I was able to connect 2 Azure Hub in different regions using Azure VPN Gateway, I was able to establish ICMP and Windows RDP connections between VMs in both regions. My issue is after introducing ingress NAT in site 1 I can ping from VMs in site 2 using the external mapping IP but can't RDP or access any other open ports. I can still ping and RDP using the non NAT IP i.e. accessing site 1 VMs using the internal mapping IP. I have an Azure firewall in site 1 that allows ICMP, RDP and port 80 for testing for all traffic originating from a VM in site 2 to VMs in site1 and I can see from logs that traffic is allowed when site 2 VM is accessing site 1 VM using the external mapping IPs. Am I missing something? Are there any other configuration required for Azure VPN Gateway NAT rules? Thanks in advance.

@Danny Chuah , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I am afraid I did not quite understand your setup here. I see you are planning to use NAT feature of VPN Gateway Without understanding what Type and Mode of NAT you are using on either sides, it will be difficult to troubleshoot. What are the original address ranges of both of the sites. Are you using NAT on only one site (site1) or both the sites (site1 as well as site2) I see site1 has Ingress NAT What is the " Internal Mappings " and " External Mappings " for this site? Are you using Static NAT or Dynamic NAT in site1? If you are using NAT in site2 as well, what are the " Internal Mappings " and " External Mappings "? Are you using Static NAT or Dynamic NAT in site2 (if you are using)? Cheers, Kapil

Can Only Ping After Setting up Azure VWAN VPN NAT

Accepted answer

KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2024-04-22T06:11:59.1366667+00:00
@Danny Chuah ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I am afraid I did not quite understand your setup here.

I see you are planning to use NAT feature of VPN Gateway

Without understanding what Type and Mode of NAT you are using on either sides, it will be difficult to troubleshoot.

What are the original address ranges of both of the sites.

Are you using NAT on only one site (site1) or both the sites (site1 as well as site2)

I see site1 has Ingress NAT

What is the "Internal Mappings" and "External Mappings" for this site?

Are you using Static NAT or Dynamic NAT in site1?

If you are using NAT in site2 as well, what are the "Internal Mappings" and "External Mappings"?

Are you using Static NAT or Dynamic NAT in site2 (if you are using)?

Cheers,

Kapil
Please sign in to rate this answer.

1 person found this answer helpful.
Danny Chuah 20 Reputation points

2024-04-22T06:23:20.31+00:00

HI Kapil, thanks for gettin back to me.

I'm only using static NAT without BGP on site1, internal mapping is 10.2.1.4/32 and external mapping is 172.16.1.4/32. I've added the external mapping in VPN site 2.

The VPN connection was successful, but I couldn't ping 172.16.1.4 from a VM in site 2 until I added 10.2.1.4 as an external mapping in VPN site 2, I was then able to ping 172.16.1.4 and also 10.2.1.4 from the VM, when pinging 172.16.1.4 I get a successful response but the IP that responded back is from 10.2.1.4, not sure if this is the expected result?

Ping now works but RDP don't work with the external mapping IP 172.16.1.4 but works with when trying to connect to the internal mapping IP 10.2.1.4.

KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2024-04-22T06:43:55.1033333+00:00

@Danny Chuah ,

Thanks for the info.

I am confused as when you say "I've added the external mapping in VPN site 2".

Do you mean you have configured NAT on site 2 as well?

Or no?

Instead you are talking about the local site (LNG) configuration of vWAN VPN 2?

Cheers,

Kapil

KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2024-04-22T08:49:45.64+00:00

@Danny Chuah ,

The configuration seems to be correct.

Wrt, "when pinging 172.16.1.4 I get a successful response but the IP that responded back is from 10.2.1.4"

No, this is not.

This could indicate there is a asymmetric routing and the return traffic maybe coming in via a different tunnel altogether.

Can you please confirm if there are any other redundant connections other than this VPN?

In the VM 10.2.1.4,

Please check the Effective Routes - steps mentioned here

Can you confirm if the next Hop for Site2's range is showing as VNet Gateway?

Is there any specific reason you are using a /32 prefix?

I would suggest you use the entire VNET or at least subnet's range.

i.e., either /16 or /24 depending on your VNET and map it accordingly.

E.g. 10.2.1.0/24 to 172.16.1.0/24

For testing, please try this and let us know how this goes.

Cheers,

Kapil

Danny Chuah 20 Reputation points

2024-04-23T02:37:38.24+00:00

HI Kapil, thanks again for your assistance, I've tried what you've mentioned but still not getting any joy,

Below are my findings,

Here are the effective routes for VMs in site 1 (EastUS) and site 2 (WestUS)

VM in site 1 (IP 10.2.1.4)

VM in site 2 (10.20.1.4)

vhub effective route, site 1

vhub effective route, site 2

VPN Site 1, EastUS

VPN site 2, WestUS

NAT rule, ingress, linked to VPN connection to WUS

I've allowed ping and RDP ports on all VMs but still not getting any joy. Are there any logs I can look at for NAT translation and network flow?

KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2024-04-23T05:57:26.44+00:00

@Danny Chuah ,

From your architecture,

You want the address space 10.2.1.4/32 to translate to 172.16.1.4

i.e. Traffic 10.2.1.4/32 EastUS should NAT to 172.16.1.4 when entering WestUS

In this case, you should use EgressNAT.

Please try this configuration and let us know.

Cheers,

Kapil.

Danny Chuah 20 Reputation points

2024-04-23T06:02:31.8+00:00

Hi Kapil, I require traffic originating from WestUS to be NAT'd from external IP 172.16.1.4 to internal IP 10.2.1.4 and 172.16.2.4 to 10.2.2.4. I believe Ingress rule should work.

KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2024-04-23T06:55:49.4433333+00:00

@Danny Chuah ,

I am afraid this observation is incorrect.

By your statement,

"traffic originating from WestUS to be NAT'd from external IP 172.16.1.4 to internal IP 10.2.1.4"

So before NAT,
Source IP : 10.20.1.4
Destination IP : 172.16.1.4

Focus on the direction (indicated by " " ) in the below definitions.

IngressSNAT :

An IngressSNAT rule defines the translation of the "source IP" addresses coming "into" the Azure VPN gateway from the on-premises network. It also handles the translation of the destination IP addresses leaving from the VNet to the same on-premises network.

By the definition above, your source IP "10.20.1.4" will be translated

Which is not what you want, instead, you want the destination IP to be NATed.

EgressSNAT :

An EgressSNAT rule defines the translation of the source IP addresses leaving the Azure VPN gateway to on-premises networks. It also handles the translation of the "destination IP" addresses for packets coming "into" the VNet via those connections with the EgressSNAT rule.

By the definition above, your destination IP "172.16.1.4" will be translated

Which is what you want exactly.

Please give it a try and let us know how it goes.

Cheers,

Kapil

Danny Chuah 20 Reputation points

2024-04-23T08:23:41.1666667+00:00

Thank you Kapil, this has resolved my issues.
Sign in to comment

Can Only Ping After Setting up Azure VWAN VPN NAT

0 additional answers