I have a site-to-site VPN between an ASA 5510 and the Windows Azure cloud. There is an AnyConnect VPN connecting to the ASA. I enabled hairpinning and allowed the AnyConnect VPN pool over the site-to-site tunnel at both ends. The ASA internal network can reach the IPs in the Azure cloud; however, the AnyConnect IPs can't.
Packet-tracer output is given below:
packet-tracer input outside icmp 10.224.44.16 0 0 10.224.32.4 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac14b1e8, priority=1, domain=permit, deny=false
hits=6336225801, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static AZURE-DMZ AZURE-DMZ destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.224.32.4/0 to 10.224.32.4/0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in_1 in interface outside
access-list outside_access_in_1 extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacc7ff68, priority=13, domain=permit, deny=false
hits=177578, user_data=0xa99bbd00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac14efd8, priority=0, domain=inspect-ip-options, deny=true
hits=83222459, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac2eda20, priority=79, domain=punt, deny=true
hits=1041, user_data=0xab8e0b50, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.224.44.16, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae810058, priority=70, domain=inspect-icmp, deny=false
hits=1206452, user_data=0xae709af0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad7a31b8, priority=70, domain=svc-ib-tunnel-flow, deny=false
hits=1378, user_data=0x259f000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.224.44.16, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
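For comparison, the following is the minimal set of ASA configuration pieces that hairpinning AnyConnect client traffic over an L2L IPsec tunnel depends on. This is an added illustration for readers of the thread, not the poster's running configuration: the subnets, the peer address, the crypto map, ACL and group-policy names are assumptions chosen to line up with the addresses and the object names (VPN-POOL, AZURE-DMZ) visible in the packet-tracer output above. ISAKMP policy and transform-set lines, and the existing inside-LAN crypto ACL entry, are left out.

```cisco
! Added example (not the poster's config). Subnets, peer address and
! policy names are assumptions.

! 1. The AnyConnect session and the L2L tunnel both terminate on
!    "outside", so traffic must be allowed to enter and leave the same
!    interface (this is what "hairpinning" means on the ASA).
same-security-traffic permit intra-interface

! 2. Address objects (subnets assumed from the packet-tracer addresses).
object network VPN-POOL
 subnet 10.224.44.0 255.255.255.0
object network AZURE-DMZ
 subnet 10.224.32.0 255.255.255.0

! 3. Identity twice NAT so the real addresses are preserved inside the
!    tunnel and the ASA does a route lookup instead of answering for the
!    destination. The rule is bidirectional, which is why the trace above
!    shows a match in the UN-NAT phase even though the poster wrote the
!    rule with AZURE-DMZ as the source and VPN-POOL as the destination.
nat (outside,outside) source static VPN-POOL VPN-POOL destination static AZURE-DMZ AZURE-DMZ no-proxy-arp route-lookup

! 4. The crypto ACL (proxy identity) must carry the VPN pool as a
!    source; the Azure end must mirror it with the pool as a destination.
access-list L2L-AZURE extended permit ip object VPN-POOL object AZURE-DMZ
crypto map OUTSIDE_MAP 10 match address L2L-AZURE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP interface outside

! 5. If the AnyConnect group policy split-tunnels, the Azure subnet must
!    be in the split-tunnel list or the client never sends it up the
!    tunnel in the first place.
access-list SPLIT-TUNNEL standard permit 10.224.32.0 255.255.255.0
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

To confirm the hairpinned traffic is actually entering the tunnel, generate real traffic from a connected AnyConnect client and check `show crypto ipsec sa peer 203.0.113.10` for a child SA whose local/remote identity is the pool and the Azure subnet with rising `#pkts encaps` counters, and run `capture CAP interface outside match ip 10.224.44.0 255.255.255.0 10.224.32.0 255.255.255.0` to see whether the client's packets reach the ASA at all. A packet-tracer simulation sourced from a pool address on the outside interface does not go through the AnyConnect session's decryption path, so a drop in the WEBVPN-SVC phase is worth cross-checking against live traffic rather than taken on its own.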