Routing Cisco VPN and Azure Private Endpoint

TU-Auxis
Level 1

Hi, we recently added Azure vNETs and infrastructure across an Azure Express Route. We have also deployed Azure File Shares, integrated them into Active Directory and created Private Endpoints. We have successfully set up the DNS both at our datacenter and in Azure to route properly to the private endpoint through the Express Route.

We cannot get users on the VPN (split-tunnel) to route properly to the Azure Private Endpoint; it will always attempt to route to the public IP of the Azure Storage Account. We implemented dynamic split-tunneling and have added both our internal domain and the core.windows.net domain to the tunnel, but it still resolves to the public IP.
Any direction would be greatly appreciated.

Thank you

Tim

4 Replies

SinghRaminder
Level 1

So I'm assuming you want to reach Azure over a private connection but it's taking over public?

Check what DNS servers you have configured for your VPN and if they are able to resolve the private address you created for a certain FQDN.

For example... Type nslookup from the Windows cmd and hit enter, enter the FQDN you want and observe the results, and check which DNS server is giving you the output: is it your company DNS servers you mentioned in the VPN policy or the user's local home router DNS?

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

NSLOOKUP picks up the public nslookup information not the internal. The internal DNS servers are using conditional forwarding to route to "core.windows.net", but using our internal domain as the domain suffix, it will not pick up the conditional forwarder. Everything internal works without a problem.

Sorry, I misunderstood your reply

When you do the NSLOOKUP on the CMD, what is the responding SERVER you get? INTERNAL or USER LOCAL HOME DNS SERVER?

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer
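A quick way to automate the check Raminder describes, as an added example that is not part of this thread: parse the nslookup output, report whether the responding server is one of the corporate DNS servers pushed by the VPN policy, and whether the answer lands inside the vNET range that holds the Private Endpoint. The DNS server addresses, the vNET range and the storage hostname are assumed placeholders, and the sample nslookup text is constructed.

```python
import ipaddress
import re

# Constructed Windows nslookup output; hostname, server and addresses are
# placeholders, not values taken from the thread.
SAMPLE_HOME_DNS = """Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    example-storage.privatelink.file.core.windows.net
Address:  20.60.1.1
Aliases:  example-storage.file.core.windows.net
"""
# Same query answered by a corporate DNS server that knows the private endpoint.
SAMPLE_CORP_DNS = SAMPLE_HOME_DNS.replace("192.168.1.1", "10.0.0.10").replace("20.60.1.1", "10.50.1.4")

# Assumed values: DNS servers in the VPN policy and the Azure vNET holding the endpoint NIC.
INTERNAL_DNS = {"10.0.0.10", "10.0.0.11"}
PRIVATE_ENDPOINT_RANGES = [ipaddress.ip_network("10.50.0.0/16")]

def parse_nslookup(output):
    """Return (responding server, [answer addresses]) from nslookup text."""
    server, answers, in_answer = None, [], False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Name:"):
            in_answer = True              # lines after Name: belong to the answer
            continue
        m = re.match(r"Address(?:es)?:\s*(\S+)", stripped)
        if m:
            addr = m.group(1).split("#")[0]   # Linux nslookup prints "10.0.0.10#53"
            if in_answer:
                answers.append(addr)
            elif server is None:
                server = addr             # first Address: line is the responder
        elif in_answer and re.fullmatch(r"[0-9a-fA-F.:]+", stripped):
            answers.append(stripped)      # continuation line of a multi-line Addresses: block
    return server, answers

def diagnose(output, internal_dns=INTERNAL_DNS, pe_ranges=PRIVATE_ENDPOINT_RANGES):
    """Report which server answered and whether the answer is the private endpoint."""
    server, answers = parse_nslookup(output)
    addrs = [ipaddress.ip_address(a) for a in answers]
    return {
        "server": server,
        "server_is_internal": server in internal_dns,
        "answers": answers,
        "via_private_endpoint": bool(addrs) and all(any(a in n for n in pe_ranges) for a in addrs),
        "resolves_to_public": any(a.is_global for a in addrs),
    }
```

Run it over the output of a VPN user's nslookup: a home-router server with a public answer is the symptom in the thread, a corporate server with an in-range answer is the desired state.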

SinghRaminder
Level 1

Hi

I am not sure about that setup. What generally people do is either include the IP in the split tunnel or put them in the dynamic split tunnel with the domain you want to include.

What you have done is added the internal IP of the Azure setup in your VPN split tunnel. That is fine, but your VPN users are not able to get the internal resolution and you haven't added the public IP in your split tunnel as well. I would suggest, add a dynamic policy with that IP or add that public IP in your split tunnel as well. Mind you, after making the changes, you need users to disconnect/reconnect.

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer