We are looking to setup a Site to Site VPN connection between our internal data center and Azure. We use a CISCO ASA firewall but unfortunately it is behind a NAT. One of the requirements for Azure is that the public facing IP address is not behind a NAT.
There doesn't seem to be interest on our side to change our network topology and was wondering if anyone had any creative solutions to make it work? Couldn't find any creative workarounds on Google or on SO.
The VPN connection appears to be made in the Azure Portal but the connection doesn't work between on prem and Azure VM's. I'd post an image of the Azure Portal showing the connection being made but apparently I don't have enough of a repuptation to post images...
Creative ideas?
Your only choice would be to utilise a Point-to-Site VPN where a device behind your NAT does the termination. https://azure.microsoft.com/documentation/articles/vpn-gateway-point-to-site-create/
You'll be restricted in terms of what you can do with this VPN as it's designed primiarily as a server-to-Azure VPN solution.
There are a few posts floating about around getting VPN working via a NAT'd interface but your mileage may vary in that case and you'll be running an unsupported setup.
Related
We were trying to get rid of all our IP whitelisting and avoid using it as much as possible. The main 2 reasons for this were to make everything more secure and also simplify it. Instead of asking for the clients IP-address (that would change over time) and modifying it all the time we wanted use a P2S VPN to avoid whitelisting. And deciding with the AAD VPN who could use the VPN and who couldn’t was also a nice way to give people permission to make use of the P2S VPN.
We successfully added a Private Endpoint to the SQL Server were users can connect to the SQL Server while using SSMS trough the P2S VPN. But the options seems to be not available for the Azure Analysis Services. Is there another a way to give the AAS a private IP-address or a workaround to avoid whitelisting as much as possible?
I’ve talked about this with a AAS Support Engineer, I got told that currently in 2020 either to add the Azure Analysis Services to a VNET so the P2S VPN can connect to it or connecting the Azure Analysis Services to a Private Endpoint isn’t possible. I understood that there is no other option than whitelisting the clients in the AAS Firewall.
Hopefully this answer helps someone in a similar situation.
I have configured Azure P2S IKEv2 VPN and downloaded the VPN client (in machine it shows as PPP adapter) into 2 machines, one each in different countries. Say our IP addresses are 170.10.10.121 & 170.10.10.122 . From here on we'll call the site with .121 machine as site A.
My machine(.122) would like to use (.121) as a gateway, so that I could browse the internet in my computer using site A's public IP address. Is this possible or have I got this terribly wrong?
My end goal is that, we have multiple sites(B,C,D) that'd like to use the internal network as well as access public internet using site A. This site has dynamic IP address for public internet and port forwarding is not an option as ISP is non cooperative.
As shown in the below picture, machines PC-B-1,C-1,D-1 are trying to use the PC-A-1 as a gateway to access the internet through Site A.
Thanks.
what you need to do is installing the P2S on all PCs in all sites and setup a FW/NVA in Azure and route the traffic through that one or setup S2S from all sites to Azure and route the traffic to a FW/NVA in Azure. Basically you will need a NVA/FW in Azure to get the same IP for all computers. You cant use a P2S as a gateway.
Prefered solution is to setup S2S VPN with NVA to get the same IP.
So this is the setup I am using as a work around.
Since setting up a S2S is not an option for lack of infrastructure and lack of time,
As given in the question, I installed P2S VPN agents in all the machines that is involved, from the machine whose internet we wanted (in site A) to be used by others, to all the other machines (in B,C,D). Now that all the machines are in Azure Vnet, I installed WinGate application at Site A machine and activated proxy.
Then I configured proxy on the rest of the machines in sites B,C and D to proxy through the machine in Site A using its Azure Vnet ip address.
Machines involved are all Windows 10.
This might not be the best solution, but given the extraordinary list of limitations definitely this was the quickest and easiest.
Let's see if we can get better and quicker solutions for the same :)
Meanwhile thanks for all the suggestions :)
I received a call from a business owner. One of his services will only license and whitelist one public IP well he has three locations. When I got involved they were trying to spin up an OpenVPN appliance and have site to site vpns to the remote locations. Well the remote locations have Fortigate firewalls and this will not work I believe with the SSL VPN of OpenVPN.
I would like to recommend something with Azure or AWS but I am unclear on the best VPN setup with Azure. Essentially he will need all remote sites exiting to the internet through Azure.
Late last night tried to test with AWS VPC and a VPN back to the fortigate. Client later expressed he would rather not use AWS.
Also recommended this https://forum.fortinet.com/m/tm.aspx?m=148626&p=
but he did not want to bottlekneck one of his locations
All sites exiting Azure out of one IP address
If you have 3 sites in Azure, you can make all 3 sites exiting Azure with one VPN gateway IP for the same destination.
You need to configure VNET to VNET peering and enable Gateway Transit to make it work. Can you also elaborate your ask here with a Network Diagram ?
