Azure to ASA to Internet

Hi, 

 

I have successfully created the site to site between our ASA to Azure.

Azure can see our internal traffic and use the resources.

 

My question is, how can I make Azure go through our ASA for Internet?

Azure > ASA > Internet?

 

I have added it into our site-to-site connection, i.e. for the Azure VM. However, it still didn't work; I have added it into the ACL too.

 

Do I need a return ACL / NAT for it to work?

Georg Pauwen
VIP Expert

How did you configure that NAT? Post the running config of your ASA and indicate which networks on the Azure side need Internet access through the ASA...

object-group network obj-local

network-object 10.0.0.0 255.255.0.0

network-object 106.10.248.151 255.255.255.255

exit

 

object-group network obj-remote

network-object 10.100.0.0 255.255.0.0

exit

 

nat (inside,outside-isp1) 1 source static obj-local obj-local destination static obj-remote obj-remote

----------------------------------

Azure (10.100.0.1) should connect over the site-to-site VPN to reach 106.10.248.151.

Hello,

 

do you have more than one ISP? If not, make sure you have:

 

same-security-traffic permit intra-interface

 

configured on your ASA...

 

Otherwise, post the full running config of your ASA...

Thanks, I already have both:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

 

However, it is still not working, and I have multiple ISPs.

Hello,

 

post the full running config of your ASA, otherwise it is just guesswork. Is the interface where the VPN terminates the same as the outgoing ISP you want to use for Internet access?

Hello,

 

try the below:

 

object-group network obj-remote

network-object 10.100.0.0 255.255.0.0
nat (inside,outside-isp1) source dynamic obj-remote interface


@Georg Pauwen wrote:

Hello,

 

try the below:

 

object-group network obj-remote

network-object 10.100.0.0 255.255.0.0
nat (inside,outside-isp1) source dynamic obj-remote interface


done but still not working

Is the interface where the VPN terminates the same as the outgoing ISP you want to use for Internet access?

Yup it is

 

Hello,

 

since the incoming interface is the same as the outgoing, you actually do need hairpinning. Add:

 

nat (outside-isp2,outside-isp2) source dynamic obj-remote interface

 

 

Thanks.

 

I have added both

 

nat (inside,outside-isp1) source dynamic obj-remote interface

nat (outside-isp2,outside-isp2) source dynamic obj-remote interface

 

However, it is still not working..

Hello,

 

remove this entry:

 

nat (inside,outside-isp1) source dynamic obj-remote interface

 

and just leave the other one in there...

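As an added illustration (not code from this thread or from Cisco), the script below models how the ASA walks its section-1 (twice) NAT rules in order, and shows why a rule written as (inside,outside-isp1) can never catch traffic that enters from the Azure side on the VPN-terminating interface, while a (outside-isp2,outside-isp2) hairpin rule does, and why the hairpin is dropped outright without same-security-traffic permit intra-interface. Interface and object names follow the thread; the interface addresses, the destinations 10.0.0.5 and 8.8.8.8, and the placement of the identity NAT on outside-isp2 (where the later show xlate output puts it, not outside-isp1 as in the first post) are assumptions. The matching logic is a simplification of the real rule engine: static rules are treated as bidirectional, dynamic rules as forward-only, and the routing decision is supplied as the egress interface instead of being looked up.

```python
"""Model of how the ASA walks section-1 (twice) NAT rules for one packet.

Constructed example, not Cisco code.  ASA_CONFIG rebuilds the thread's
objects and NAT lines assuming the VPN terminates on outside-isp2 and Azure
hosts should reach the Internet through that same interface.
"""
import ipaddress
import re

ASA_CONFIG = """\
same-security-traffic permit intra-interface
object-group network obj-local
 network-object 10.0.0.0 255.255.0.0
 network-object 106.10.248.151 255.255.255.255
object-group network obj-remote
 network-object 10.100.0.0 255.255.0.0
nat (inside,outside-isp2) source static obj-local obj-local destination static obj-remote obj-remote
nat (inside,outside-isp1) source dynamic obj-remote interface
nat (outside-isp2,outside-isp2) source dynamic obj-remote interface
"""
# Variants reproducing the two failure modes discussed in the thread.
NO_HAIRPIN = ASA_CONFIG.replace(
    "nat (outside-isp2,outside-isp2) source dynamic obj-remote interface\n", "")
NO_INTRA = ASA_CONFIG.replace("same-security-traffic permit intra-interface\n", "")

# Assumed interface addresses (RFC 5737 ranges), used when a rule PATs to 'interface'.
INTERFACE_IP = {"outside-isp1": "198.51.100.2", "outside-isp2": "203.0.113.2"}

NAT_RE = re.compile(
    r"nat \(([^,]+),([^)]+)\) (?:\d+ )?source (static|dynamic) (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?$")


def parse_config(text):
    """Return (object_groups, nat_rules in config order, intra_interface_permitted)."""
    groups, rules, current, intra = {}, [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line == "same-security-traffic permit intra-interface":
            intra = True
        elif line.startswith("object-group network "):
            current = line.split()[-1]
            groups[current] = []
        elif line.startswith("network-object ") and current:
            tokens = line.split()
            net = (f"{tokens[2]}/32" if tokens[1] == "host"
                   else f"{tokens[1]}/{tokens[2]}")
            groups[current].append(ipaddress.ip_network(net))
        elif m := NAT_RE.match(line):
            real_if, mapped_if, kind, rsrc, msrc, rdst, mdst = m.groups()
            rules.append({"real_if": real_if, "mapped_if": mapped_if, "kind": kind,
                          "real_src": rsrc, "mapped_src": msrc,
                          "real_dst": rdst, "mapped_dst": mdst})
    return groups, rules, intra


def _member(groups, name, ip):
    """A missing destination clause (None) or 'any' matches everything."""
    if name in (None, "any"):
        return True
    return any(ip in net for net in groups[name])


def translate(config_text, ingress, egress, src, dst):
    """First-match walk of the rules for a packet entering 'ingress' that routing
    would send out 'egress'.  Returns the action and the post-NAT source."""
    groups, rules, intra = parse_config(config_text)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress == egress and not intra:
        return {"action": "drop", "rule": None, "src": src,
                "reason": "same-security-traffic permit intra-interface missing"}
    for n, r in enumerate(rules, 1):
        forward = (ingress == r["real_if"] and egress == r["mapped_if"]
                   and _member(groups, r["real_src"], src_ip)
                   and _member(groups, r["real_dst"], dst_ip))
        if r["kind"] == "static":
            # Static (identity) rules also match the return direction.
            reverse = (ingress == r["mapped_if"] and egress == r["real_if"]
                       and _member(groups, r["mapped_dst"], src_ip)
                       and _member(groups, r["mapped_src"], dst_ip))
            if forward or reverse:
                return {"action": "identity", "rule": n, "src": src}
        elif forward:
            mapped = INTERFACE_IP[egress] if r["mapped_src"] == "interface" else r["mapped_src"]
            return {"action": "pat", "rule": n, "src": mapped}
    return {"action": "no-nat", "rule": None, "src": src}


if __name__ == "__main__":
    azure, onprem, internet = "10.100.0.1", "10.0.0.5", "8.8.8.8"
    # Tunnel traffic hits the identity NAT first and keeps its private source.
    print(translate(ASA_CONFIG, "outside-isp2", "inside", azure, onprem))
    # Internet traffic from Azure is hairpinned and PATed to the outside-isp2 address.
    print(translate(ASA_CONFIG, "outside-isp2", "outside-isp2", azure, internet))
    # With only the (inside,outside-isp1) rule nothing matches: the packet never
    # enters on 'inside', so it would leave with a private source and get no reply.
    print(translate(NO_HAIRPIN, "outside-isp2", "outside-isp2", azure, internet))
    # Without intra-interface permission the hairpin is dropped before NAT.
    print(translate(NO_INTRA, "outside-isp2", "outside-isp2", azure, internet))
```

Two things the model leaves out but that decide whether this works on a real deployment: the identity NAT for tunnel traffic has to stay above the dynamic PAT in section 1 so tunnel-bound flows are never PATed, and the Azure side has to actually send 0.0.0.0/0 into the tunnel (a default route pointing at the VPN gateway, with the ASA's crypto ACL or traffic selectors covering the Azure subnet to any), otherwise the ASA never sees the Internet-bound packets at all. On the box itself, packet-tracer input outside-isp2 tcp 10.100.0.1 12345 8.8.8.8 443 performs the same walk and names the NAT line that was hit.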
nope, still not working. 

Hello,

 

post the output of:

 

show xlate

NAT from inside:10.0.0.0/16, 106.10.248.151,
106.10.248.151 to outside-isp2:10.0.0.0/16,
106.10.248.151, 106.10.248.151
flags sIT idle 0:00:04 timeout 0:00:00

NAT from outside-isp2:10.100.0.0/17 to inside:10.100.0.0/17
flags sIT idle 0:00:04 timeout 0:00:00

NAT from inside:10.0.0.0/16 to outside-isp1:10.0.0.0/16
flags sIT idle 0:00:16 timeout 0:00:00