Allow remote VPN clients connecting to on-premises to access the Azure cloud server.

I am assigned to configure a VPN that will interconnect my on-premises Cisco ASA and Azure cloud servers with a site-to-site VPN, which I have achieved. Secondly, on the Azure cloud server, to only allow my premises public IP network from IIS, which is working fine.

My challenge is how to allow those connecting remotely using the Cisco VPN point-to-site client to connect to my premises network and then access our Azure cloud server.

Your support is highly appreciated.

Thank you.

John, Business Consultant (Owner), commented:
You need to provide Static IP for site to site VPN to work properly. Where you have dynamic IP addressing (that is, not-Static), look at the services provided by DynDNS to provide the appearance of Static IP to the VPN setup.
If your dynamic VPN uses a different IP pool from your main site, then you need to add the IP pool to the tunnel settings for the Azure connection (at both your premises and on the Azure side).
Michael Ortega, Sales & Systems Engineer, commented:
Once you configure the site to site from the ASA to Azure you need to basically configure a hub & spoke VPN design to allow your mobile VPN user through the ASA to Azure.

Assuming that your mobile VPN users are assigned via the IP local pool on a unique subnet, you'll need to configure a 'no-nat' statement on the Azure side to permit the Azure network to the mobile VPN users network and an ACL as well. You'll also need to configure, within the same ACL grouping, an ACL on the ASA to allow the mobile VPN network to connect to the Azure network. Because the source traffic (Mobile VPN network) is entering and exiting on the same interface on your ASA (presumably the 'outside' interface) you'll need to setup:

same-security-traffic permit intra-interface

You do not need a separate 'no-nat' statement on the ASA between the mobile VPN subnet and the Azure subnet.
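As an added example (not from the original thread or from either expert), here is what the pieces Michael describes look like on an ASA running 9.x. All subnets, object names, the crypto map name and sequence number are assumptions for illustration: 10.1.0.0/16 is the on-premises LAN, 10.99.0.0/24 the remote-access client pool, and 10.200.0.0/16 the Azure virtual network.

```text
! Assumed addressing (constructed for this example):
!   10.1.0.0/16   on-premises LAN behind the ASA 'inside' interface
!   10.99.0.0/24  ip local pool handed to remote-access VPN clients
!   10.200.0.0/16 Azure virtual network reached over the site-to-site tunnel
object network ON-PREM-LAN
 subnet 10.1.0.0 255.255.0.0
object network RA-VPN-POOL
 subnet 10.99.0.0 255.255.255.0
object network AZURE-VNET
 subnet 10.200.0.0 255.255.0.0

! Remote-access clients enter and leave on 'outside' (hairpin), so permit it
same-security-traffic permit intra-interface

! Crypto ACL for the Azure tunnel: the client pool becomes a second
! "interesting traffic" entry alongside the on-premises LAN
access-list AZURE-S2S-ACL extended permit ip object ON-PREM-LAN object AZURE-VNET
access-list AZURE-S2S-ACL extended permit ip object RA-VPN-POOL object AZURE-VNET
crypto map OUTSIDE-MAP 10 match address AZURE-S2S-ACL

! Identity NAT for the LAN. The pool entry is only needed if an
! (outside,outside) dynamic PAT for the pool also exists (for example so
! full-tunnel clients can browse the internet); otherwise it is redundant,
! as the post above says
nat (inside,outside) source static ON-PREM-LAN ON-PREM-LAN destination static AZURE-VNET AZURE-VNET no-proxy-arp route-lookup
nat (outside,outside) source static RA-VPN-POOL RA-VPN-POOL destination static AZURE-VNET AZURE-VNET

! Split tunnel: include the Azure VNet so clients send it into the VPN
access-list RA-SPLIT standard permit 10.1.0.0 255.255.0.0
access-list RA-SPLIT standard permit 10.200.0.0 255.255.0.0
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT

! Verify: a pool -> Azure packet should show a VPN encrypt phase, not a PAT
! packet-tracer input outside tcp 10.99.0.10 12345 10.200.0.10 443
```

On the Azure side the 10.99.0.0/24 pool prefix must also be present in the address space configured for the on-premises site (the Local Network Gateway), or Azure will not route return traffic into the tunnel.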

Atouray (Author) commented:
My issue is not about dynamic IP. The issue I am facing is how to access the Azure cloud server by connecting to the on-premises network remotely using the Cisco VPN client, knowing that only my on-premises public IP is allowed on the cloud.

So you want to hairpin the VPN traffic to go back out the outside interface?

What version is your ASA running?

Here are configuration examples for 9.x:
Michael Ortega, Sales & Systems Engineer, commented:

Please see my post. That should allow you to do what you need.