We have a client who wants to connect their premises to Azure. Their main hindrance at this point is determining the best way to connect to Azure given their current connectivity configuration. They have two redundant ISP connections going to the head office for internet access. They want to be able to configure a VPN connection to Azure that would operate in a similar way i.e. if ISP A went down it would seamlessly use ISP B and vice versa. The normal multi-site VPN configuration does not fit this since there is one local network behind which means the network behind separate VPNs over each ISP would have overlapping IP address ranges which is not supported. Is such a configuration possible? (See diagram below)
Either that or is there a way to abstract the two ISP connections onto one VPN connection to Azure.
They’re currently considering using a Cisco ASA device to help with this. I’m not familiar with the features of this device so I cannot verify if it will solve their issue. I know there is also a Cisco ASAv appliance in the Azure marketplace don't know if that could also be a part of a possible solution if they went with such a device.
required vpn configuration
The Site-to-Site VPN capability in Azure does not allow for automatic failover between ISPs.
What you could do are the following
- Have automation task created that would re-create the local network and gateway connection upon failover. Manual and would take some RTO to get it up and running
- Use the Cisco CSRs to create a DMVPN mesh. You should be able to achieve the configuration you want using that option. You would use UDRs in Azure to ensure proper routing
I havent done it in Azure, but here is what you do in AWS (And I am sure there would be parallel in Azure)
Configure a "detached VGW" (virtual Private gateway) in aws. Use DMVPN cloud to connect CSRs to multi-site on-prem.
Also, for failover between ISPs you could have a look at DNS load balancing via a parallel to AWS's Route 53 in Azure.
Reference thread :
https://serverfault.com/questions/872700/vpc-transit-difference-between-detached-vgw-and-direct-ipsec-connection-csr100
On Azure, http://azure.microsoft.com/en-us/documentation/articles/virtual-networks-create-site-to-site-cross-premises-connectivity/
the following is stated in relation to site to site connectivity.
A VPN device with a public IPv4 address. You'll need the IP address in
order to complete the wizard.
The VPN device cannot be located behind a network address translator
(NAT) and must meet the minimum device standards.
I'm assuming this is accurate, but could anyone confirm? it seems very limiting, since my peer vpn device can support NAT-T. Does the Azure VPN g/w device support IPsec NAT-T?
Is the same restriction applicable to point to site, where my peer is the point and I want to connect/be connected to by the Azure VPN gateway device with VNet behind the Azure VPN g/w device.
thank you.
I don't see to be limiting at all. And yes, this is the case. It is on the official documentation before all.
When talk about Point-to-Site, I believe you missunderstand the service a bit. Azure Point-to-Site connectivity allows a single computer or laptop (named Point) to connect to Azure VPN Gateway (Site). In that case, the client only has to be connected to the internet.
When you connect to Azure VPN Gateway, you will be part of the whole Azure Virtual Network that Gateway connects.
To tell you the truth I am not sure that the Azure VPN gateway device supports IPSec NAT of any kind at all, whether Point-to-Site or Site-to-Site. Below are my findings. My best lead so far is finding #4.
In all my research over the past week, it seems like it’s presently impossible to achieve this with Azure. See https://social.msdn.microsoft.com/Forums/en-US/19eb5ac0-5fb1-4afa-8081-5afc32cb04fd/is-nat-supported-within-an-ipsec-vpn-connection?forum=WAVirtualMachinesVirtualNetwork. According to this, “At the moment there cannot be a IPSec VPN connection established when either of the devices involve NAT. . .you cannot have an on premise VPN device behind a NAT and this cannot be applied on a VNet gateway since customers will not have access to configuring such rules for a VPN gateway.” That was April 2017.
In fact, in February 2017, Microsoft seemed to discard any chances we have of applying NAT over VPN. On their feedback forum at https://feedback.azure.com/forums/217313-networking/suggestions/5525129-please-make-site-to-site-vpn-avaiable-for-devices, an Azure Networking Team member declines the possibility of Site-to-Site VPN for devices behind a NAT. So Site-to-Site is not expected, which is where it makes the most sense because it would help resolve common subnet overlap issues between a cloud virtual network and an on-premises hardware network. I'm not so sure how NAT over VPN would benefit a Point-to-Site situation (what's the application?)
Then, contradictorily as of December 2017 (later that year), Microsoft seems to announce they’re just now in the planning stages to implement this for Azure (see https://feedback.azure.com/forums/217313-networking/suggestions/15488244-offer-nat-as-a-service).
Only on http://nullsession.com/2015/02/02/connecting-to-your-azure-site-to-site-vpn-over-nat/, I found a method from 2017 that is, “unsupported by Microsoft – but works according to RFC.” I’m still processing this but I’m not convinced I should try it because it’s unsupported.
Let me know what you think because I am personally trying to get a satisfactory solution for this too.