We have a Cisco ASA 5510 connecting to the Windows Azure cloud via a site-to-site VPN. We wanted the remote access VPN users connecting to the ASA to access the Azure cloud over the site-to-site VPN. I configured VPN hairpinning using the "same-security-traffic permit intra-interface" command. I also added the remote access VPN IP pool to the Local Network on the Azure end of the VPN tunnel.
When I try to ping from the remote VPN client machine, I don't get a response back from the Azure cloud virtual network. Debug on the ASA shows that the ICMP traffic is being sent out, but there is no response.
The packet-tracer command output is given below:
packet-tracer input outside icmp 10.224.44.20 0 0 10.224.32.4 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac14b1e8, priority=1, domain=permit, deny=false
hits=6403431539, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static AZURE-DMZ AZURE-DMZ destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.224.32.4/0 to 10.224.32.4/0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in_1 in interface outside
access-list outside_access_in_1 extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacc7ff68, priority=13, domain=permit, deny=false
hits=178694, user_data=0xa99bbd00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac14efd8, priority=0, domain=inspect-ip-options, deny=true
hits=83989276, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa83b8728, priority=79, domain=punt, deny=true
hits=31, user_data=0xab8e0b50, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.224.44.20, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae810058, priority=70, domain=inspect-icmp, deny=false
hits=1226143, user_data=0xae709af0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae9788c8, priority=70, domain=svc-ib-tunnel-flow, deny=false
hits=33, user_data=0x263e000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.224.44.20, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
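Added example, not part of the original post or of Cisco's tooling: a small Python parser for ASA packet-tracer output that splits the trace into phases, picks out the phase that returned DROP, and reports the final Drop-reason. It is run here over a constructed, abbreviated trace in the same format as the one above (two phases only, with the hairpin NAT line and the WEBVPN-SVC drop kept).

```python
# Constructed sample in ASA packet-tracer format, abbreviated from the post above.
SAMPLE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
nat (outside,outside) source static AZURE-DMZ AZURE-DMZ destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
Additional Information:
Phase: 2
Type: WEBVPN-SVC
Result: DROP
Config:
Additional Information:
in id=0xae9788c8, priority=70, domain=svc-ib-tunnel-flow, deny=false
Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    phases, verdict, cur, section = [], {}, None, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Phase:"):          # header of the next phase
            cur = {"number": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                # bare "Result:" opens the final summary
            cur = None
        elif cur is None:                      # summary lines are "key: value"
            key, sep, val = line.partition(":")
            if sep:
                verdict[key.strip()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:                          # body of the current Config / Info section
            cur[section].append(line)
        else:                                  # Type / Subtype / Result of this phase
            key, _, val = line.partition(":")
            cur[key.strip().lower()] = val.strip()
    return phases, verdict

def dropping_phase(phases):                    # first phase whose Result is DROP, else None
    return next((p for p in phases if p.get("result") == "DROP"), None)

def summarize(text):                           # one-line verdict for a pasted trace
    phases, verdict = parse_packet_tracer(text)
    drop = dropping_phase(phases)
    return ("allowed, %d phases traced" % len(phases) if drop is None else
            "dropped at phase %d %s: %s" % (drop["number"], drop["type"], verdict.get("Drop-reason", "")))
```

Paste a full trace (including the echoed packet-tracer command line, which has no colon and is ignored) into summarize() to get the dropping phase and reason without reading every block by hand.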