External Network Pass through IPSec VPN between two Azure Subscriptions

microensure
Level 1

Scenario and Objective:

We have two Azure subscriptions. In one Azure subscription (Subscription 1), behind the ASAv firewall (ASA04), there are two networks: 192.168.10.0/24 (inside) and 192.168.20.0/24 (DMZ). In the second subscription (Subscription 2), behind the ASAv firewall (ASA03), there are also two networks: 10.50.10.0/24 (inside) and 10.50.20.0/24 (DMZ). We have a functional policy-based IPsec site-to-site VPN tunnel between the two ASAv firewalls in the two subscriptions. The IPsec tunnel is successfully passing traffic for the 192.168.0.0 and 10.50.0.0 networks. In Subscription 1, there is an additional network, 192.168.50.0/24, which is external to the ASAv firewall and is connected to the VNet only. We want to pass this 192.168.50.0/24 network's traffic through the already established IPsec site-to-site VPN tunnel so that it can communicate to and from the 10.50.0.0 networks behind the firewalls in Subscription 2. Is this possible with the current functional configuration, and if so, what additional changes can be made to achieve this?

 

Limitations:

The network 192.168.50.0/24 cannot be deployed behind the firewall because ASA04 does not have any additional interfaces to accommodate it, nor does it have any subinterface capability.

 

Attached are the scenario design and truncated configurations for reference.

1 Reply

Jay Ponce
Cisco Employee

Yes, you are able to pass an external network of the ASA over the site-to-site VPN by adding a NAT exemption and adding the network to the ACL.

 

  1. The NAT will be a NAT exemption:
    • NAT (in,out) source static NET-A NET-A destination static NET-B NET-B
    • where NET-A is 192.168.50.0/24 and NET-B is 10.50.0.0.
  2. Add the network to the ACL.
  3. Route the traffic on the computers to the ASA external IP.
    • This step is crucial to avoid routing loops.

Even though you are able to set up external subnets over the VPN, it is best practice to create another subnet and utilize route tables to route the traffic to the inside or DMZ interface of the ASA.

The link below provides more information on creating subnets and custom routes.

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal
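The three steps above, written out as an added ASA configuration example (constructed for this thread, not the poster's attached config). Object names, the crypto ACL names, the dmz/inside/outside interface names and the gateway placeholder are assumptions; because 192.168.50.0/24 sits on the VNet outside ASA04, its packets enter and leave the outside interface, so the exemption is written as (outside,outside) and hairpinning must be permitted.

```cisco
! ---- ASA04 (Subscription 1) ----
object network NET-EXT-50
 subnet 192.168.50.0 255.255.255.0
object network NET-REMOTE-10-50
 subnet 10.50.0.0 255.255.0.0
!
! Traffic from the external subnet arrives on outside and re-enters
! the tunnel on outside: allow the U-turn on the same interface.
same-security-traffic permit intra-interface
!
! Reach the VNet-only subnet via the outside subnet's Azure gateway
! (placeholder address, replace with the real next hop).
route outside 192.168.50.0 255.255.255.0 <OUTSIDE-SUBNET-GATEWAY>
!
! Step 1: identity NAT (NAT exemption) so the source is not translated
! before the packet is matched against the crypto ACL.
nat (outside,outside) source static NET-EXT-50 NET-EXT-50 destination static NET-REMOTE-10-50 NET-REMOTE-10-50 no-proxy-arp route-lookup
!
! Step 2: add the new pair to the crypto ACL already bound to the tunnel.
access-list VPN-TO-SUB2 extended permit ip 192.168.50.0 255.255.255.0 10.50.0.0 255.255.0.0
!
! ---- ASA03 (Subscription 2): mirror image, one exemption per local interface ----
object network NET-EXT-50
 subnet 192.168.50.0 255.255.255.0
object network NET-LOCAL-10-50
 subnet 10.50.0.0 255.255.0.0
nat (inside,outside) source static NET-LOCAL-10-50 NET-LOCAL-10-50 destination static NET-EXT-50 NET-EXT-50 no-proxy-arp route-lookup
nat (dmz,outside) source static NET-LOCAL-10-50 NET-LOCAL-10-50 destination static NET-EXT-50 NET-EXT-50 no-proxy-arp route-lookup
access-list VPN-TO-SUB1 extended permit ip 10.50.0.0 255.255.0.0 192.168.50.0 255.255.255.0
!
! Step 3 is done in Azure, not on the ASA: a route table on the
! 192.168.50.0/24 subnet sends 10.50.0.0/16 to ASA04's outside
! private IP as a virtual-appliance next hop (see the linked tutorial).
!
! Checks: simulate a flow from the external subnet and confirm a new
! IPsec SA appears for the 192.168.50.0/24 <-> 10.50.0.0/16 selector.
packet-tracer input outside icmp 192.168.50.10 8 0 10.50.10.10
show crypto ipsec sa
```

If packet-tracer shows the packet dropped at the NAT or VPN phase, the exemption or the crypto ACL entry is the one to revisit; a mismatch between the two peers' ACLs shows up as a proposal failure in show crypto ikev1/ikev2 sa rather than as a forwarding drop.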
