Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum

Site-to-site VPN up and running but not working


I have set up a site-to-site VPN between our on-premises Cisco ASA 5510 and Azure; we used the Azure-generated script for the configuration settings. We have successfully connected and have a green tunnel in the Azure management portal, but both the ASA and the Azure dashboard are recording data out and no data in.

On my Azure tenancy I have one virtual network with 4 subnets (plus a 5th gateway subnet). The VNET has an address range of 10.1XX.0.0/21; subnet1 is 10.1XX.1.0/24 and subnet 4 is 10.1XX.4.0/24. I have not configured network security groups yet (although I have created them and subsequently deleted them).

I have created two Windows VMs: VM1 on subnet1 (10.1XX.1.4) and VM2 on subnet 4 (10.144.4.4).

I RDPed onto one of the VMs and found that it is not possible to ping from VM2 to VM1 using the 10.1XX.x.x address (the result is "Request timed out"). However, it is possible to use PSPING (a TCP ping utility) while specifying the RDP port. So traffic flows between machines on the Azure VNET.

I have then tried to PSPING from a client machine on my local network to VM1 by IP address on port 3389; this does not work and returns the following: "This operation returned because the timeout period expired." Ping returns "Request timed out" from my client machine.

I have used tracert, and it shows the first hop to our firewall, which sits between the Cisco ASA and my computer, but no further successful hops. Our firewall is configured to route traffic to the 10.1XX.0.0/21 address range through the Cisco ASA.

I have run Start-AzureVNetGatewayDiagnostics. I have done this at two separate times: once when not sending requests to the Azure network, and once while running psping and tracert to VM1. The first shows very little in the gateway diagnostic log, as expected, because I am not trying to use the VPN tunnel. The latter generates some gateway logs. This suggests to me that our network at this end is routing traffic to Azure successfully.
I have checked that NAT-T is enabled on the Cisco ASA, taken down the VPN tunnel and recreated it.
Is there any documentation on the right configuration for setting up a VPN that works between a Cisco ASA and Azure?
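As an added example (not part of the original post, and not Azure's or Cisco's own tooling script): a classic (Service Management) Azure PowerShell sequence that snapshots the connection's ingress/egress byte counters, runs Start-AzureVNetGatewayDiagnostics for a fixed window, generates the same psping/tracert test traffic described above, and then reports how much each counter moved. Egress rising while ingress stays flat is the "data out but no data in" symptom from the post. The variables `$vnetName`, `$storageAccount`, `$containerName` and `$vm1` are placeholders, and the script assumes the classic `Azure` module is loaded with a subscription selected and that it is run from the on-premises client.

```powershell
# Added example, not from the original post. Assumes the classic 'Azure'
# PowerShell module (Service Management) and a selected subscription.
# All names below are placeholders to be replaced with real values.

$vnetName       = "MyVNet"          # placeholder: VNET that owns the gateway
$storageAccount = "mydiagstorage"   # placeholder: classic storage account for the capture
$containerName  = "gatewaydiag"     # placeholder: blob container for the diagnostics log
$vm1            = "10.1XX.1.4"      # placeholder: VM1's private IP, masked as in the post
$captureSeconds = 120               # length of the gateway capture window

# Helper: read the per-site counters so before/after snapshots compare cleanly.
function Get-ConnectionCounters {
    Get-AzureVNetConnection -VNetName $vnetName |
        Select-Object LocalNetworkSiteName, ConnectivityState,
                      IngressBytesTransferred, EgressBytesTransferred
}

# 1. Snapshot the counters before any test traffic is sent.
$before = Get-ConnectionCounters
$before | Format-Table -AutoSize

# 2. Start the gateway diagnostics capture, written to blob storage.
$key = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$ctx = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $key
Start-AzureVNetGatewayDiagnostics -VNetName $vnetName -StorageContext $ctx `
    -ContainerName $containerName -CaptureDurationInSeconds $captureSeconds

# 3. While the capture runs, generate the same traffic the post describes:
#    a TCP "ping" to the RDP port (Sysinternals psping) and a route trace.
psping.exe -n 5 "${vm1}:3389"
tracert.exe -d $vm1

# 4. Wait for the capture window to close, then fetch the log's download URL.
Start-Sleep -Seconds ($captureSeconds + 15)
Get-AzureVNetGatewayDiagnostics -VNetName $vnetName |
    Select-Object State, DiagnosticsUrl

# 5. Compare counters. Egress growing with ingress unchanged means the gateway
#    is sending packets toward the on-premises site and receiving nothing back.
$after = Get-ConnectionCounters
foreach ($c in $after) {
    $b = $before | Where-Object { $_.LocalNetworkSiteName -eq $c.LocalNetworkSiteName }
    "{0} ({1}): egress +{2} bytes, ingress +{3} bytes" -f $c.LocalNetworkSiteName,
        $c.ConnectivityState,
        ($c.EgressBytesTransferred  - $b.EgressBytesTransferred),
        ($c.IngressBytesTransferred - $b.IngressBytesTransferred)
}
```

The counter delta is the quickest way to tell which direction is broken: if egress on the Azure side increases during the psping run but ingress does not, replies from VM1 never reach the gateway (or the ASA never forwards them), and the capture from step 4 plus the ASA's own logs for the same window narrow it down from there.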
