Azure VPN does not work if NAT-T is involved

Question

Azure VPN does not work if NAT-T is involved

NewToAzure 11

Hi all,
I have a Cisco ASA firewall, where if I created a Route Based VPN " gtwy, local connection and connection, I can get both a policy based and route based working on the ASA side to my Azure VPN.

My issue is, I have a ISP route with a new ISP and the peer IP is on this router. So it is doing a one to one NAT and when I do a Azure peering to this IP, where NAT-T is in use, I cannot get it to work.
Phase 1 and 2 come up on the ASA, and I see my packets being encrypted and sent through the tunnel, but I get no replies from the Azure side, even though the Connection shows Connected.

If I look at the effective routes on my test Azure VM server, I see the routes to my OnPrem subnet pointing to the Virtual gateway, and I am allowing ping through my NSG and Windows firewall, but I see no traffic hit my ASA.

Reminder, if I change this back to the IP address on my ASAs outside interface, it comes up fine and xmt and rcv works fine.
Only issue is when NAT-T is involved.
MS docs say NAT-T is supported, but I cant get it to work.

NewToAzure 11 Reputation points

2022-06-08T14:38:44.383+00:00

Thanks. I am out of office till next week but will try these when back.

2 answers

Your answer

NewToAzure 11 Reputation points

2022-06-08T14:38:44.383+00:00

Thanks. I am out of office till next week but will try these when back.

Answer 1

Jackson Martins 10,606 MVP Volunteer Moderator

Hi!
I need to ask a few questions, but the first is: what SKU are you using in Vpngw? Second, based on my understanding, your scenario looks like the below

don`t work
Host 1 -> ASA -> ISP NAT -> Public IP <> Azure GW <- vnet <- host

works fine
Host 1 -> ASA -> ISP Public IP <> Azure GW <- vnet <- host

did you create any nat rules in azure?

NewToAzure 11 Reputation points

2022-06-06T23:33:03.967+00:00

Appreciate you jumping in. I've tried VpnGw1, VpnGw2 and VpnGw2AZ, creating a new resource group, vnet, gateway etc for each.
They all act the same.

My scenario is the pic above.
works fine, regardless if I create a policy based or route based VPN on the ASA ... the Azure GTWY is a Route Based.
Host 1 -> ASA -> goes out ASA outside interface ISP 1 IP peer IP( no NAT-T UDP 500 ) <> Azure GW <- vnet <- test Windows VM

Does not work
Host 1 -> ASA -> Fatpipe ISP Load Balancer ISP 2 IP peer IP, which is one to one NATed Fatpipe to ASA outside interface ( NAT-T UDP 500 then UDP 4500 ) <> Azure GW <- vnet <- test Windows VM

See pic above
NewToAzure 11 Reputation points

2022-06-06T23:40:34.14+00:00

no nat rules in Azure.
On my test Windows VM in Azure, I check the effective routes, the the route to the OnPrem subnet is there, and points to the Azure GTWY.

When Azure peers to the ASA outside interface, where NAT-T is not in use, works fine, regardless if I create a policy based or route based VPN on the ASA ... the Azure GTWY is a Route Based.

It is only when I have Azure peer with the ISP IP on the Fatpipe ISP Load Balancer, where it is one to one NATing to the ASA outside interface, where Phase 1 and 2 appear to be UP on the ASA, but no traffic returns from Azure. I can see traffic incrementing to Azure, just see no return traffic.

Keep in mind, I have Checkpoints, Palo Altos, Cisco Firepower, Cisco IOS routers and ASAs VPN peering to the Fatpipe ISP, and they all work fine.
It is only Azure where it is not working.
On Palo Alto, and IOS router, you need/could add an identity address, since the peer is ISP 2, but the actual IP address is the ASA outside interface IP.
The ASA by default supports NAT-T.
But I don't know of any command in Azure, where I would say the peer is ( ISP 2 IP address ) but the VPNs identity address is ( the ASA outside interface IP address ).
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2022-06-07T14:34:04.04+00:00

you said the two sides are connected but the communication doesn't happen, and you don't see the packet arriving at the ASA right?
Can you see packets sent through the ASA arriving at azure?
maybe you can try to create an outbound nat rule in Vpngw

reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/nat-overview

NAT-T is supporte on Vpngw, maybe the packet is being dropped because it doesn't have the declared network,.

If the packet is not arriving at the asa, you will have to see it hop by hop, try to see in the Fatpipe ISP Load Balancer ISP if it is arriving, see in azure the packet arriving and with which address

Please capture the packet following instructions bellow

https://learn.microsoft.com/en-us/azure/vpn-gateway/packet-capture

Answer 2

Chuck Chitchalerntham 1

Hello,

NAT-T works with Azure VPN. On your Firewall, make sure you add route of the Azure VPNGW public IP via ISP2, since all traffic goes out default route ISP1. Otherwise the return packet will never reach ISP2 FW interface - sample diagram, not sure of your requirements.

sample. say my Azure VPN GW is 20.20.20.20

route ISP 0.0.0.0 0.0.0.0 ISPGW 1
route ISP2 20.20.20.20 255.255.255.255 ISP2GW 1

Share via

Azure VPN does not work if NAT-T is involved

2 answers

Your answer