1233 Views | 5 Helpful | 4 Replies

Cisco ASA 5512-x Hairpinning Anyconnect Users to Azure VMs

Tim Jeens
Level 1

Hi All,

I have worked through what others have written about hairpinning traffic back out the same interface, but it just doesn't seem to work for me...

Simply put, I am just trying to get my AnyConnect VPN users to connect to some Azure VMs.

I have a site-to-site VPN to Azure, and this stays up and works fine for any internal users.

They cannot ping, Remote Desktop to, or access any web interfaces on the servers.

I have gone a little overboard with the ACLs below, but nothing seems to work, and they are all permits anyway. There is only one deny, and it is at the end of ACL outside_in.

From what I've seen, you can't use packet-tracer to test from a VPN address to a site-to-site address without it complaining (since it wouldn't be encrypted).

And I can't see anything in the logs that looks relevant, but I'm missing something...

Also, I've just seen that AnyConnect users cannot ping each other; not that this is an issue, but it may help with diagnosis?

Hopefully someone can help.

Thanks,

-Tim Jeens

#Pertinent Config

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

ip local pool VPNpool 192.168.100.2-192.168.100.250

#Objects
object network objvpnpool
description Anyconnect VPN users
subnet 192.168.100.0 255.255.255.0

object-group network azure-networks
description Azure-Virtual-Network
network-object 10.0.0.0 255.255.255.0

#Access Lists
access-list outside_in extended permit ip object objvpnpool object-group azure-networks
access-list outside_in extended permit tcp object objvpnpool object-group azure-networks
access-list outside_in extended permit icmp object objvpnpool object-group azure-networks
access-list outside_in extended permit icmp object-group azure-networks object objvpnpool
access-list outside_in extended permit tcp object-group azure-networks object objvpnpool
access-list outside_in extended permit ip object-group azure-networks object objvpnpool

access-list azure-vpn-acl extended permit tcp object objvpnpool object-group azure-networks
access-list azure-vpn-acl extended permit ip object objvpnpool object-group azure-networks
access-list azure-vpn-acl extended permit icmp object objvpnpool object-group azure-networks
access-list azure-vpn-acl extended permit tcp object-group azure-networks object objvpnpool
access-list azure-vpn-acl extended permit ip object-group azure-networks object objvpnpool
access-list azure-vpn-acl extended permit icmp object-group azure-networks object objvpnpool

access-list splittunnel standard permit 192.168.0.0 255.255.240.0 (internal Network)
access-list splittunnel standard permit 10.0.0.0 255.255.255.0 (Azure Network)

#NATing
nat (outside,outside) source static objvpnpool objvpnpool destination static azure-networks azure-networks no-proxy-arp route-lookup
nat (outside,outside) source static azure-networks azure-networks destination static objvpnpool objvpnpool route-lookup

#Crypto Map
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto map azure-crypto-map 1 match address azure-vpn-acl
crypto map azure-crypto-map 1 set peer "IP of Azure Network"
crypto map azure-crypto-map 1 set ikev1 transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
crypto ca trustpoint ASDM_TrustPoint1

4 Replies

Hello,

At first glance it looks like your NAT for the VPN pool is not correct. Try the below:

nat (outside,outside) source static objvpnpool objvpnpool destination static objvpnpool objvpnpool no-proxy-arp route-lookup

If that doesn't work, post the full config...

Kias (Accepted Solution)
Level 1

Hi,

In the site-to-site VPN config of the Azure firewall, is the network objvpnpool added to the VPN encryption domain? Otherwise the Azure FW will not know where to route the traffic of 192.168.100.0/24.

We have implemented a few configs similar to this scenario, and it works.

Regards,

Kias
Fonicom Limited
raiseaticket Malta
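The point of the answer above is that the two ends of the site-to-site tunnel must agree on the encryption domain: the ASA's crypto ACL (azure-vpn-acl) names the local networks it will encrypt towards Azure, and the address prefixes on Azure's local network gateway must cover the same networks, or Azure has no route back for the AnyConnect pool. The following is an added example, not code from this thread, from Cisco or from Azure: a small Python check that parses object, object-group and crypto ACL lines in the form used in the post and reports any source network that the Azure prefix list does not cover. The ASA excerpt (including an assumed inside-net object for the LAN) and the Azure prefix list are constructed samples.

```python
"""Compare the ASA's crypto ACL (what it will encrypt towards Azure) with the
prefixes Azure's local network gateway knows about (the encryption domain).

Hypothetical helper written for this thread, not Cisco or Azure code; the
ASA excerpt and the Azure prefix list below are constructed samples."""
import ipaddress
import re

# Constructed ASA excerpt modelled on the post: the VPN pool object, an
# assumed object for the inside LAN, the Azure object-group and the crypto ACL.
ASA_CONFIG = """
object network objvpnpool
 subnet 192.168.100.0 255.255.255.0
object network inside-net
 subnet 192.168.0.0 255.255.240.0
object-group network azure-networks
 network-object 10.0.0.0 255.255.255.0
access-list azure-vpn-acl extended permit ip object inside-net object-group azure-networks
access-list azure-vpn-acl extended permit ip object objvpnpool object-group azure-networks
crypto map azure-crypto-map 1 match address azure-vpn-acl
"""

# Constructed: the on-premises prefixes configured on Azure's local network
# gateway. As in the thread, only the LAN is listed, not the VPN pool.
AZURE_LOCAL_PREFIXES = ["192.168.0.0/20"]


def parse_objects(config):
    """Map object / object-group names to the networks they contain.

    Understands 'subnet A M', 'network-object A M' and 'network-object object X';
    other member forms (host, range, fqdn) are outside this example."""
    objects = {}
    current = None
    for line in config.splitlines():
        line = line.strip()
        head = re.match(r"object(?:-group)? network (\S+)$", line)
        if head:
            current = head.group(1)
            objects.setdefault(current, [])
            continue
        member = re.match(r"(?:subnet|network-object) (\S+) (\S+)$", line)
        if member and current:
            first, second = member.groups()
            if first == "object":            # nested object reference
                objects[current].extend(objects.get(second, []))
            else:                            # address followed by dotted mask
                objects[current].append(
                    ipaddress.ip_network(f"{first}/{second}", strict=False))
    return objects


def crypto_acl_sources(config, objects):
    """Return the local (source) networks of every ACL bound to a crypto map."""
    acls = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M))
    entry = re.compile(
        r"^access-list (\S+) extended permit \S+ (?:object|object-group) (\S+) ", re.M)
    sources = set()
    for m in entry.finditer(config):
        if m.group(1) in acls:
            sources.update(objects.get(m.group(2), []))
    return sources


def missing_from_encryption_domain(config, azure_prefixes):
    """Networks the ASA will encrypt that no Azure local prefix covers."""
    objects = parse_objects(config)
    remote = [ipaddress.ip_network(p) for p in azure_prefixes]
    missing = [n for n in crypto_acl_sources(config, objects)
               if not any(n.subnet_of(r) for r in remote)]
    return sorted(str(n) for n in missing)


if __name__ == "__main__":
    for net in missing_from_encryption_domain(ASA_CONFIG, AZURE_LOCAL_PREFIXES):
        print(f"{net} is in the crypto ACL but not in Azure's local address prefixes")
```

With the sample data the check reports 192.168.100.0/24, which is exactly the gap the original poster found: the ASA side was ready to encrypt the pool, but the Azure side had only the LAN prefix. Once the pool is added to the Azure prefix list the report is empty.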

So, sheepishly, it turns out you are correct: I needed to add the subnet to the Azure configuration.

It only had my local subnet, and not the VPN users' subnet.

Fortunately, my Cisco config seems to be correct.

Thanks for all your help.

-Tim

Many thanks for your update.

Kias
Fonicom Limited
raiseaticket Malta