CiscoAnyconnect "HairPin" with S2S VPN RouteBased to Azure

Herald Sison
Level 3

Hi, I have followed a certain article online on how to configure a S2S VPN from an on-prem Cisco firewall to an Azure environment using route-based (IKEv2) with a VTI. After finishing the setup the S2S VPN is working properly, but I cannot find any way to set up my Cisco AnyConnect to access Azure using "hairpin", since there is no connection profile and no crypto maps are created.

Is there another way to let my Cisco AnyConnect users access Azure?

Here is the setup I followed from a blog.

 

!
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-384 sha-256 sha-1
!
crypto ipsec profile AZURE-PROFILE
set ikev2 ipsec-proposal AZURE-PROPOSAL
!
interface Tunnel1
no shutdown
nameif AZURE-VTI01
ip address 169.254.225.1 255.255.255.252
tunnel destination 40.115.49.202
tunnel source interface outside
tunnel protection ipsec profile AZURE-PROFILE
tunnel mode ipsec ipv4
!
group-policy AZURE-GROUP-POLICY internal
group-policy AZURE-GROUP-POLICY attributes
vpn-tunnel-protocol ikev2
!
tunnel-group 40.115.49.202 type ipsec-l2l
tunnel-group 40.115.49.202 general-attributes
default-group-policy AZURE-GROUP-POLICY
tunnel-group 40.115.49.202 ipsec-attributes
peer-id-validate nocheck
ikev2 local-authentication pre-shared-key supersecretpassword
ikev2 remote-authentication pre-shared-key supersecretpassword
isakmp keepalive threshold 10 retry 2
!
route AZURE-VTI01 10.0.0.0 255.255.255.0 169.254.225.2 1
!
crypto ikev2 enable outside
crypto ikev2 notify invalid-selectors
!
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
!
crypto ikev2 policy 10
  encryption aes-256
  integrity sha256
  group 2
  prf sha
  lifetime seconds 28800
crypto ikev2 policy 20
  encryption aes-256
  integrity sha
  group 2
  prf sha
  lifetime seconds 28800
!
3 Replies

@Herald Sison You will need to configure the command same-security-traffic permit intra-interface to allow hairpinning.

If you are using split tunneling you would need to ensure that you are tunneling the Azure networks in the AnyConnect VPN tunnel. Also check NAT to ensure the traffic from the AnyConnect VPN pool is not unintentionally translated.

You would also need to ensure there is a route on the Azure side to route the AnyConnect VPN pool networks via the tunnel.

Hi Sir, thank you for your response.

* I have already tried the command same-security-traffic permit intra-interface.

* I also tried adding the Azure subnet IPs to the split-tunnel access list:

access-list SPLIT-TUNNEL line 3 permit 10.0.3.0 255.255.255.0

* I also added the Azure subnet IPs to the Cisco AnyConnect VPN local network.

* I also added NAT:

nat (outside,outside) source static OBJ-REMOTE-VPN_CLIENTS OBJ-REMOTE-VPN_CLIENTS destination static OBJ-AZURE OBJ-AZURE no-proxy-arp route-lookup

"You would also need to ensure there is a route on the Azure side to route the AnyConnect VPN pool networks via the tunnel." - I have not yet checked this part. Where should I place this config? Is this on the local network gateway or the virtual network gateway?

Do you have a sample configuration for the Cisco and Azure parts, especially without the crypto map and connection profile? I am really new to using route-based (IKEv2).

Thank you so much, Sir, I really appreciate it.

 

@Herald Sison Your destination interface in the NAT rule is incorrect: the destination interface is the VTI, and you need to use "any" because you cannot specify the VTI interface in a NAT rule.
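A consolidated ASA configuration for the hairpin, added here as an example; it is not taken from the thread or from the blog the original post cites. It ties together the pieces discussed in the replies above: the intra-interface permit, a split-tunnel ACL that covers the Azure prefix, the identity NAT with "any" as the destination interface, and the static route into the VTI. The AnyConnect pool (192.168.100.0/24), the pool and group-policy names, and the object contents are assumptions; the Azure prefix 10.0.0.0/24, the VTI name AZURE-VTI01 and the object names OBJ-REMOTE-VPN_CLIENTS and OBJ-AZURE are taken from the posts above.

```text
! Added example, not from the thread. Items marked ASSUMED are placeholders;
! adjust them to the real deployment.
!
! AnyConnect sessions and the VTI both terminate on "outside", so traffic
! must be allowed to enter and leave the same interface (hairpinning).
same-security-traffic permit intra-interface
!
! AnyConnect address pool (ASSUMED name and range)
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
object network OBJ-REMOTE-VPN_CLIENTS
 subnet 192.168.100.0 255.255.255.0
object network OBJ-AZURE
 subnet 10.0.0.0 255.255.255.0
!
! With split tunneling the Azure prefix has to be in the split-tunnel list,
! otherwise the client sends Azure traffic out of its local adapter.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Identity NAT so pool traffic keeps its source address into the Azure tunnel.
! The destination interface is "any": a VTI cannot be named in a NAT rule,
! and (outside,outside) does not match flows that egress the VTI.
nat (outside,any) source static OBJ-REMOTE-VPN_CLIENTS OBJ-REMOTE-VPN_CLIENTS destination static OBJ-AZURE OBJ-AZURE no-proxy-arp route-lookup
!
! Route the Azure prefix into the VTI (same route as in the original post)
route AZURE-VTI01 10.0.0.0 255.255.255.0 169.254.225.2 1
```

On the Azure side, the address space of the Local Network Gateway (the object that represents the on-premises site) must include the AnyConnect pool prefix, since that address space is what the Azure VPN gateway uses as its return routes through the tunnel; nothing needs to change on the Virtual Network Gateway itself. A quick on-box check on the ASA is packet-tracer input outside tcp 192.168.100.10 12345 10.0.0.10 443: the output should show the flow leaving via AZURE-VTI01 with the identity NAT rule matched and no address translation applied.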