S2S VPN from Cisco ASA to Azure established but can't ping etc. from AnyConnect VPN subnet.

virtuali1151
Level 1

Hi All,

OK, here is my issue. We have a single S2S VPN tunnel set up from our local on-prem subnets below to our Azure subnets. I can ping them fine when I am on a local on-prem subnet, e.g. 10.1.60.22, but when I try to ping to/from the Azure subnets via our AnyConnect subnet (172.17.255.0/24), I cannot for some reason. Is there something in particular I need to do for the AnyConnect VPN subnet to be able to connect to the Azure subnets? Thanks in advance.

 

AnyConnect subnet:
172.17.255.0/24

Local on-prem subnets:
10.1.60.0/24
10.1.70.0/24
10.1.80.0/24

Azure subnets:
10.210.0.0/16
10.211.0.0/16
10.212.0.0/16
10.213.0.0/16
10.214.0.0/16

4 Replies

mkazam001
Level 3

Some things to consider:

Is the AnyConnect subnet in the local and remote crypto ACL?

The AnyConnect subnet would also need to be in the NAT exemption statement if the ASA is configured for PAT.

Is there a route for the AnyConnect clients to the Azure subnets?

If AnyConnect traffic is entering and exiting the same outside interface, you will need the command: same-security-traffic permit intra-interface

See below for some extra reading:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html

Regards, mk

Please rate if helpful or solved :)
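The four checks above, put together as one ASA configuration fragment. This is an added example written for this thread, not configuration posted by either participant or taken from the Cisco document linked above. It uses the subnets from the original post; the object names, the interface names "inside" and "outside", the default-gateway address 203.0.113.1 and the group-policy name are assumptions. It also adds a fifth item the reply does not list, the split-tunnel network list, because with split tunnelling enabled the client will not send Azure-bound traffic into the AnyConnect tunnel at all unless the Azure ranges are in that list.

```cisco
! Subnets from the thread. The AnyConnect pool (172.17.255.0/24) is treated as a
! "local" network alongside the on-prem subnets so that one ACL covers the tunnel.
object-group network ONPREM-SUBNETS
 network-object 10.1.60.0 255.255.255.0
 network-object 10.1.70.0 255.255.255.0
 network-object 10.1.80.0 255.255.255.0
 network-object 172.17.255.0 255.255.255.0
object-group network AZURE-SUBNETS
 network-object 10.210.0.0 255.255.0.0
 network-object 10.211.0.0 255.255.0.0
 network-object 10.212.0.0 255.255.0.0
 network-object 10.213.0.0 255.255.0.0
 network-object 10.214.0.0 255.255.0.0
object network ANYCONNECT-POOL
 subnet 172.17.255.0 255.255.255.0
!
! 1. Crypto ACL for the Azure S2S tunnel. Because the pool is in ONPREM-SUBNETS it is
!    part of the interesting traffic. The Azure local network gateway must list
!    172.17.255.0/24 as an on-prem address space too, or the matching SA never comes up.
access-list AZURE-S2S-CRYPTO extended permit ip object-group ONPREM-SUBNETS object-group AZURE-SUBNETS
!
! 2. NAT exemption (identity NAT). AnyConnect clients terminate on "outside" and the
!    S2S tunnel also leaves via "outside", so the exemption is (outside,outside),
!    not (inside,outside) like the exemption for the on-prem subnets.
nat (outside,outside) source static ANYCONNECT-POOL ANYCONNECT-POOL destination static AZURE-SUBNETS AZURE-SUBNETS no-proxy-arp route-lookup
!
! 3. Hairpin: the packet enters and exits the same interface.
same-security-traffic permit intra-interface
!
! 4. Routing: the Azure subnets must resolve to the interface holding the crypto map.
!    Here that is the default route out "outside" (203.0.113.1 is an assumed next hop);
!    a static route pointing 10.211.0.0/16 at an inside next hop would bypass the tunnel.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! 5. Split tunnelling (assumed group policy name). If the policy is "tunnelspecified",
!    the Azure ranges must be in the list or the client routes them to its local gateway.
access-list ANYCONNECT-SPLIT standard permit 10.1.60.0 255.255.255.0
access-list ANYCONNECT-SPLIT standard permit 10.1.70.0 255.255.255.0
access-list ANYCONNECT-SPLIT standard permit 10.1.80.0 255.255.255.0
access-list ANYCONNECT-SPLIT standard permit 10.210.0.0 255.248.0.0
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ANYCONNECT-SPLIT
```

To test the path from the firewall itself, run the trace as an ICMP echo request (type 8, code 0) with a pool address as the source, for example `packet-tracer input outside icmp 172.17.255.13 8 0 10.211.20.30 detailed`, and read which phase drops it. If the trace passes but real traffic still fails, check `show crypto ipsec sa peer <azure-gateway-ip>` for an SA whose local identity is 172.17.255.0/24; with a policy-based tunnel each proxy-ID pair gets its own SA, and a pool that the Azure side has not listed will show no SA or zero encaps for that pair even though the on-prem pairs are up.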

Hi Mate,

See below:

Is the AnyConnect subnet in the local and remote crypto ACL?

- The AnyConnect subnet (172.17.255.0) is in the on-prem crypto ACL with my on-prem subnets on the ASA. I believe the Azure side has it allowed on their end. Do I need it anywhere else?

The AnyConnect subnet would also need to be in the NAT exemption statement if the ASA is configured for PAT.

- See the attached for the NAT rule.

Is there a route for the AnyConnect clients to the Azure subnets?

- Static route is: interface: inside / IP address: 10.211.0.0/16 / Gateway: 10.211.20.1

If AnyConnect traffic is entering and exiting the same outside interface, you will need the command: same-security-traffic permit intra-interface

- This is in the running config: same-security-traffic permit intra-interface

Let me know if it looks like I am missing anything.

When I do the packet trace for ping (echo-reply) from 172.17.255.13 to 10.211.20.30, it gets all the way through until WEBVPN-SVC and then it drops.

What could I be missing?

Thanks in advance.

This might be a really stupid question, but if I am doing a packet trace with a VPN IP that is in use, will that make a difference? Because when I do a packet trace from the outside interface to the inside interface using an IP that isn't in use, it gives me the below result:

Ping from 172.17.255.15 ---> 10.211.20.30 comes back allowed.
TCP from 172.17.255.15 ---> 10.211.20.30 via 3389 (RDP) comes back allowed.

So should I now be able to ping and RDP to/from the Azure subnets via the AnyConnect subnet?

Thanks in advance fellas, this one is doing my head in, lol :)
