When VPN Connection is up I get no Internet traffic to home network

jjwarr
Level 1

Hey guys,

Firewall ASA5506-X

I am baffled and can't figure out why, when the VPN is up to Azure, I lose all internet traffic on my home network. (I am a complete noob to Cisco, so excuse my ignorance, and I hope it's something simple.)

I have a site-to-site VPN - home network to Azure. I used the config script provided by Azure to configure the ASA with the VPN settings.

Running config below:

Result of the command: "show running-config"


ASA Version 9.7(1)4
!

interface GigabitEthernet1/1
nameif outside
security-level 0
pppoe client vpdn group Test
ip address pppoe
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network internal-lan
subnet 192.168.1.0 255.255.255.0
object network Outside
subnet 0.0.0.0 0.0.0.0
object network Network1
subnet 192.168.1.0 255.255.255.0
object network Azure
subnet 10.1.0.0 255.255.0.0
object-group service DM_INLINE_SERVICE_1
object-group service DM_INLINE_SERVICE_2
object-group service DM_INLINE_SERVICE_3
object-group service DM_INLINE_SERVICE_4
object-group network AzureNetworksANY
description Azure-Virtual-Network_ANY[0/0]_Representation
network-object 0.0.0.0 0.0.0.0
object-group network OnpremisesNetworksANY
description Onpremises-Network_ANY[0/0]_Representation
network-object 0.0.0.0 0.0.0.0
object-group network DM_INLINE_NETWORK_1
network-object object internal-lan
network-object object obj_any
object-group network DM_INLINE_NETWORK_2
network-object object Azure
network-object object obj_any
access-list Default standard permit 192.168.1.0 255.255.255.0
access-list Azure-ACL extended permit ip object obj_any object obj_any log notifications
access-list outside_cryptomap_1 extended permit ip object internal-lan object Azure
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (any,outside) source dynamic Network1 interface
nat (inside,outside) source static obj_any obj_any destination static obj_any obj_any no-proxy-arp route-lookup
nat (inside,outside) source static internal-lan internal-lan destination static Azure Azure no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 212.30.7.8 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal Azure-Ipsec-Tunnel-Home-40.117.138.5
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup
crypto map outside_map 1 match address Azure-ACL
crypto map outside_map 1 set peer 40.117.138.5
crypto map outside_map 1 set ikev2 ipsec-proposal Azure-Ipsec-Tunnel-Home-40.117.138.5
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 40.117.138.5
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28800
crypto ikev2 enable outside
crypto ikev1 enable outside
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group GSY request dialout pppoe
vpdn group GSY localname *****
vpdn group GSY ppp authentication chap
vpdn group VDSL request dialout pppoe
vpdn group VDSL localname ******
vpdn group VDSL ppp authentication chap
vpdn group Test request dialout pppoe
vpdn group Test localname ******* 
vpdn group Test ppp authentication chap
vpdn username ******* password *****
vpdn username *******  password *****

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd dns 8.8.8.8 4.4.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
group-policy AzureGroupPolicy internal
group-policy AzureGroupPolicy attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 40.117.138.5 type ipsec-l2l
tunnel-group 40.117.138.5 general-attributes
default-group-policy AzureGroupPolicy
tunnel-group 40.117.138.5 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
no tunnel-group-map enable peer-ip
tunnel-group-map default-group 40.117.138.5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8be36f92542fdeda5023057b770e912a
: end

4 Replies

Florin Barhala
Level 6
That's because the site-to-site to Azure uses this ACL for encryption:

access-list Azure-ACL extended permit ip object obj_any object obj_any log notifications

meaning all your traffic will be encrypted and sent to the IPSEC tunnel with Azure.
You just have to rewrite that ACL and specify precise source and destinations you need.

Thanks for the response, Florin, and for narrowing down where to look. I am new to ACLs, so forgive me: are you suggesting that in the Azure-ACL I add another rule, or edit the current one and allow HTTP and HTTPS traffic?

The source and destination networks are correct in that rule from what I can see (home network as 'source' and Azure as 'destination').
That ACL refers to obj_any; is this what you really need towards Azure?

Marvin Rhoads
Hall of Fame

It looks like you've tried a few different things with the config and didn't clean up all the bits that didn't work. Primarily, you have two crypto maps to the same peer:

crypto map outside_map 1 match address Azure-ACL
crypto map outside_map 1 set peer 40.117.138.5
<snip>
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 40.117.138.5

The first one will take precedence. The ACL it calls is "Azure-ACL":

access-list Azure-ACL extended permit ip object obj_any object obj_any log notifications

What you need is the second one:

access-list outside_cryptomap_1 extended permit ip object internal-lan object Azure

Ideally the ACL in the second one would be named "Azure-ACL" for clarity.

In any case, that first ACL is matching all traffic and sending it down the tunnel as @Florin Barhala noted.

Once your non-Azure traffic gets to the Azure cloud it will not be handled properly because even if Azure knows to route it back out to the public Internet, it likely doesn't have a NAT rule for it to translate your home private IP addresses to the public ones.
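The two faults the replies found by reading the config (a crypto-map ACL that selects any-to-any traffic, and two crypto map sequences pointing at the same peer) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it parses only the network-object, object-based ACL and crypto-map lines it needs, and the embedded config is a constructed excerpt of the one posted above.

```python
# Added example (not from the thread or from Cisco): audit an ASA running-config for
# crypto-map entries whose match ACL selects "any" traffic, and for one peer referenced by
# several sequence numbers. SAMPLE_CONFIG is a constructed excerpt of the thread's config.
import re
from collections import defaultdict
ANY = ("0.0.0.0", "0.0.0.0")   # a "subnet 0.0.0.0 0.0.0.0" object matches everything

SAMPLE_CONFIG = """
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network internal-lan
subnet 192.168.1.0 255.255.255.0
object network Azure
subnet 10.1.0.0 255.255.0.0
access-list Azure-ACL extended permit ip object obj_any object obj_any log notifications
access-list outside_cryptomap_1 extended permit ip object internal-lan object Azure
crypto map outside_map 1 match address Azure-ACL
crypto map outside_map 1 set peer 40.117.138.5
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 40.117.138.5
"""

def parse(config):
    objects, acls, maps, current = {}, defaultdict(list), defaultdict(dict), None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)                      # the following subnet line belongs to it
        elif m := re.match(r"subnet (\S+) (\S+)$", line):
            objects[current] = (m.group(1), m.group(2))
        elif m := re.match(r"access-list (\S+) extended permit \S+ object (\S+) object (\S+)", line):
            acls[m.group(1)].append((m.group(2), m.group(3)))
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            maps[(m.group(1), int(m.group(2)))]["acl"] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            maps[(m.group(1), int(m.group(2)))]["peer"] = m.group(3)
    return objects, acls, maps

def audit(config):
    # Returns findings as strings; an empty list means the selectors look sane.
    objects, acls, maps = parse(config)
    findings, peers = [], defaultdict(list)
    for (name, seq), entry in sorted(maps.items()):   # ASA evaluates the lowest sequence first
        peers[entry.get("peer")].append(seq)
        for src, dst in acls.get(entry.get("acl"), []):
            if objects.get(src) == ANY or objects.get(dst) == ANY:
                findings.append(f"{name} {seq}: ACL {entry['acl']} matches any traffic ({src} -> {dst})")
    for peer, seqs in peers.items():
        if len(seqs) > 1:
            findings.append(f"peer {peer} appears in sequences {seqs}; lowest ({min(seqs)}) wins")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports sequence 1 of outside_map as an any-to-any selector and the duplicate peer 40.117.138.5, the same two points raised above; after the fix (one sequence, matching internal-lan to Azure) it returns an empty list.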
