Force tunneling Azure traffic through on-prem ASA5525

johnplizarazo
Level 1

Hello, I'm looking for assistance in routing traffic from our Azure environment through our on-prem ASA5525 and then out to the internet or to other internal hosts. I currently have a VPN tunnel working, so pinging between any hosts on Azure and on-prem is successful; however, when I route all Azure hosts' traffic (not just our on-prem subnet) to Azure's VPN gateway and then to our ASA5525, there is no internet connection on the Azure host (whereas if I leave the default route to exit Azure's local internet gateway, there is an internet connection).

 

I'm not sure what configuration change needs to be made as there is a default route on the ASA5525 to exit its outside interface. I thought that when Azure traffic would hit the ASA5525, it would route right back out the local outside interface. Am I missing something?

 

Any help would be appreciated, thanks!

1 Reply

Francesco Molino
VIP Alumni

Hi Johnplizarazo

 

First, I'm not very familiar with Azure, more with AWS...

Then I would ask what type of VPN do you have? Policy-based VPN or route-based VPN?

 

On a route-based VPN, you can add a default route going through the tunnel interface.

On a policy-based VPN, you have to do a full tunnel, which means on your crypto ACL you need to add the 0.0.0.0/0 statement.

 

Then for both of them, the traffic arrives on the outside interface, and I bet you're using the same interface to access the Internet, am I right?

If so, you need to allow traffic coming in and going out the same interface using the command same-security-traffic permit intra-interface. Then you'll need to NAT this traffic, and for this you'll need to do a U-turn NAT config. Afterwards, adapt your ACLs if needed to allow them to access the Internet.

 

After these changes on your ASA, you'll be able to access the Internet from Azure.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
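The ASA-side pieces the reply lists (full-tunnel crypto ACL, intra-interface permit, U-turn NAT), written out as an added example for the policy-based crypto-map case; this is not configuration from the thread or from Cisco, and the Azure VNet prefix 10.1.0.0/16, on-prem LAN 192.168.10.0/24, interface names "outside"/"inside", and object/ACL names are constructed assumptions.

```cisco
! Constructed addressing: Azure VNet 10.1.0.0/16, on-prem LAN 192.168.10.0/24
object network AZURE-VNET
 subnet 10.1.0.0 255.255.0.0
object network ONPREM-LAN
 subnet 192.168.10.0 255.255.255.0

! Policy-based (crypto map) full tunnel: the local side of the crypto ACL must
! cover 0.0.0.0/0 so Azure-sourced traffic to any destination is accepted into
! the tunnel. The Azure side must still send that traffic here (UDR 0.0.0.0/0 ->
! virtual network gateway), which is what the asker already changed.
access-list AZURE-CRYPTO extended permit ip any 10.1.0.0 255.255.0.0

! Decrypted Azure traffic enters on "outside" and must leave on "outside" again
! to reach the Internet; by default the ASA drops same-interface forwarding.
same-security-traffic permit intra-interface

! Manual NAT rules are matched top-down, and the mapped interface of a matching
! rule decides the egress interface. The identity (no-NAT) rule for Azure <->
! on-prem therefore has to come BEFORE the U-turn PAT rule, otherwise Azure
! traffic to the LAN would be translated and sent back out "outside".
nat (outside,inside) source static AZURE-VNET AZURE-VNET destination static ONPREM-LAN ONPREM-LAN no-proxy-arp route-lookup

! U-turn NAT: Azure sources arriving on "outside" and routed back out "outside"
! are PAT'd to the outside interface address, just like inside hosts.
nat (outside,outside) source dynamic AZURE-VNET interface

! ACL note: with the default "sysopt connection permit-vpn", decrypted VPN
! traffic bypasses the outside interface ACL. If that default has been turned
! off, the outside ACL must also permit the Azure prefix, e.g.:
! access-list OUTSIDE-IN extended permit ip object AZURE-VNET any
```

After applying, `packet-tracer input outside tcp 10.1.0.4 12345 198.51.100.1 443` (constructed addresses) shows whether the flow hits the intra-interface check, the U-turn NAT rule and the ACL as expected, and `show nat` confirms the rule order.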