Allow remote VPN client connecting to on premises to access Azure cloud server.

Atouray used Ask the Experts™
I am assigned to configure a VPN that will interconnect both my premises Cisco ASA and Azure cloud series with a site-to-site VPN, which I have achieved. Secondly, on the Azure cloud server, to only allow my premises public IP network from IIS, which is working fine.

My challenge is how to allow those connected remotely using the Cisco VPN point-to-site client to connect to my premises network and then access our Azure cloud server.

Your support is highly appreciated

Thank you.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

You need to provide Static IP for site to site VPN to work properly. Where you have dynamic IP addressing (that is, not-Static), look at the services provided by DynDNS to provide the appearance of Static IP to the VPN setup.
If your dynamic VPN uses a different IP pool from your main site, then you need to add the IP pool to the tunnel settings for the Azure connection (at both your premises and on the Azure side).
Sales & Systems Engineer
Once you configure the site to site from the ASA to Azure you need to basically configure a hub & spoke VPN design to allow your mobile VPN user through the ASA to Azure.

Assuming that your mobile VPN users are assigned via the IP local pool on a unique subnet, you'll need to configure a 'no-nat' statement on the Azure side to permit the Azure network to the mobile VPN users network and an ACL as well. You'll also need to configure, within the same ACL grouping, an ACL on the ASA to allow the mobile VPN network to connect to the Azure network. Because the source traffic (Mobile VPN network) is entering and exiting on the same interface on your ASA (presumably the 'outside' interface) you'll need to set up:

same-security-traffic permit intra-interface

You do not need a separate 'no-nat' statement on the ASA between the mobile VPN subnet and the Azure subnet.
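
The hub-and-spoke setup described in the answer above, sketched as an ASA 9.x configuration fragment. This is an added example, not configuration posted by anyone in the thread; the object names, pool name, crypto map name and sequence number, and all subnets are constructed placeholders.

```cisco
! Added example. All names and addresses below are constructed placeholders.
! On-premises LAN, remote-access (mobile) VPN pool, and Azure virtual network
object network OBJ-ONPREM-LAN
 subnet 10.10.0.0 255.255.0.0
object network OBJ-RA-POOL
 subnet 10.99.0.0 255.255.255.0
object network OBJ-AZURE-VNET
 subnet 10.20.0.0 255.255.0.0
!
! Mobile VPN users get addresses from a unique subnet
ip local pool RA-POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
!
! Crypto ACL for the Azure tunnel: keep the existing LAN entry and add the pool
access-list AZURE-CRYPTO extended permit ip object OBJ-ONPREM-LAN object OBJ-AZURE-VNET
access-list AZURE-CRYPTO extended permit ip object OBJ-RA-POOL object OBJ-AZURE-VNET
crypto map OUTSIDE-MAP 10 match address AZURE-CRYPTO
!
! Pool traffic enters and leaves on the same (outside) interface
same-security-traffic permit intra-interface
!
! No pool-to-Azure NAT exemption is added on the ASA, per the answer above.
! On the Azure side, add 10.99.0.0/24 to the tunnel settings as well.
!
! Check after a client connects and sends traffic to Azure:
!   show crypto ipsec sa
! and look for an SA whose local ident is 10.99.0.0/255.255.255.0.
```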



My issue is not about dynamic IP. The issue I am facing is how to access the Azure cloud server by connecting to the on-premises network remotely using the Cisco VPN client, knowing that only my on-premises public IP is allowed on the cloud.
So you want to hairpin the VPN traffic to go back out the outside interface?

What version is your ASA running?

Here are configuration examples for 9.x:
Michael Ortega, Sales & Systems Engineer


Please see my post. That should allow you to do what you need.

