I have a VLAN setup (Vlan20) with the IP 192.168.2.x, connected to Azure using a tunnel on my Cisco ISR. Azure is setup to accept clients from the 192.168.2.x as well as 10.12.0.x networks. My ISR is also setup to have a secondary IP in the VLAN20 address space, at 10.12.0.1, however, when computers from the 10.12.0.x try to ping a machine on Azure, I get no responses.... switch back to the 192.168.2.x address space, and it works.
I have my access-list's setup properly for both ranges... I'm not entirely sure what else I could be missing. Here is my configuration:
crypto ikev2 proposal azure-proposal encryption aes-cbc-256 aes-cbc-128 3des integrity sha1 group 2 ! crypto ikev2 policy azure-policy proposal azure-proposal ! crypto ikev2 keyring azure-keyring peer 52.237.36.248 <- Azure IP address address 52.237.36.248 <- Azure IP address pre-shared-key xxxxxxxxxxxxxxxxxxxxxxx ! peer 52.237.34.217 <- Azure IP address address 52.237.34.217 <- Azure IP address pre-shared-key xxxxxxxxxxxxxxxxxxxxxxx ! crypto ikev2 profile azure-profile match address local interface GigabitEthernet0/0/0 match identity remote address 52.237.36.248 255.255.255.255 match identity remote address 52.237.34.217 255.255.255.255 authentication local pre-share authentication remote pre-share keyring local azure-keyring ! zone security INSIDE description All interfaces on the INSIDE of the network, including VPN tunnel interfaces zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE service-policy type inspect POLICY-INSIDE-TO-OUTSIDE zone-pair security ZP-OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE service-policy type inspect POLICY-OUTSIDE-TO-INSIDE ! crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac mode tunnel ! crypto ipsec profile azure-vti set transform-set azure-ipsec-proposal-set set ikev2-profile azure-profile ! interface Loopback0 description BGP Peer IP address ip address 192.168.255.1 255.255.255.255 ! interface Port-channel1 description Po0 to Core Switch Po4 no ip address no negotiation auto ! interface Port-channel1.20 description Production VLAN20 Subinterface encapsulation dot1Q 20 ip address 192.168.2.1 255.255.255.0 secondary ip address 10.12.0.1 255.255.252.0 ip nat inside zone-member security INSIDE ! interface Tunnel2 description Tunnel to Azure Canada Central Gateway 1 ip address 169.254.0.1 255.255.255.0 zone-member security INSIDE ip tcp adjust-mss 1350 tunnel source GigabitEthernet0/0/0 tunnel mode ipsec ipv4 tunnel destination 52.237.36.248 <- Azure IP address tunnel protection ipsec profile azure-vti ! interface Tunnel3 description Tunnel to Azure Canada Central Gateway 2 ip address 169.254.1.1 255.255.255.0 zone-member security INSIDE ip tcp adjust-mss 1350 tunnel source GigabitEthernet0/0/0 tunnel mode ipsec ipv4 tunnel destination 52.237.34.217 <- Azure IP address tunnel protection ipsec profile azure-vti ! interface GigabitEthernet0/0/0 description Interface to Internet ip address xxxxxxxxxxxxx 255.255.255.248 ip nat outside ip nbar protocol-discovery zone-member security OUTSIDE negotiation auto ! interface Vlan1 ip address xxxxxxxxxxxxx 255.255.255.240 ip nat outside zone-member security OUTSIDE ! interface Vlan20 no ip address ip helper-address 10.12.0.20 ! router bgp 65002 bgp log-neighbor-changes network 192.168.2.0 network 192.168.3.0 network 192.168.5.0 neighbor 192.168.207.6 remote-as 65001 neighbor 192.168.207.6 ebgp-multihop 255 neighbor 192.168.207.6 update-source Loopback0 neighbor 192.168.207.7 remote-as 65001 neighbor 192.168.207.7 ebgp-multihop 255 neighbor 192.168.207.7 update-source Loopback0 ! ip nat inside source static tcp 192.168.2.81 443 xxx<my public ip>xxx 443 extendable ip nat inside source static tcp 192.168.3.9 80 xxx<my public ip>xxx 80 extendable ip nat inside source static tcp 192.168.3.9 443 xxx<my public ip>xxx 443 extendable ip nat inside source static tcp 192.168.2.73 21000 xxx<my public ip>xxx 21000 extendable ip nat inside source static tcp 192.168.2.73 21001 xxx<my public ip>xxx 21001 extendable ip nat inside source static tcp 192.168.2.73 22000 xxx<my public ip>xxx 22000 extendable ip nat inside source list NAT_LIST interface GigabitEthernet0/0/0 overload ip nat inside source list NAT_LIST_SMTP interface Vlan1 overload ip forward-protocol nd ip http server ip http authentication local ip http secure-server ip tftp source-interface GigabitEthernet0 ip route 0.0.0.0 0.0.0.0 xxx<my public ip>xxx ip route 192.168.207.6 255.255.255.255 Tunnel2 ip route 192.168.207.7 255.255.255.255 Tunnel3 ! ip ssh version 2 ! ip access-list standard SSH_MANAGEMENT permit 191.234.35.42 remark List of addresses that can manage this device via SSH permit 192.168.0.0 0.0.255.255 permit any ! ip access-list extended ACCESS_TO_DR_PORTAL permit ip any host 192.168.3.9 ip access-list extended NAT_LIST deny ip any host 67.226.181.231 permit ip 192.168.2.0 0.0.0.255 any permit ip 192.168.3.0 0.0.0.255 any permit ip 192.168.5.0 0.0.0.255 any permit ip 192.168.8.0 0.0.0.127 any permit ip 192.168.9.0 0.0.0.255 any permit ip 10.10.0.0 0.0.0.255 any permit ip 10.12.0.0 0.0.0.255 any permit ip 10.13.0.0 0.0.0.255 any permit ip 10.14.0.0 0.0.0.255 any permit ip 10.15.0.0 0.0.0.255 any permit ip 10.18.0.0 0.0.0.255 any permit ip 10.19.0.0 0.0.0.255 any
Thoughts? Most of this is existing configuration, not mine - so some of it may be wrong. They're using Classic Azure which has it's own set of challenges when it comes to configuration... but I believe it's setup correctly... just having issues connecting.
No comments:
Post a Comment