Azure route from Windows VM to ASAv VPN pool, behind firewall Inside interface

Rodrigo Soares 0 Reputation points
2025-03-15T15:56:58.64+00:00

Hi,

I have the following scenario where the AnyConnect VPN Client (172.16.100.100) can't ping or establish communication with the Windows Server (10.0.0.5).

Network Flow:

AnyConnect VPN Client (172.16.100.100/24) Internet -> outside ASA VPN inside (172.16.2.4) -> VNet peering -> Windows Server (10.0.0.5/24)

I have a UDR on ASAv inside subnet, static route to 172.16.100.0/24 pointing to 172.16.2.4.

What is working:

1- Ping from ASAv inside interface (172.16.2.4) to Windows Server (10.0.0.5) = OK

What is not working:

2- Ping from ASAv VPN clients, like 172.16.100.100 to Windows Server (10.0.0.5) = Not OK

In the non-working scenario, I am running Wireshark on the Windows Server; from there I can see the ICMP request and reply between 172.16.100.100 and 10.0.0.5.

I am not seeing the ICMP reply hitting the ASAv inside interface.

I guess it is something on the Azure VNet side blocking it.

I have configured NSGs allowing ALL traffic, but that is not helping.

What am I missing here?

Thanks in advance.

Rodrigo

Azure Virtual Network

1 answer

  1. hossein jalilian 10,430 Reputation points
    2025-03-15T18:54:42.3+00:00

    Hello Rodrigo Soares,

    Thanks for posting your question in the Microsoft Q&A forum.

    Azure routes traffic based on the Effective Routing Table, which combines system routes and User Defined Routes.

    Add a UDR to the Windows Server’s subnet (Destination: 172.16.100.0/24, Next Hop Type: Virtual appliance, Next Hop IP: 172.16.2.4).

    Ensure the ASAv’s management NIC (Nic0) allows UDP/500 and UDP/4500 for VPN traffic, and the inside NIC (Nic3) permits traffic to 10.0.0.0/24.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

    1 person found this answer helpful.
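The route selection described in the answer above, as an added example that is not part of the original thread: a small Python model of how an effective route table picks the next hop for the reply from 10.0.0.5 to 172.16.100.100, before and after the UDR. It assumes the peered VNet address space is 172.16.2.0/24 (the page does not state it) and models Azure's default system routes, longest-prefix match, and user routes winning ties over system routes.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    source: str    # "User" (UDR) or "Default" (system route)
    prefix: str
    next_hop: str

# Modelled effective routes for the Windows Server subnet, without any UDR.
# Assumption: the peered VNet address space is 172.16.2.0/24 (not on the page).
SYSTEM_ROUTES = [
    Route("Default", "10.0.0.0/24", "VnetLocal"),
    Route("Default", "172.16.2.0/24", "VNetPeering"),
    Route("Default", "0.0.0.0/0", "Internet"),
    # Azure default routes that drop private ranges outside the VNet space.
    Route("Default", "10.0.0.0/8", "None"),
    Route("Default", "172.16.0.0/12", "None"),
    Route("Default", "192.168.0.0/16", "None"),
]

# The UDR proposed in the answer: VPN pool via the ASAv inside interface.
UDR = Route("User", "172.16.100.0/24", "VirtualAppliance 172.16.2.4")

# On equal prefix length a user route beats a system route.
PRIORITY = {"User": 0, "Default": 1}

def select_route(routes, destination):
    """Return the route used for destination: longest prefix, then source priority."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, PRIORITY[r.source]),
    )

def reply_next_hop(routes, vpn_client="172.16.100.100"):
    """Next hop the server's subnet uses for the reply to the VPN client."""
    route = select_route(routes, vpn_client)
    return route.next_hop if route else "None"

if __name__ == "__main__":
    print("without UDR:", reply_next_hop(SYSTEM_ROUTES))
    print("with UDR:   ", reply_next_hop(SYSTEM_ROUTES + [UDR]))
```

Under these assumptions the reply matches 172.16.0.0/12 with next hop None until the /24 UDR is present, which is consistent with the reply being visible in Wireshark on the server but never arriving at 172.16.2.4.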
