ASAv in Azure - AnyConnect unable to reach on-prem resources

jf1134
Level 1

I'm currently evaluating a Cisco ASAv in Azure. Right now, all that I am evaluating is client VPN using AnyConnect. When connected, I need it to be able to access resources in Azure as well as on-prem.

So far I have it set up to access the Azure part, but I can't get to anything that's on-prem.

In Azure, I've set up the VNET peerings, and the ASA VNET is set to use remote gateways and the Azure side is set to use gateway transit.

Is there another configuration that I am missing in order for the AnyConnect client to access anything that is on the Virtual Network Gateway? I thought the peerings would be enough.

Thanks in advance for any help.

Here's the configuration.


ASA Version 9.14(1)
!
hostname ASA
enable password ***** pbkdf2
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
dns-guard
no mac-address auto
ip local pool VPN 10.100.100.2-10.100.100.254 mask 255.255.255.0

!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 10.10.1.4 255.255.255.0
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.10.2.4 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
no management-only
nameif management
security-level 0
ip address dhcp setroute
!
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 168.63.129.16
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-inside
subnet 10.10.2.0 255.255.255.0
object network VPN-Pool
subnet 10.100.100.0 255.255.255.0
object network 172.16.0.0
subnet 172.16.0.0 255.255.0.0
object network obj-Net
subnet 172.16.0.0 255.255.0.0
access-list VPN_Split_Tunnel standard permit 10.250.0.0 255.255.0.0
access-list VPN_Split_Tunnel standard permit 10.100.100.0 255.255.255.0
access-list VPN_Split_Tunnel standard permit 172.16.0.0 255.255.0.0
access-list VPN_Split_Tunnel standard permit 172.16.128.0 255.255.128.0
access-list VPN_Split_Tunnel standard permit 10.10.0.0 255.255.0.0
pager lines 23
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (management,management) source static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool
!
object network VPN-Pool
nat (any,management) dynamic interface dns
access-group Outside_access_in in interface Outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server AzureLDAP protocol ldap
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0
keypair ASDM_TrustPoint0
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0509
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 1af6cd4e853613a5fa496ccbf9c28bbc
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 10.10.0.5 255.255.255.255 management
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 Outside
ssl trust-point ASDM_TrustPoint0 Inside
ssl trust-point ASDM_TrustPoint0 management
webvpn
enable Outside
enable management
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
anyconnect profiles AzureVPN disk0:/azurevpn.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_AzureVPN internal
group-policy GroupPolicy_AzureVPN attributes
dns-server value
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel
default-domain value .local
webvpn
anyconnect profiles value AzureVPN type user
anyconnect ask none default anyconnect
dynamic-access-policy-record DfltAccessPolicy
username asa_admin password ***** pbkdf2 privilege 15
username jfazio password ***** pbkdf2
tunnel-group Azure-VPN type remote-access
tunnel-group Azure-VPN general-attributes
address-pool VPN
authentication-server-group AzureLDAP
default-group-policy GroupPolicy_Azure-VPN
tunnel-group Azure-VPN webvpn-attributes
group-alias Azure-VPN enable
tunnel-group AzureVPN type remote-access
tunnel-group AzureVPN general-attributes
address-pool VPN
authentication-server-group AzureLDAP
default-group-policy GroupPolicy_AzureVPN
tunnel-group AzureVPN webvpn-attributes
group-alias AzureVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect snmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:b1994f371ec607e39d3dffbc3d4b9b88
: end
ASA#
