-ikev2-to-microsoft-azure/m-p/3695044#M172279

Regards,

Ajay
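The NAT part of the advice above, written out as a worked ASA configuration. This is an added example, not text from the reply or from the poster's attached config. It assumes the interface name inside_1 from the NAT line quoted above, an outside interface named outside, the 172.16.1.0/24 LAN and a 10.1.0.0/16 Azure range (the addresses the poster gives later in the thread), and invented object and ACL names (LOCAL-LAN-1, AZURE-VNET, AZURE-VPN).

```text
! Added example (assumed names and addresses): exempt only LAN-to-Azure traffic
! from NAT and let everything else hit the normal PAT rule for the internet.

object network LOCAL-LAN-1
 subnet 172.16.1.0 255.255.255.0
 ! Object NAT (section 2): dynamic PAT to the outside address for any LAN
 ! traffic that does not match the identity rule below.
 nat (inside_1,outside) dynamic interface

object network AZURE-VNET
 subnet 10.1.0.0 255.255.0.0

! Twice NAT (section 1) is evaluated top-down, so the identity (no-NAT) rule
! is inserted at line 1, above any broader statement that may already exist.
! route-lookup: choose the egress interface from the routing table, not from
! the NAT rule. no-proxy-arp: do not answer ARP for 10.1.0.0/16 on inside_1.
nat (inside_1,outside) 1 source static LOCAL-LAN-1 LOCAL-LAN-1 destination static AZURE-VNET AZURE-VNET no-proxy-arp route-lookup

! Crypto ACL with specific selectors instead of any/any. The crypto map is
! matched after NAT, so with any/any the PAT'd internet traffic would also be
! pulled into the tunnel regardless of how the NAT rules are ordered.
access-list AZURE-VPN extended permit ip object LOCAL-LAN-1 object AZURE-VNET

! Checks, from enable mode:
! show nat detail
!   the identity rule must be listed above the PAT rule; its translate_hits
!   should grow when LAN hosts talk to 10.1.x.x
! packet-tracer input inside_1 tcp 172.16.1.10 12345 8.8.8.8 80
!   should end in the PAT rule and the outside route, with no VPN phase
! packet-tracer input inside_1 tcp 172.16.1.10 12345 10.1.0.10 443
!   should show the identity NAT rule followed by the VPN encrypt phase
```

Two caveats. The three Azure ranges the poster lists (10.1.0.0/16, 10.1.0.0/24, 10.1.2.0/24) all sit inside 10.1.0.0/16, so a single object covers them; if the Azure side advertises the narrower /24s as its traffic selectors, the crypto ACL needs one entry per /24 so the selectors match exactly. And the other two local LANs need their own PAT statement (or the same object-NAT pattern) if they also go out through outside, with an identity rule only if they are meant to reach Azure too.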

Hi, thanks for your reply.

I have tried various other NAT statements, but it seems whatever I do I get the same result: either the VPN is up but nothing else works, or if I change the VPN/NAT statements too much then the VPN doesn't come up.

My local subnet is 172.16.1.0/24 and the Azure subnets are 10.1.0.0/16, 10.1.0.0/24 and 10.1.2.0/24.

Any other ideas?

OK, so I changed it to the second suggestion, turned on PolicyBasedTrafficSelectors and edited the sample config.

Now I appear to have a tunnel that is up (although it seems to reconnect every minute), but no traffic passes over it and Azure never says it is connected...

Any ideas? The SonicWalls and DrayTeks I have connected to Azure have just worked!

 


ciscoasa# show crypto ikev2 sa

IKEv2 SAs:

Session-id:27778, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local Remote Status Role
112239723 82.32.234.249/500 40.85.85.40/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA384, DH Grp:24, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/20 sec
ciscoasa#

 


ciscoasa# show vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection : 40.85.85.40
Index : 55788 IP Addr : 40.85.85.40
Protocol : IKEv2
Encryption : IKEv2: (1)AES256 Hashing : IKEv2: (1)SHA384
Bytes Tx : 0 Bytes Rx : 0
Login Time : 14:49:14 UTC Tue Sep 11 2018
Duration : 0h:00m:01s

IKEv2 Tunnels: 1

IKEv2:
Tunnel ID : 55788.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA384
Rekey Int (T): 86400 Seconds Rekey Left(T): 86399 Seconds
PRF : SHA384 D/H Group : 24
Filter Name :

ciscoasa#
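An added note on reading the output above, with the commands a practitioner would run next; this is not part of the original post and the thread contains no answer to it. The first output shows the IKEv2 SA as READY but with CHILD count:0, and the session shows Bytes Tx/Rx of 0 with a one-second duration. That means the IKE SA itself negotiated but no IPsec child SA was established, so no traffic can be encrypted; a tunnel that keeps re-forming every minute with no child SA is consistent with that. The commands below are standard ASA commands; the peer address and the inside_1 interface name are taken from the thread, and 172.16.1.10 and 10.1.0.4 are assumed test hosts.

```text
! Added example: where to look when the IKE SA is up but CHILD count is 0.

! Is there any IPsec SA for this peer at all, and are pkts encaps/decaps counting?
show crypto ipsec sa peer 40.85.85.40

! The IKE SA with the proposal it negotiated and the selectors it offered
show crypto ikev2 sa detail

! What the ASA will offer for phase 2: crypto map entry, its ACL and its
! IPsec proposals. Both sides must agree on these and on the traffic selectors.
show crypto map
show running-config crypto ipsec
show running-config crypto ikev2

! Watch the child SA negotiation on a fresh attempt. A TS_UNACCEPTABLE notify
! in the debug means the traffic selectors do not match what Azure expects;
! NO_PROPOSAL_CHOSEN means the IPsec (phase 2) proposal does not match.
debug crypto ikev2 protocol 127
clear crypto ikev2 sa
! Generate interesting traffic from the LAN side while the debug runs, e.g.
packet-tracer input inside_1 icmp 172.16.1.10 8 0 10.1.0.4
! and stop debugging when done
undebug all
```

With policy-based selectors on the Azure side, each crypto ACL entry on the ASA must correspond one-to-one to a local/remote network pair that the Azure local network gateway defines; a /16 on one side and /24s on the other will not be accepted as a child SA even though the IKE SA comes up.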
