I have two ASA's setup.
One 5520 on our premises and one ASAv in Azure
On-premise inside range is 10.33.0.0/16 outside ip 12.x.x.x
Azure range is 10.39.0.0/16 outside ip 13.x.x.x
I'm able to establish a VPN session between the two units
but if I try and ping an on-premise IP from azure I'm getting this error on the on-premise ASA
On the Azure ASAv I have this access list
access-list management_cryptomap_1 extended permit ip any object 10.33.0.0
On the on-premises ASA I have this access list
access-list outside_cryptomap extended permit ip any object 10.39.0.0
I'm at a loss what at what I'm doing wrong. Could someone point me in the error of my ways?
Solved! Go to Solution.
Your ACL should be between 10.33.0.0 and 10.39.0.0 networks and vice versa. You currently have ACL's defined between "any" and 10.33.0.0 and "any" and 10.39.0.0. Change it so that the ACL reflects only the traffic that you want to send across the tunnel.
So your local ASA is getting a proposal to build a tunnel with ASAv side (remote) proxy as 10.39.100.100/32 and Local proxy as 12.x.x.x/32.
Group = 13.x.x.x, IP = 13.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.39.100.100/255.255.255.255/0/0 local proxy 12.x.x.x/255.255.255.255/0/0 on interface outside
If this is how you want the proxies to be, then your local ASA should have the ACL with the same proxies like below:
access-list outside_cryptomap extended permit ip host 12.x.x.x host 10.39.100.100
Thanks for all your help. I've got both side connected to the vpn tunnel now.
From the azure site I'm able to ping our on-premise computers but I can't to the reverse.
on the 10.39.0.0 ASAv I'm able to ping 10.33.40.10 but from the remote 10.33.0.0 asa I can't ping that same IP.
I'm not seeing any failures on either log.
Routes are currently 0.0.0.0 0.0.0.0 "next hop" outside
I'm so close to being done with this project, I'm just not sure where I'm going wrong.
attached are excerpts from the current configs on both systems
Did you ever figure this one out? I am having the exact same problem, tunnel is up, I can ping both sides of it from the azure asa, but for the life of me I cannot get traffic to pass. I've set up two L2L tunnels in the last two weeks with no problem, but I double checked and triple checked and everything is exactly the same on both sides but I can't get it to work...