11-12-2021 07:01 AM
Hi, I have followed a certain article online on how to configure a S2S VPN from an on-prem Cisco firewall to an Azure environment using route-based (IKEv2) with VTI. After finishing the setup the S2S VPN is working properly, but I cannot find any way to set up my Cisco AnyConnect to access Azure using "hairpin", since there is no connection profile and no crypto maps are created.
Is there another way to let my Cisco AnyConnect users access Azure?
Here is the setup I followed from a blog.
!
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-384 sha-256 sha-1
!
crypto ipsec profile AZURE-PROFILE
 set ikev2 ipsec-proposal AZURE-PROPOSAL
!
interface Tunnel1
 no shutdown
 nameif AZURE-VTI01
 ip address 169.254.225.1 255.255.255.252
 tunnel destination 40.115.49.202
 tunnel source interface outside
 tunnel protection ipsec profile AZURE-PROFILE
 tunnel mode ipsec ipv4
!
group-policy AZURE-GROUP-POLICY internal
group-policy AZURE-GROUP-POLICY attributes
 vpn-tunnel-protocol ikev2
!
tunnel-group 40.115.49.202 type ipsec-l2l
tunnel-group 40.115.49.202 general-attributes
 default-group-policy AZURE-GROUP-POLICY
tunnel-group 40.115.49.202 ipsec-attributes
 peer-id-validate nocheck
 ikev2 local-authentication pre-shared-key supersecretpassword
 ikev2 remote-authentication pre-shared-key supersecretpassword
 isakmp keepalive threshold 10 retry 2
!
route AZURE-VTI01 10.0.0.0 255.255.255.0 169.254.225.2 1
!
crypto ikev2 enable outside
crypto ikev2 notify invalid-selectors
!
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 28800
crypto ikev2 policy 20
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
!
11-12-2021 07:07 AM
@Herald Sison you will need to configure the command same-security-traffic permit intra-interface to allow hairpinning.
If you are using split tunneling you would need to ensure that you are tunneling the Azure networks in the AnyConnect VPN tunnel. Also check NAT to ensure the traffic from the AnyConnect VPN pool is not unintentionally translated.
You would also need to ensure there is a route on the Azure side to route the AnyConnect VPN pool networks via the tunnel.
11-12-2021 11:43 AM
Hi Sir, thank you for your response.
* I have already tried the command same-security-traffic permit intra-interface
* I also tried adding the Azure subnet IPs to the split-tunnel access list:
access-list SPLIT-TUNNEL line 3 permit 10.0.3.0 255.255.255.0
* I also added the Azure subnet IPs to the Cisco AnyConnect VPN local network
* I also added NAT:
nat (outside,outside) source static OBJ-REMOTE-VPN_CLIENTS OBJ-REMOTE-VPN_CLIENTS destination static OBJ-AZURE OBJ-AZURE no-proxy-arp route-lookup
"You would also need to ensure there is a route on the Azure side to route the AnyConnect VPN pool networks via the tunnel." - I have not yet checked this part. Where should I place this config? Is this on the local network gateway or the virtual network gateway?
Do you have a sample configuration for the Cisco and Azure parts, especially without the crypto map and connection profile? I am really new to using route-based (IKEv2).
Thank you so much, sir, I really appreciate it.
11-12-2021 11:52 AM
@Herald Sison your destination interface in the NAT rule is incorrect: the destination interface is the VTI, so you need to use "any", as you cannot specify the VTI interface in a NAT rule.
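Putting the steps from the 07:07 AM reply and the NAT correction from the 11:52 AM reply together, here is an added example ASA configuration for the AnyConnect-to-Azure hairpin. It is not from the thread or from the blog the original poster followed. The object names, the AnyConnect pool 10.10.10.0/24, the group-policy name ANYCONNECT-GROUP-POLICY and the Azure subnet 10.0.3.0/24 (taken from the split-tunnel entry posted above) are assumptions for illustration; the interface names outside and AZURE-VTI01 and the VTI peer address 169.254.225.2 come from the configuration in the first post.

```text
! Added example, not configuration from the thread or the blog.
! Assumed values: pool 10.10.10.0/24, Azure subnet 10.0.3.0/24,
! object and group-policy names below.
!
! 1. Hairpin: AnyConnect traffic enters on "outside" and the VTI is
!    sourced from "outside", so same-interface traffic must be allowed.
same-security-traffic permit intra-interface
!
! 2. Objects for the AnyConnect pool and the Azure subnet (assumed).
object network OBJ-REMOTE-VPN_CLIENTS
 subnet 10.10.10.0 255.255.255.0
object network OBJ-AZURE
 subnet 10.0.3.0 255.255.255.0
!
! 3. Split tunnel: the Azure subnet must be in the tunneled list, or the
!    client sends it out its local gateway instead of across AnyConnect.
access-list SPLIT-TUNNEL standard permit 10.0.3.0 255.255.255.0
group-policy ANYCONNECT-GROUP-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! 4. NAT exemption. The destination interface is the VTI, which cannot
!    be named in a NAT rule, so "any" is used; "route-lookup" makes the
!    egress interface follow the routing table rather than the rule.
nat (outside,any) source static OBJ-REMOTE-VPN_CLIENTS OBJ-REMOTE-VPN_CLIENTS destination static OBJ-AZURE OBJ-AZURE no-proxy-arp route-lookup
!
! 5. Route: the Azure subnet must point at the VTI peer so the
!    hairpinned traffic is forwarded down the tunnel.
route AZURE-VTI01 10.0.3.0 255.255.255.0 169.254.225.2 1
```

Two checks are worth making before testing from a client. First, the static route in the first post covers only 10.0.0.0/24, while the split-tunnel entry posted later names 10.0.3.0/24; if that is the real Azure subnet, hairpinned traffic to it has no route via AZURE-VTI01 and is not forwarded down the tunnel, so the route must cover the subnets actually in use (or the whole VNet prefix), as in the last line above. Second, the Azure-side route asked about in the reply belongs on the Local Network Gateway that represents the ASA: for a route-based connection without BGP, Azure sends traffic through the tunnel only for the prefixes in that object's address space, so the AnyConnect pool (10.10.10.0/24 here) must be added there or Azure has no return path to the clients. On the ASA, show nat detail shows whether the exemption rule is being hit and show route confirms which prefixes point at the VTI.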