09-26-2017 09:44 AM - edited 03-08-2019 12:10 PM
Hi All,
I have worked through what others have written about hairpinning traffic back out the same interface, but it just doesn't seem to work for me...
Simply put, I am just trying to get my AnyConnect VPN users to connect to some Azure VMs.
I have a site-to-site VPN to Azure, and this stays up and works fine for any internal users.
They cannot Ping, Remote Desktop or access any web interfaces on the servers.
I have gone a little overboard with the ACLs below, but nothing seems to work, and they are all permits anyway. There is only one deny, and it is at the end of ACL outside_in.
From what I've seen, you can't use packet-tracer to test from a VPN address to a site-to-site address without it complaining (since it wouldn't be encrypted).
And I can't see anything in the logs that looks relevant, but I'm missing something...
Also, I've just seen that AnyConnect users cannot ping each other; not that this is an issue, but it may help with diagnosis?
Hopefully someone can help.
Thanks,
-Tim Jeens
#Pertinent Config
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
ip local pool VPNpool 192.168.100.2-192.168.100.250
#Objects
object network objvpnpool
description Anyconnect VPN users
subnet 192.168.100.0 255.255.255.0
object-group network azure-networks
description Azure-Virtual-Network
network-object 10.0.0.0 255.255.255.0
#Access Lists
access-list outside_in extended permit ip object objvpnpool object-group azure-networks
access-list outside_in extended permit tcp object objvpnpool object-group azure-networks
access-list outside_in extended permit icmp object objvpnpool object-group azure-networks
access-list outside_in extended permit icmp object-group azure-networks object objvpnpool
access-list outside_in extended permit tcp object-group azure-networks object objvpnpool
access-list outside_in extended permit ip object-group azure-networks object objvpnpool
access-list azure-vpn-acl extended permit tcp object objvpnpool object-group azure-networks
access-list azure-vpn-acl extended permit ip object objvpnpool object-group azure-networks
access-list azure-vpn-acl extended permit icmp object objvpnpool object-group azure-networks
access-list azure-vpn-acl extended permit tcp object-group azure-networks object objvpnpool
access-list azure-vpn-acl extended permit ip object-group azure-networks object objvpnpool
access-list azure-vpn-acl extended permit icmp object-group azure-networks object objvpnpool
access-list splittunnel standard permit 192.168.0.0 255.255.240.0 (internal Network)
access-list splittunnel standard permit 10.0.0.0 255.255.255.0 (Azure Network)
#NATing
nat (outside,outside) source static objvpnpool objvpnpool destination static azure-networks azure-networks no-proxy-arp route-lookup
nat (outside,outside) source static azure-networks azure-networks destination static objvpnpool objvpnpool route-lookup
#Crypto Map
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto map azure-crypto-map 1 match address azure-vpn-acl
crypto map azure-crypto-map 1 set peer "IP of Azure Network"
crypto map azure-crypto-map 1 set ikev1 transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
crypto ca trustpoint ASDM_TrustPoint1
09-26-2017 10:52 AM
Hello,
At first glance it looks like your NAT for the VPN pool is not correct. Try the below:
nat (outside,outside) source static objvpnpool objvpnpool destination static objvpnpool objvpnpool no-proxy-arp route-lookup
If that doesn't work, post the full config...
09-27-2017 09:16 AM
Hi,
In the site-to-site VPN config of the Azure firewall, is the network objvpnpool added to the VPN encryption domain? Otherwise the Azure FW will not know where to route the traffic of 192.168.100.0/24.
We have implemented a few configs similar to this scenario, and it works.
Regards,
Kias
10-03-2017 03:19 AM
So, sheepishly, it turns out you are correct, I needed to add the subnet to the Azure configuration.
It only had my local subnet, and not the VPN users subnet.
Fortunately, my Cisco config seems to be correct.
Thanks for all your help.
-Tim
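A check for the mismatch Kias pointed out and Tim confirmed, added here as an example and not code from the thread: it derives the ASA's encryption domain from the crypto-map ACL in a constructed excerpt of Tim's config (object and ACL names as posted) and compares it against assumed Azure-side selectors that, as in the thread, list only the on-premises LAN and not the VPN pool.

```python
import ipaddress
import re

# Constructed excerpt of the ASA config posted in the thread (object and ACL
# names as in the original post); the check only needs these lines.
ASA_CONFIG = """
object network objvpnpool
 subnet 192.168.100.0 255.255.255.0
object-group network azure-networks
 network-object 10.0.0.0 255.255.255.0
access-list azure-vpn-acl extended permit ip object objvpnpool object-group azure-networks
crypto map azure-crypto-map 1 match address azure-vpn-acl
"""
# Assumed Azure-side selectors (not from the thread): the local network gateway
# lists only the on-premises LAN, which is the gap the thread ends up finding.
AZURE_ONPREM_ADDRESS_SPACE = ["192.168.0.0/20"]
AZURE_VNET_ADDRESS_SPACE = ["10.0.0.0/24"]

def parse_objects(cfg):
    """Map each network object / object-group name to its subnets."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        head = re.match(r"object(?:-group)? network (\S+)", line)
        body = re.match(r"\s+(?:subnet|network-object) (\S+) (\S+)", line)
        if head:
            cur = head.group(1)
            objs[cur] = []
        elif body and cur:
            objs[cur].append(ipaddress.ip_network(f"{body.group(1)}/{body.group(2)}"))
    return objs

def encryption_domain(cfg, crypto_map):
    """(local, remote) subnets of a crypto map from its match ACL: in an ASA
    crypto ACL the source side is local, the destination side remote ('permit ip' ACEs only)."""
    acl = re.search(rf"crypto map {crypto_map} \d+ match address (\S+)", cfg).group(1)
    objs, local, remote = parse_objects(cfg), set(), set()
    ace = rf"access-list {acl} extended permit ip (?:object|object-group) (\S+) (?:object|object-group) (\S+)"
    for m in re.finditer(ace, cfg):
        local.update(objs[m.group(1)])
        remote.update(objs[m.group(2)])
    return local, remote

def uncovered(subnets, selectors):
    """Subnets not contained in any of the peer's selectors (given as CIDR strings)."""
    sel = [ipaddress.ip_network(t) for t in selectors]
    return {s for s in subnets if not any(s.subnet_of(t) for t in sel)}

def check_peer_selectors(cfg, crypto_map, peer_onprem, peer_vnet):
    """ASA-side prefixes the Azure peer would neither negotiate nor route back over the tunnel."""
    local, remote = encryption_domain(cfg, crypto_map)
    return {"local_missing_on_peer": sorted(str(s) for s in uncovered(local, peer_onprem)),
            "remote_missing_on_peer": sorted(str(s) for s in uncovered(remote, peer_vnet))}
```

Running it against the constructed excerpt reports 192.168.100.0/24 as missing on the Azure side, the same gap Tim closed by adding the VPN pool subnet to the Azure configuration.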