Azure to ASA to Internet

dylan.su18@gmail.com · ‎10-28-2019

Hi,

I have successfully created the site to site between our ASA to Azure.

Azure can see our internal traffic and use the resources.

My question is, how can I make Azure goes through our ASA for internet?

Azure > ASA > Internet?

I have added it into our site to site connection for i.e the Azure VM. However it still didn't work - i have added into the ACL too.

Do I need a return ACL / NAT for it to work?

Georg Pauwen · ‎10-29-2019

How did you configure that NAT ? Post the running config of your ASA and indicate which networks on the Azure side need Internet access through the ASA...

dylan.su18@gmail.com · ‎10-29-2019

object-group network obj-local

network-object 10.0.0.0 255.255.0.0

network-object 106.10.248.151 255.255.255.255

exit

object-group network obj-remote

network-object 10.100.0.0 255.255.0.0

exit

nat (inside,outside-isp1) 1 source static obj-local obj-local destination static obj-remote

----------------------------------

Azure (10.100.0.1) should connect to site to site to reach 106.10.248.151

Georg Pauwen · ‎10-29-2019

Hello,

do you have more than one ISP ? If not, make sure you have:

same-security-traffic permit intra-interface

configured on your ASA...

Otherwise, post the full running config of your ASA...

dylan.su18@gmail.com · ‎10-29-2019

Thanks, i already have both

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

However it is still not working and I have multiple ISPs

Georg Pauwen · ‎10-29-2019

Hello,

post the full running config of your ASA, otherwise it is just guesswork. Is the interface where the VPN terminates the same as the outgoing ISP you want to use for Internet access ?

Georg Pauwen · ‎10-29-2019

Hello,

try the below:

object-group network obj-remote

network-object 10.100.0.0 255.255.0.0
nat (inside,outside-isp1) source dynamic obj-remote

dylan.su18@gmail.com · ‎10-29-2019

@Georg Pauwen wrote:
Hello,

try the below:

object-group network obj-remote
network-object 10.100.0.0 255.255.0.0
nat (inside,outside-isp1) source dynamic obj-remote

done but still not working

dylan.su18@gmail.com · ‎10-29-2019

Is the interface where the VPN terminates the same as the outgoing ISP you want to use for Internet access ?

Yup it is

Georg Pauwen · ‎10-29-2019

Hello,

since the incoming interface is the same as the outgoing, you actually do need hairpinning. Add:

nat (outside-isp2,outside-isp2) source dynamic obj-remote

dylan.su18@gmail.com · ‎10-29-2019

Thanks.

I have added both

nat (inside,outside-isp1) source dynamic obj-remote interface

nat (outside-isp2,outside-isp2) source dynamic obj-remote interface

However, it is still not working..

Georg Pauwen · ‎10-29-2019

Hello,

remove this entry:

nat (inside,outside-isp1) source dynamic obj-remote interface

and just leave the other one in there...

dylan.su18@gmail.com · ‎10-29-2019

nope, still not working.

Georg Pauwen · ‎10-29-2019

Hello,

post the output of:

show xlate

dylan.su18@gmail.com · ‎10-29-2019

NAT from inside:10.0.0.0/16, 106.10.248.151,
106.10.248.151 to outside-isp2:10.0.0.0/16,
106.10.248.151, 106.10.248.151
flags sIT idle 0:00:04 timeout 0:00:00

NAT from outside-isp2:10.100.0.0/17 to inside:10.100.0.0/17
flags sIT idle 0:00:04 timeout 0:00:00

NAT from inside:10.0.0.0/16 to outside-isp1:10.0.0.0/16
flags sIT idle 0:00:16 timeout 0:00:00