S2S IPsec VPN - Accessing local resource from internet

Zakdxb 1 Reputation point
2022-10-10T11:44:28.967+00:00

Hello,

I have a local machine (on-premises in the office) with the IP address 192.168.1.x

I would like to access my local machine using the Azure Virtual Gateway: 20.74.131.55

Example: if I RDP to 20.74.131.55:3389, then it should connect me to a machine sitting in my office (IP address: 192.168.1.x)

Note: Site to Site VPN tunnel is up and connected. I have a Fortinet 100D FW on-premises.

The scenario is that I'm at home and I would like to RDP to 20.74.131.55, and it should connect me to 192.168.1.x

Can someone help with what configuration I need to do, and whether there is any additional resource I need to add to accomplish the goal?

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

1 answer

  1. KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee
    2022-10-10T12:55:09.12+00:00

    Hi @Zakdxb ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you would like to use Azure VPN gateway to establish an RDP session to an OnPrem machine from your local machine.

    There is a way to achieve this, but not the way you intend to.

    Directly accessing the IP address of Azure VPN gateway, doing a NAT and connecting to an OnPrem resource is not possible.
    We cannot make Azure VPN gateway listen on custom Ports and do any sort of NAT configuration.

    Method #1

    • You would need a Jump VM sitting in the Azure Virtual Network (attached to the VPN gateway) with a Public IP Address.
    • You should RDP to this JumpVM normally, and from here, you can RDP to any of the required OnPrem resources.

    Method #2

    Alternative Method

    • This does not use Azure VPN gateway, or Azure at all.
    • If your OnPrem VPN device supports NATing, you can directly access the IP of the Firewall at OnPrem and make it NAT to the desired OnPrem device.

    I hope this explains the various possibilities.

    Thanks,
    Kapil
