ASAv Azure: VPN client traffic doesn't pass unless hide NAT to inside

ronnie.shih
Level 1

We have an ASAv deployed in Azure, running code 9.14(2)15. For the record, this ASAv was deployed by a consultant, not me originally. The inside and outside interfaces sit in the same Azure vnet, I believe this has to be the case? We have a public IP address assigned to the "outside" interface. End users are able to AnyConnect VPN in from the internet, however, unless the VPN subnet of 10.180.8.0/21 is configured to hide NAT behind the inside interface of the ASAv, no traffic from the VPN client can pass anywhere.

Basically:

nat (outside,inside) source dynamic VPN-Subnet interface

With "VPN-subnet" being 10.180.8.0/21

We are in the process of deploying a NAC solution and basically need the NAC appliance to reach the actual VPN IP address of VPN-ed in endpoints. Right now, this is not possible with hide NAT of the client VPN tool in place.

Thoughts? Thank you!

2 Replies

@ronnie.shih you need a NAT exemption rule to ensure the traffic is not unintentionally translated. Example:

https://integratingit.wordpress.com/2022/01/16/asa-nat-exemption/
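What the exemption suggested above looks like next to the hide-NAT rule from the original post, as an added example that is not from either poster. The object name INSIDE-NETS and its 10.180.0.0/21 subnet are constructed placeholders for the Azure VNet address space behind the inside interface; VPN-Subnet is the 10.180.8.0/21 pool from the question.

```text
! Objects for the AnyConnect pool and the (placeholder) VNet address space
object network VPN-Subnet
 subnet 10.180.8.0 255.255.248.0
object network INSIDE-NETS
 subnet 10.180.0.0 255.255.248.0

! Manual (twice) NAT is evaluated top-down. The identity rule is placed at
! line 1 so it matches before the hide-NAT rule: VPN clients keep their
! real pool address toward the VNet, which is what the NAC appliance needs.
nat (outside,inside) 1 source static VPN-Subnet VPN-Subnet destination static INSIDE-NETS INSIDE-NETS no-proxy-arp route-lookup
nat (outside,inside) source dynamic VPN-Subnet interface

! Verify rule order, then trace a constructed client-to-VNet flow and check
! the NAT phase shows the identity rule rather than the dynamic one.
show nat detail
packet-tracer input outside tcp 10.180.8.10 12345 10.180.0.20 443
```

If packet-tracer shows the identity rule matching and the flow still fails end to end, NAT is not the blocker and the Azure-side routing of 10.180.8.0/21 back toward the ASAv inside interface is the next thing to verify.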

ronnie.shih
Level 1

It is a one-armed VPN concentrator and we do not have a dynamic PAT back out for Azure VMs in Azure vNets for internet access, therefore, NAT exemption for the VPN client pool range from inside to outside interface is not required. We do not use this as an internet egress point for the Azure network.

I am being told this is a limitation of the Azure vnet design and an Azure Routeserver needs to sit in between the ASAv and the vNet.
