Monday, November 9, 2020

Azure ASA Virtual - VPN Subnet Routing

Hello All,

A great thanks again to all the wonderful help I've gotten in this subreddit. I've learned a lot here! I have another one that I'm stuck on, though.

I have an ASA Virtual in Azure. That ASA Virtual allows clients to connect on an SSL VPN for access into the environment. I want those VPN Clients to be able to route to my on-prem, which is facilitated via Azure Tunnels and BGP.

The inside interface of the ASA can ping all those on-prem resources fine, and that connectivity works great. However... I can only get the SSL VPN Clients to be able to talk with on-prem resources if I NAT their IP to the inside interface of the ASA. The problem there is that the communication has to be initiated by the client of course. I want devices in my on-prem to be able to initiate the conversation (for stuff the IT team does) to an SSL VPN Client device.

If I tracert to a client IP Address from an on-prem device, I show it going through my core switch and into the Cisco ISR I use for the Azure tunnels, but I never see the traffic hit the ASA in the logs (I can see ICMP hit the inside interface if I choose to ping that instead).

I'm starting to think this is due to Azure not knowing where to send traffic for that subnet. So I created a static route in my ISR pointing to that Client VPN subnet with the inside interface of the ASAv as a next-hop. I also made sure there is a route to the VPN subnet in every single Route Table for the ASAv (all 4 interfaces).

Still no luck, and I can't see anything hitting the logs. I've enabled all the logging I think I need to from this page (https://community.cisco.com/t5/network-security/asa-real-time-logging-viewer-gt-not-seeing-icmp-from-acl/td-p/2664850) and again, I see ICMP hitting from on-prem to the inside interface, and even see route lookup failures if I try to ping the Management interface (not meant to be routable) so it seems like the logging should pick it up if the traffic was actually making it to the ASA.

Has anyone come across this issue when using the ASA Virtual in Azure?
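To make the three pieces described above concrete, here is an added configuration example written by the editor; it is not from the original post and not from Cisco or Microsoft documentation. Every address, interface, resource-group and route-table name in it (the VPN client pool 10.99.0.0/24, the ASAv inside NIC at 10.10.1.4, the on-prem host 192.168.50.10, the RG_PLACEHOLDER names) is a placeholder that must be replaced with the real values. It also includes the checks that answer the question the ASA logging could not: whether the on-prem packets reach the ASAv at all, and whether Azure is willing to hand the ASAv a packet whose destination is not the NIC's own address.

```text
# --- Azure side (Azure CLI): user-defined route so the VNet forwards the VPN pool to the ASAv inside NIC ---
# Placeholder names and addresses. The route must exist in the route table bound to every subnet
# that should reach the clients, including the subnet the Azure tunnel / BGP traffic lands in.
az network route-table route create \
  --resource-group RG_PLACEHOLDER \
  --route-table-name rt-inside-PLACEHOLDER \
  --name to-vpn-client-pool \
  --address-prefix 10.99.0.0/24 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address 10.10.1.4

# Azure silently drops packets delivered to a NIC whose destination is not the NIC's own IP
# unless IP forwarding is enabled on that NIC; the VPN pool lives behind the ASAv, so check it.
az network nic show \
  --resource-group RG_PLACEHOLDER --name asav-inside-nic-PLACEHOLDER \
  --query enableIpForwarding --output tsv          # expect: true

# Show the routes Azure will really apply to traffic leaving the ASAv inside NIC's subnet.
az network nic show-effective-route-table \
  --resource-group RG_PLACEHOLDER --name asav-inside-nic-PLACEHOLDER --output table

! --- On-prem ISR (IOS): point the VPN pool at the ASAv inside interface across the Azure tunnel ---
! Only needed if the pool is not already advertised over BGP; 10.10.1.4 is resolved recursively
! through whatever route the ISR already has for the ASAv inside subnet.
ip route 10.99.0.0 255.255.255.0 10.10.1.4

! --- ASAv: prove whether the packet arrives before changing NAT or ACLs ---
! 1. Capture on the inside interface for on-prem -> VPN pool traffic (remove the capture when done).
capture vpnpool interface inside match ip 192.168.50.0 255.255.255.0 10.99.0.0 255.255.255.0
show capture vpnpool
no capture vpnpool

! 2. Simulate an on-prem-initiated ping to a connected client through the ASA's own route, NAT and ACL checks.
packet-tracer input inside icmp 192.168.50.10 8 0 10.99.0.5 detailed
```

If the capture stays empty while a ping to the inside interface address itself is captured, the packets are being dropped before the ASAv (Azure route tables, IP forwarding or the tunnel), which is the case the post suspects. If the capture shows the packets but packet-tracer reports a drop, the cause is inside the ASA and the phase named in the output (ROUTE-LOOKUP, NAT or ACCESS-LIST) tells you which policy to fix.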


