OnPrem reachability issue from Azure-ASAv AnyConnect network

SatishJ11
Level 1

Hi All,

Recently I migrated a physical ASA firewall to an ASAv on Azure; however, I'm facing challenges reaching the OnPrem network after connecting with AnyConnect.

As a temporary fix, the NAT below has been added so that all the AnyConnect traffic goes via the firewall Internal network, but the problem is that when more users are connected to the VPN I am not able to SSH to the firewall to make any changes.

nat (Outside,Internal) source dynamic Anyconnect_Pool interface

ASA Version 9.19(1)22

Does anyone have a solution for this?

Accepted Solution

Those default routes seem to have different metrics, one with 50 and another with 2, so the one with 50 wouldn't be used until the one with 2 fails.


17 Replies

balaji.bandi
Hall of Fame

"However I'm facing challenges to reach OnPrem network after connecting AnyConnect."

How is your connection agreement between Azure and the on-prem network: VPN, ExpressRoute, etc.?

Make sure you have an ACL allowing the traffic coming from the Azure network IP (VPN IP address range) to your on-prem network on your perimeter FW or router.

If they are in the same zone: same-security-traffic permit intra-interface

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

The connection agreement between Azure and the on-prem network is via peering.

"If they are in the same zone - same-security-traffic permit intra-interface" --> Yes, this command is already applied.

Check the example below; make sure you create an object group adding the subnets:

https://docs.macstadium.com/docs/azure-preparing-the-vpn-configuration-for-input-into-cisco-asaasav

BB


How are your on-prem networks reachable from the ASAv? Are they reachable out of the internal or the outside interface? Based on your description of the issue, it could be caused by a wrong NAT rule, or maybe by a missing route from your on-prem devices. For AnyConnect endpoints to be able to connect to your on-prem network sourcing from their original IP addresses, an identity NAT rule should be configured on the ASAv to keep both the source and destination IP addresses as they are; that rule should be placed above any other NAT rule that would affect this traffic flow. If that is not the issue, then probably AnyConnect traffic makes it to the on-prem networks but maybe there is no route in place from on-prem to send the traffic back to the AnyConnect endpoints via the ASAv.

"How are your on-prem networks reachable from the ASAv? Are they reachable out of the internal or the outside interface?"
--- I can reach them from Internal.

Could you please review the config and let me know the changes.

Interface           Name     IP address     Subnet mask     Method
GigabitEthernet0/0  Transit  10.213.101.4   255.255.255.0   DHCP
Management0/0       Outside  10.213.100.4   255.255.255.0   DHCP


ip local pool ClientPool 10.213.102.5-10.213.102.200 mask 255.255.255.0

!
interface GigabitEthernet0/0
 nameif Transit
 security-level 100
 ip address dhcp setroute
!

interface Management0/0
 no management-only
 nameif Outside
 security-level 0
 ip address dhcp setroute
!

dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 168.63.129.16
same-security-traffic permit intra-interface

object network AnyConnect_PAT
 subnet 10.213.102.0 255.255.255.0

access-group Transit_access_in in interface Transit
access-group Outside_access_in in interface Outside

access-list Transit_access_in extended permit ip any any
access-list Outside_access_in extended permit ip any any

access-list OnPrem standard permit host 0.0.0.0
access-list OnPrem standard permit 10.0.0.0 255.0.0.0

object network AnyConnect_PAT
 nat (Outside,Outside) dynamic interface

route Outside 0.0.0.0 0.0.0.0 10.213.100.1 1
route Transit 10.0.0.0 255.0.0.0 10.213.101.1 1

webvpn
 enable Outside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/cisco-secure-client-win-5.1.0.136-webdeploy-k9.pkg 1
 anyconnect profiles ClientProfile disk0:/Anyconnect_client_profile.xml
 anyconnect enable
 cache
  disable
 error-recovery disable

group-policy GroupPolicy_ClientVPN internal
group-policy GroupPolicy_ClientVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value OnPrem
 webvpn
  anyconnect profiles value ClientProfile type user
dynamic-access-policy-record DfltAccessPolicy
username ******* password ***** pbkdf2 privilege 15

service-type remote-access
tunnel-group ClientVPN type remote-access
tunnel-group ClientVPN general-attributes
 address-pool ClientPool
 default-group-policy GroupPolicy_ClientVPN
tunnel-group ClientVPN webvpn-attributes
 group-alias ClientVPN enable
 group-url https://A.B.C.D enable

Firstly, I would highly recommend removing the permit ip any any that you applied to the Outside interface.

For AnyConnect to be able to reach the Azure subnet, try this please:

object network Azure
 subnet <Azure Subnet ID> <Azure Subnet Mask>

nat (Transit,Outside) source static Azure Azure destination static AnyConnect_PAT AnyConnect_PAT no-proxy-arp route-lookup

Also, you would need to ensure that Azure has a route back to the AnyConnect pool via the same path, which should hit back the ASAv.
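The two replies above (the identity NAT explanation and the concrete `nat (Transit,Outside) source static ... destination static ...` rule) both hinge on rule order: ASA tries manual NAT rules top-down and the first match wins, so an identity rule placed below a dynamic PAT that also covers the pool never gets a chance. The following script is an added example, not configuration from the thread or Cisco code: a deliberately simplified first-match model of that processing (manual rules first, then object NAT; static rules matched in both directions, dynamic rules in one), populated with the interface names, pool and addresses from the posted config. It assumes the "Azure" object stands for the prefixes reached out of Transit (10.0.0.0/8, per the posted static route) and that the OP's temporary PAT rule targeted the interface the config names "Transit"; egress interface is supplied directly rather than derived from routing.

```python
"""Toy first-match model of ASA NAT ordering (added example, not ASA code).

Simplifications: section 1 (manual) rules are evaluated top-down, then the
section 2 (object) rule; static rules are bidirectional, dynamic ones are not;
the egress interface is given instead of being looked up in the route table.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Interface addresses from the "show interface" table in the thread.
INTERFACE_IP = {
    "Transit": IPv4Address("10.213.101.4"),
    "Outside": IPv4Address("10.213.100.4"),
}


@dataclass(frozen=True)
class NatRule:
    text: str            # the CLI line the rule stands for
    real_if: str         # first interface in "nat (real,mapped)"
    mapped_if: str       # second interface in "nat (real,mapped)"
    src: IPv4Network     # real source network the rule matches
    dst: IPv4Network     # real destination network the rule matches
    dynamic: bool        # True: PAT to the egress interface IP; False: static identity

    def matches(self, in_if, out_if, src_ip, dst_ip):
        # Forward direction: the packet enters on the real interface.
        if (in_if, out_if) == (self.real_if, self.mapped_if):
            return src_ip in self.src and dst_ip in self.dst
        # Static (identity) rules also match the reverse direction.
        if not self.dynamic and (in_if, out_if) == (self.mapped_if, self.real_if):
            return src_ip in self.dst and dst_ip in self.src
        return False


def translate(rules, in_if, out_if, src_ip, dst_ip):
    """Return (matched rule text, translated source) for the first matching rule.

    With no match the source address is left untouched.
    """
    src_ip, dst_ip = IPv4Address(src_ip), IPv4Address(dst_ip)
    for rule in rules:
        if rule.matches(in_if, out_if, src_ip, dst_ip):
            new_src = INTERFACE_IP[out_if] if rule.dynamic else src_ip
            return rule.text, str(new_src)
    return None, str(src_ip)


POOL = IPv4Network("10.213.102.0/24")   # AnyConnect_PAT object in the posted config
ONPREM = IPv4Network("10.0.0.0/8")     # assumption: what the "Azure" object covers (routed out of Transit)
ANY = IPv4Network("0.0.0.0/0")

# Identity rule suggested in the thread: Azure/on-prem <-> AnyConnect pool, addresses untouched.
IDENTITY = NatRule(
    "nat (Transit,Outside) source static Azure Azure destination static AnyConnect_PAT AnyConnect_PAT",
    "Transit", "Outside", ONPREM, POOL, dynamic=False)

# The OP's temporary fix: PAT every pool address to the inside-facing interface.
# (The OP wrote "Internal"; the posted config names that interface "Transit" - assumption.)
TEMP_PAT = NatRule(
    "nat (Outside,Transit) source dynamic Anyconnect_Pool interface",
    "Outside", "Transit", POOL, ANY, dynamic=True)

# Object NAT hairpin from the posted config (section 2, so always evaluated last).
HAIRPIN = NatRule(
    "object network AnyConnect_PAT / nat (Outside,Outside) dynamic interface",
    "Outside", "Outside", POOL, ANY, dynamic=True)

FLOW_TO_ONPREM = ("Outside", "Transit", "10.213.102.5", "10.1.2.3")   # constructed test flow
FLOW_TO_INTERNET = ("Outside", "Outside", "10.213.102.5", "8.8.8.8")  # constructed test flow


def good_order():
    """Identity rule above the PAT: pool -> on-prem keeps its real source address."""
    return translate([IDENTITY, TEMP_PAT, HAIRPIN], *FLOW_TO_ONPREM)


def bad_order():
    """PAT rule above the identity: the same flow is hidden behind the Transit interface IP."""
    return translate([TEMP_PAT, IDENTITY, HAIRPIN], *FLOW_TO_ONPREM)


def internet_flow():
    """Pool -> internet hairpins on Outside; only the object NAT rule matches it."""
    return translate([IDENTITY, TEMP_PAT, HAIRPIN], *FLOW_TO_INTERNET)


if __name__ == "__main__":
    print("identity above PAT :", good_order())
    print("PAT above identity :", bad_order())
    print("internet (hairpin) :", internet_flow())
```

Running it shows the three outcomes discussed in the thread: with the identity rule first the on-prem flow leaves as 10.213.102.5, with the dynamic PAT first it leaves as 10.213.101.4 (so on-prem devices never see pool addresses), and internet traffic is still handled by the hairpin object NAT, which is why deleting that rule costs the clients their internet access.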

Deleted the any any under Outside and the NAT below as well.

object network AnyConnect_PAT
nat (Outside,Outside) dynamic interface

And added the NAT suggested, but no luck.

When I had done the above changes I lost Internet access on the VPN-connected client, and in the task bar I am seeing the globe icon.

You shouldn't delete the NAT rule in your last post, as that is the one that allows AnyConnect clients to connect to the internet; it is the hairpinning NAT rule. Please try to keep that NAT rule and the one I suggested and see if it works.

object network AnyConnect_PAT
nat (Outside,Outside) dynamic interface

Added the above routes and then the Internet access is back; however, I still have a problem reaching my OnPrem network after connecting to the AnyConnect VPN.

Did you check whether Azure has a route back to the AnyConnect pool via the same path, which should hit back the ASAv?

Thanks, let me cross check again with my Azure team and get back to you.

Routes are already there, still the same problem.

OK, could you please run a packet capture on the "Transit" interface with the source being the test AnyConnect IP and the destination something in Azure, as well as the other way around, generate some traffic, and share the output for review?

I could notice one more issue, with route 0.0.0.0 pointing towards the local gateway and towards another IP as well.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.10.1      172.20.10.9     50
          0.0.0.0          0.0.0.0     10.213.102.1     10.213.102.5      2
     10.213.102.0    255.255.255.0         On-link      10.213.102.5    257

I will get the requested data soon.
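The accepted solution turns on how the client picks between the two default routes in the table above: longest prefix first, and among equal prefixes the lowest metric, so the metric-50 default via 172.20.10.1 is idle as long as the metric-2 default on the VPN adapter exists. The script below is an added example, not part of the thread: it parses `route print`-style rows (the rows are copied from the post; the test destinations are constructed) and selects the route Windows would use, then drops the VPN adapter's routes to show the fallback. The adapter is identified by its interface address 10.213.102.5, which is an assumption drawn from the posted rows.

```python
"""Route selection over a Windows 'route print' table (added example, not thread code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Rows copied from the route table posted in the thread.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.10.1      172.20.10.9     50
          0.0.0.0          0.0.0.0     10.213.102.1     10.213.102.5      2
     10.213.102.0    255.255.255.0         On-link      10.213.102.5    257
"""


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    gateway: str           # next-hop address, or "On-link" for directly connected
    interface: IPv4Address
    metric: int


def parse_routes(text):
    """Parse the five-column 'Active Routes' rows; header and other lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        network = IPv4Network(f"{dest}/{mask}", strict=False)  # dotted netmask is accepted
        routes.append(Route(network, gateway, IPv4Address(iface), int(metric)))
    return routes


def best_route(routes, destination):
    """Longest matching prefix wins; among equal prefixes the lowest metric wins."""
    dst = IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes, destination):
    """Convenience view of the chosen route as (gateway, interface, metric)."""
    route = best_route(routes, destination)
    return None if route is None else (route.gateway, str(route.interface), route.metric)


def without_interface(routes, interface):
    """Simulate the VPN adapter going away: drop every route bound to its address."""
    return [r for r in routes if str(r.interface) != interface]


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    print("10.1.2.3 (on-prem)      ->", next_hop(table, "10.1.2.3"))
    print("10.213.102.7 (pool)     ->", next_hop(table, "10.213.102.7"))
    vpn_down = without_interface(table, "10.213.102.5")
    print("10.1.2.3, VPN down      ->", next_hop(vpn_down, "10.1.2.3"))
```

With the table as posted, an on-prem destination is sent to 10.213.102.1 through the VPN adapter (metric 2); a pool address is reached on-link because the /24 is a longer match than either default; and only once the adapter's routes are gone does the metric-50 default via 172.20.10.1 take over, which is exactly the behaviour the accepted solution describes.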