08-01-2018 06:44 PM
Hey everyone, was wondering if anyone out there has been able to get this to work? Currently have a site to site route based tunnel from Azure to our on-premise Cisco ASA using a VTI interface. The goal is to route all traffic from Azure through the tunnel and then either a) out to the internet through the ASA or b) continue into the on-premise network.
Originally had a 0.0.0.0/0 route point to Azure's VPN gateway (according to this doc https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm) but after speaking to Azure support they recommended having the next hop point to an on-premise server with IP forwarding enabled. Tried that, didn't work.
I was convinced it was a routing issue on the ASA but running a packet capture on the VTI shows no internet-bound traffic from Azure reaching the interface (any traffic destined to on-premise hosts works fine however).
I guess my question is are there any other troubleshooting steps that I can try to make sure it's not an issue on the ASA and if there's anyone out there who has been able to get this working?
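The Azure-side pieces of the forced-tunneling doc linked above, put together as one script so the user-defined route and the gateway "default site" can be checked against each other. This is an added example, not code from the original poster or from Microsoft's doc; the resource group, VNet, subnet, gateway, local network gateway and NIC names are assumptions. The check at the end reads the effective route table of a VM NIC, which is the fastest way to see whether Azure is actually sending 0.0.0.0/0 to the VirtualNetworkGateway next hop before blaming the ASA.

```powershell
# Assumed resource names (replace with your own).
$rg      = "rg-hybrid"
$loc     = "eastus"
$vnet    = "vnet-prod"
$subnet  = "workloads"
$gwName  = "vnet-prod-gw"     # route-based Azure VPN gateway
$lngName = "lng-hq-asa"       # local network gateway that represents the ASA
$nicName = "vm1-nic"          # a NIC in $subnet used to verify effective routes

# 1. Route table with a default route whose next hop is the VPN gateway.
$rt = New-AzRouteTable -Name "rt-forced-tunnel" -ResourceGroupName $rg -Location $loc
Add-AzRouteConfig -RouteTable $rt -Name "default-to-onprem" `
    -AddressPrefix "0.0.0.0/0" -NextHopType VirtualNetworkGateway | Set-AzRouteTable

# 2. Associate the route table with the workload subnet (keep its existing prefix).
$vn  = Get-AzVirtualNetwork -Name $vnet -ResourceGroupName $rg
$sub = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vn -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vn -Name $subnet `
    -AddressPrefix $sub.AddressPrefix -RouteTable $rt | Out-Null
$vn | Set-AzVirtualNetwork | Out-Null

# 3. Tell the route-based gateway which site receives the default route.
#    Without a default site the gateway has no tunnel to put 0.0.0.0/0 into,
#    so the UDR alone sends Internet-bound traffic nowhere useful.
$lng = Get-AzLocalNetworkGateway   -Name $lngName -ResourceGroupName $rg
$gw  = Get-AzVirtualNetworkGateway -Name $gwName  -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayDefaultSite -VirtualNetworkGateway $gw -GatewayDefaultSite $lng

# 4. Verify: the NIC's effective routes must show 0.0.0.0/0 as an active
#    user route with next hop VirtualNetworkGateway, and the gateway must
#    report the default site. Anything else means the traffic never leaves Azure.
Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains "0.0.0.0/0" } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress

(Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg).GatewayDefaultSite
```

If the effective route shows the system 0.0.0.0/0 route with next hop Internet still Active, the route table is not associated with the subnet the VM lives in. If the user route is there but `GatewayDefaultSite` is empty, step 3 is the missing piece. Only once both look right is a capture on the ASA's VTI a meaningful test.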
08-01-2018 06:57 PM
Have you tried creating a BGP neighbor relationship with your VNet? Then you can advertise your default route via BGP. We have multiple IPsec tunnels where we create a BGP HA mesh with our Azure VNets. We can control what we advertise to them from on-prem, and then from Azure we advertise our VNet IP range and the Azure gateway range as well.
08-02-2018 05:31 AM
Hi, thanks for replying. We haven't tried enabling BGP yet but that is something I'll look into doing right away! Hoping it solves our issues :). I just don't understand why on-prem-bound traffic is captured on the ASA's VTI but internet-bound traffic from Azure is not.. very strange. After asking around a little bit someone else suggested talking to our ISP so I'll give that a shot as well.
08-02-2018 01:46 PM
Azure on-prem networks are built into the IPsec configuration, so it knows that the next hop is your on-prem endpoint. Anything else will be routed through the Azure backbone out to the internet. Hence why you have to try to force the issue.
08-02-2018 02:13 PM
Interesting, so even adding a user-defined route in Azure pointing 0.0.0.0/0 to the VNet VPN gateway still wouldn't be enough to force traffic through the VPN tunnel? That seems to make sense.