Herald Sison

CiscoAnyconnect "HairPin" with S2S VPN RouteBased to Azure

Hi, I have followed a certain article online on how to configure a S2S VPN from an on-prem Cisco firewall to an Azure environment using route-based (IKEv2) with a VTI. After finishing the setup the S2S VPN is working properly, but I cannot find any way to set up my Cisco AnyConnect to access Azure using "hairpin", since there is no connection profile and no crypto maps were created.


Is there another way to let my Cisco AnyConnect users access Azure?


Here is the setup I followed from a blog.


crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-384 sha-256 sha-1
crypto ipsec profile AZURE-PROFILE
 set ikev2 ipsec-proposal AZURE-PROPOSAL
interface Tunnel1
 no shutdown
 nameif AZURE-VTI01
 ip address
 tunnel destination
 tunnel source interface outside
 tunnel protection ipsec profile AZURE-PROFILE
 tunnel mode ipsec ipv4
group-policy AZURE-GROUP-POLICY internal
group-policy AZURE-GROUP-POLICY attributes
 vpn-tunnel-protocol ikev2
tunnel-group type ipsec-l2l
tunnel-group general-attributes
 default-group-policy AZURE-GROUP-POLICY
tunnel-group ipsec-attributes
 peer-id-validate nocheck
 ikev2 local-authentication pre-shared-key supersecretpassword
 ikev2 remote-authentication pre-shared-key supersecretpassword
 isakmp keepalive threshold 10 retry 2
route AZURE-VTI01 1
crypto ikev2 enable outside
crypto ikev2 notify invalid-selectors
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 28800
crypto ikev2 policy 20
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
Rob Ingram
VIP Mentor

@Herald Sison you will need to configure the command same-security-traffic permit intra-interface to allow hairpinning.

If you are using split tunneling, you would need to ensure that you are tunneling the Azure networks in the AnyConnect VPN tunnel. Also check NAT to ensure the traffic from the AnyConnect VPN pool is not unintentionally translated.

You would also need to ensure there is a route on the Azure side to route the AnyConnect VPN pool networks via the tunnel.

Hi Sir, Thank you for your response.

* I have already tried the command same-security-traffic permit intra-interface

* I also tried adding the Azure subnet IPs to the split tunnel access list

access-list SPLIT-TUNNEL line 3 permit

* I also added the Azure subnet IPs to the Cisco AnyConnect VPN local network

* I also added NAT

nat (outside,outside) source static OBJ-REMOTE-VPN_CLIENTS OBJ-REMOTE-VPN_CLIENTS destination static OBJ-AZURE OBJ-AZURE no-proxy-arp


"You would also need to ensure there is a route on the Azure side to route the AnyConnect VPN pool networks via the tunnel." - I have not yet checked this part. Where should I place this config? Is this on the local network gateway or the virtual network gateway?


Do you have a sample configuration for the Cisco and Azure parts? Especially without the crypto map and connection profile. I am really new to using route-based (IKEv2).


Thank you so much, sir, I really appreciate it.


@Herald Sison your destination interface in the NAT rule is incorrect. The destination interface is the VTI, and you need to use "any", as you cannot specify the VTI's interface in a NAT rule.
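The following is an added worked example that pulls together the pieces discussed in both of Rob's replies (hairpin permission, split-tunnel list, NAT exemption with "any" as the destination interface). It is not configuration from the original thread or from the blog the poster followed; it is an illustrative ASA configuration with assumed values: an AnyConnect pool of 192.168.50.0/24, an Azure VNet of 10.10.0.0/16, a group policy named ANYCONNECT-GP, a tunnel group named ANYCONNECT-TG, and the object and ACL names used in the thread (OBJ-REMOTE-VPN_CLIENTS, OBJ-AZURE, SPLIT-TUNNEL). Adjust all of these to match your environment.

```cisco
! Added example (not from the thread). Assumed values: pool 192.168.50.0/24,
! Azure VNet 10.10.0.0/16, group policy ANYCONNECT-GP, tunnel group ANYCONNECT-TG.

! 1. Allow traffic to re-use the interface it came in on (AnyConnect hairpin).
!    Caveat: "outside" and the VTI nameif both default to security-level 0, so
!    traffic between them also needs the inter-interface variant; without it
!    the ASA drops outside -> AZURE-VTI01 flows as an equal-security violation.
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface

! 2. Address pool and objects (assumed values; OBJ-* names match the thread).
ip local pool ANYCONNECT-POOL 192.168.50.10-192.168.50.250 mask 255.255.255.0
object network OBJ-REMOTE-VPN_CLIENTS
 subnet 192.168.50.0 255.255.255.0
object network OBJ-AZURE
 subnet 10.10.0.0 255.255.0.0

! 3. Split tunnel: the Azure prefix must be in the list or the client sends
!    Azure-bound packets to its local default gateway instead of the tunnel.
access-list SPLIT-TUNNEL standard permit 10.10.0.0 255.255.0.0
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP

! 4. NAT exemption. Ingress is "outside" (where AnyConnect terminates); the
!    egress interface is the VTI, which cannot be named in a NAT rule, so use
!    "any" and let route-lookup pick AZURE-VTI01 from the routing table.
!    Without this rule an existing dynamic PAT on outside would rewrite the
!    pool source to the outside address and Azure would never see the pool.
nat (outside,any) source static OBJ-REMOTE-VPN_CLIENTS OBJ-REMOTE-VPN_CLIENTS destination static OBJ-AZURE OBJ-AZURE no-proxy-arp route-lookup

! 5. Checks: confirm the Azure prefix routes to the VTI, that the NAT rule
!    is hit, and trace a decrypted client packet end to end.
show route | include 10.10.0.0
show nat detail | include OBJ-REMOTE-VPN_CLIENTS
packet-tracer input outside tcp 192.168.50.20 40000 10.10.1.4 443 decrypted detailed
show crypto ipsec sa | include local crypto endpt|#pkts
```

The Azure-side route Rob mentions lives on the Local Network Gateway, not the Virtual Network Gateway: the Local Network Gateway's address space is the list of on-premises prefixes Azure will send down the tunnel, so the AnyConnect pool (192.168.50.0/24 in this example) has to be added there alongside the on-prem LAN prefixes, for instance with az network local-gateway update --local-address-prefixes listing every prefix (names and prefixes are assumptions for this example). In the packet-tracer output, look for the NAT phase to match the exemption rule and the egress interface to be AZURE-VTI01; if the exemption is absent the trace will show the dynamic PAT rule translating the source, and if the route is missing the packet will egress "outside" in the clear.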
