Question on ASA to Azure IPsec and Why...

PJ123
Level 1

Hello Everyone,

I just fixed a problem that has been quite the issue for weeks; I think I understand why, but if someone could explain it a bit more for me if I'm wrong, I would greatly appreciate it.

Basically, we have a S2S tunnel to Azure from an ASA FP1000 Series (in ASA mode). The tunnel was up, but no internal traffic to any of the Azure VMs (servers) would pass. I finally fixed it by adding a NAT rule (inside, outside) -> Azure subnet.

My question is, if NAT, in this case, needs to be exempt for the S2S, why did I need to create that NAT rule?

I understand that for 8.2 and below I would have to do a NO-NAT, but I'm not so sure for this issue.

I THINK it's because after the tunnel is established, I still needed a NAT for the Inside Network Subnet to translate to the Inside Azure Network Subnet.....is that accurate and true?

Thank You Very Much for any insight....

PJ

2 Replies

ccieexpert
Level 1

It all depends on what the interesting traffic for the VPN was, i.e. the source subnet on the FP/ASA side. It's possible it was the NATed subnet.

The right way to configure it is to use no-NAT for the VPN traffic so that bi-directional traffic is possible. Please take a look at these samples.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-cisco-asa

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214230-configure-policy-based-and-route-based-v.html
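As an added illustration of the "no-NAT" the reply refers to (this is not configuration from the original post or from the linked Microsoft/Cisco documents): on ASA 8.3 and later, an object NAT rule such as `nat (inside,outside) dynamic interface` lives in NAT section 2 and will PAT every inside host to the outside interface address, tunnel-bound traffic included. The translated source then no longer matches the crypto ACL on the ASA or the traffic selector Azure negotiated, so the tunnel comes up but nothing passes. The fix is a manual identity (twice) NAT rule in section 1, which is evaluated first and keeps the real source address for traffic destined to the Azure address space. Subnet values and object names below are assumptions chosen for the example.

```cisco
! Address objects (values are assumptions for this example)
object network LOCAL-LAN
 subnet 10.10.0.0 255.255.0.0
object network AZURE-VNET
 subnet 10.20.0.0 255.255.0.0

! Typical Internet PAT (object NAT, section 2). On its own this also
! translates traffic headed for Azure, which is the symptom described above.
object network LOCAL-LAN
 nat (inside,outside) dynamic interface

! NAT exemption: identity twice-NAT in section 1, evaluated before the PAT.
! Traffic from LOCAL-LAN to AZURE-VNET keeps its real source and destination.
! no-proxy-arp and route-lookup avoid the ASA answering ARP for the Azure
! range and force a routing decision for the egress interface.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static AZURE-VNET AZURE-VNET no-proxy-arp route-lookup

! Policy-based crypto ACL must match the un-translated addresses
access-list AZURE-VPN-ACL extended permit ip object LOCAL-LAN object AZURE-VNET

! Verification: confirm the identity rule is hit and the packet is
! encrypted rather than PAT'd (hosts and ports are example values)
! show nat detail
! packet-tracer input inside tcp 10.10.1.10 12345 10.20.1.10 443 detailed
! show crypto ipsec sa
```

In `packet-tracer` output the NAT phase should show the section 1 identity rule being matched and the final phases should show the packet being sent into the IPsec tunnel; if the PAT rule is matched instead, the exemption is missing or ordered after a more specific manual rule. With a route-based VPN (VTI), the interface pair in the exemption is `(inside,<tunnel-interface-name>)` rather than `(inside,outside)`, so the same rule is written against the tunnel interface.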

Technoxi

Do you run a route-based S2S VPN?

MHM