Re: site to central site vpn with Azure

mbluemel · ‎10-24-2019

I have a route based VPN from my central site to Azure which is working well. We have a number of remote sites that are connected to the central site with ipsec site to site vpns and would like the sites to have connection to the Azure network via those links. Has anyone done this successfully? I can see traffic getting to the central site that is destined for Azure but doesn't seem to get across the link from there. Any thoughts would be gratefully received even if its 'no it wont work' so I dont waste too much time on it.

Rob Ingram · ‎10-24-2019

Hi,
If the remote site traffic is getting to the central site, I see no reason why the traffic could not be routed to Azure.
Does the Azure configuration have routes for the remote sites to route back to the central site?

What device are you using? ASA or IOS router? Do you have any NAT rules in place that could unintentionally be natting the traffic?
HTH

mbluemel · ‎10-24-2019

Thanks for the reply
I have a cisco 891 ISR at the remote site which connects to an ASA5512 at the central site. There is then a route based vpn from the ASA to Azure which works perfectly.
If I initiate traffic to Azure from the remote site it gets to the ASA but I don't see it going any further. There are no NAT rules for the link to Azure.
I do have the Azure subnet on the cryptomap and nat rules from the remote site to the ASA but not on the Azure link.

Rob Ingram · ‎10-24-2019

Run packet-tracer from the CLI and provide the output.
What about a packet capture on the Azure end? If you initiate traffic from there does it get to your central site?

mbluemel · ‎10-24-2019

Just to update you. I checked with the people who were configuring the Azure end and they had used the incorrect subnet. As soon as they changed it everything started working. Thanks for your replies.