11-20-2018 06:55 AM - edited 02-21-2020 09:30 PM
Hi All,
Ok, here is my issue. We have a single S2S VPN tunnel set up from our local prem subnets below to our Azure subnets. I can ping them etc. fine when I am on a local prem sub, i.e. 10.1.60.22, but when I try to ping to/from the Azure subs via our Anyconnect subnet (172.17.255.0/24), I cannot for some reason. Is there something I need to do in particular for the Anyconnect VPN sub to be able to connect to Azure subnets? Thanks in advance.
Anyconnect subnet (172.17.255.0/24)
(Local Prem subnets)
10.1.60.0/24
10.1.70.0/24
10.1.80.0/24
(Azure subnets)
10.210.0.0/16
10.211.0.0/16
10.212.0.0/16
10.213.0.0/16
10.214.0.0/16
11-20-2018 07:07 AM
some things to consider:
is the anyconnect subnet in the local & remote crypto acl?
anyconnect subnet would also need to be in the nat exemption statement if asa is configured for pat
is there a route for the anyconnect clients to azure subnets?
if anyconnect traffic is entering & exiting the same outside interface -
you will need cmd - same-security-traffic permit intra-interface
see below for some extra reading:
regards, mk
please rate if helpful or solved :)
11-20-2018 10:48 AM
Hi Mate,
See below:
is the anyconnect subnet in the local & remote crypto acl?
- the anyconnect sub (172.17.255.0) is in the onprem crypto with my prem subs on the ASA. I believe the Azure side has it allowed on their end. Do I need it anywhere else?
anyconnect subnet would also need to be in the nat exemption statement if asa is configured for pat
- see the attached for the NAT rule
is there a route for the anyconnect clients to azure subnets?
- Static route is: interface:inside / IP address: 10.211.0.0/16 / Gateway: 10.211.20.1
if anyconnect traffic is entering & exiting the same outside interface -
you will need cmd - same-security-traffic permit intra-interface
- this is in the running config - same-security-traffic permit intra-interface
Let me know if it looks like I am missing anything?
11-20-2018 05:05 PM
When I do the packet trace for ping (echo-reply) from 172.17.255.13 to 10.211.20.30, it gets all the way through until WEBVPN-SVC then it drops.
What could I be missing?
Thanks in advance.
11-20-2018 07:52 PM - edited 11-20-2018 07:53 PM
This might be a really stupid question, but if I am doing a packet trace with a VPN IP that is in use, will that make a difference? Cause when I do a packet trace from the outside interface to the inside interface using an IP that isn't in use it gives me the below result:
Pinging from 172.17.255.15 ---> 10.211.20.30 comes back allowed.
TCP from 172.17.255.15 ---> 10.211.20.30 via 3389 (RDP) comes back allowed.
So should I now be able to ping and rdp to/from the Azure subnets via the Anyconnect subnets??
Thanks in advance fellas.. this one is doing my head in.. lol :)
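The checklist in mk's reply (crypto ACL, NAT exemption, route, same-security-traffic) and the packet-tracer questions in the later posts, pulled together into one ASA configuration. This is an added example, not config from anyone in this thread or from Cisco. It uses the subnets the thread gives; everything else is assumed and hypothetical: interface names inside/outside, outside next hop 203.0.113.1, Azure peer 198.51.100.10, the object, ACL, crypto-map, proposal and group-policy names. The route for the Azure prefixes is written toward the outside next hop, because a policy-based tunnel is applied on the outside interface and the crypto map can only match traffic that is routed out that interface.

```cisco
! Added example (not from the thread or Cisco): minimal ASA 9.x config for letting
! AnyConnect clients (172.17.255.0/24) reach the Azure subnets over the existing
! policy-based S2S tunnel. Assumed values: interface names inside/outside,
! outside next hop 203.0.113.1, Azure peer 198.51.100.10, and all object,
! ACL, crypto-map, proposal and group-policy names.

! --- objects: the subnets from the thread ---
object network ANYCONNECT_POOL
 subnet 172.17.255.0 255.255.255.0
object-group network ONPREM_NETS
 network-object 10.1.60.0 255.255.255.0
 network-object 10.1.70.0 255.255.255.0
 network-object 10.1.80.0 255.255.255.0
object-group network AZURE_NETS
 network-object 10.210.0.0 255.255.0.0
 network-object 10.211.0.0 255.255.0.0
 network-object 10.212.0.0 255.255.0.0
 network-object 10.213.0.0 255.255.0.0
 network-object 10.214.0.0 255.255.0.0

! --- 1. crypto ACL: the AnyConnect pool must appear as a local (source) network ---
! The Azure local network gateway must list 172.17.255.0/24 as well, or the
! phase 2 SA for that selector pair never negotiates.
access-list AZURE_CRYPTO extended permit ip object-group ONPREM_NETS object-group AZURE_NETS
access-list AZURE_CRYPTO extended permit ip object ANYCONNECT_POOL object-group AZURE_NETS
crypto map OUTSIDE_MAP 10 match address AZURE_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
! assumed proposal name
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE_MAP interface outside

! --- 2. NAT exemption (identity twice NAT) ---
! On-prem to Azure enters on inside and leaves on outside:
nat (inside,outside) source static ONPREM_NETS ONPREM_NETS destination static AZURE_NETS AZURE_NETS no-proxy-arp route-lookup
! AnyConnect to Azure enters on outside AND leaves on outside, so its exemption
! must be (outside,outside). An (inside,outside) rule never matches this flow,
! and a dynamic PAT rule would then rewrite the client's source address so the
! packet no longer matches the crypto ACL.
nat (outside,outside) source static ANYCONNECT_POOL ANYCONNECT_POOL destination static AZURE_NETS AZURE_NETS no-proxy-arp route-lookup

! --- 3. routing: Azure prefixes point out the outside interface ---
route outside 10.210.0.0 255.255.0.0 203.0.113.1
route outside 10.211.0.0 255.255.0.0 203.0.113.1
route outside 10.212.0.0 255.255.0.0 203.0.113.1
route outside 10.213.0.0 255.255.0.0 203.0.113.1
route outside 10.214.0.0 255.255.0.0 203.0.113.1

! --- 4. hairpin: client traffic enters and exits the same interface ---
same-security-traffic permit intra-interface

! --- 5. split tunnel: clients only send Azure traffic into the VPN if the
! split-tunnel list includes those prefixes (not needed with tunnelall) ---
access-list SPLIT_TUNNEL standard permit 10.1.60.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.1.70.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.1.80.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.210.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.211.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.212.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.213.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.214.0.0 255.255.0.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! --- verification (run with a client connected) ---
! packet-tracer simulates a cleartext packet arriving on outside. For an address
! that a connected client currently holds, the ASA expects that traffic only
! inside the client's tunnel, so a trace can stop at the VPN (WEBVPN-SVC) phase
! while the same trace from an unused pool address passes; read the NAT and
! ROUTE-LOOKUP phases of the trace rather than only the final verdict.
! packet-tracer input outside icmp 172.17.255.13 8 0 10.211.20.30 detailed
! The real proof is an IPsec SA whose local identity is 172.17.255.0/24:
! show crypto ipsec sa peer 198.51.100.10
! show vpn-sessiondb anyconnect
```

The (outside,outside) NAT statement is the piece most often missing in this setup: the AnyConnect pool is exempted from PAT for the on-prem direction, the ASA still translates the hairpinned flow, and the translated source never matches the crypto ACL, so the packet leaves the outside interface in the clear and Azure drops it. `show crypto ipsec sa peer` is the definitive check, because an SA with `local ident (addr/mask/prot/port): (172.17.255.0/255.255.255.0/0/0)` only exists once both the ASA crypto ACL and the Azure side agree on that selector.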