We are attempting to move our domain controller to the cloud to facilitate a distributed network. The crux of the problem we're having is that I am unable to send network traffic through the VPN to the VNet and VM domain controller I've created there.

The setup is as follows:

- Main Office: SonicWALL NSA 220
- Branch Office 1: SonicWALL TZ105
- Branch Office 2: SonicWALL TZ105
- Azure: VNet with Site-to-Site networking enabled, VM residing within a subnet within the VNet

I've manually configured the VNet gateway to create the VPN connections to all three locations and have confirmed that the VPNs are live and operational and appear to be functioning correctly.

The VNet was created with a "dynamic" routing gateway, per SonicWALL documentation. The SonicWALLs are configured with "tunneled" VPNs and static routes created from each office to the VM subnet. I have not created any outgoing NAT translation rules because I am operating under the assumption that the VNet gateway performs that function. I've enabled incoming translation rules.

I've created the Windows 2012 R2 virtual machine and configured it as a domain controller. I disabled Windows Firewall (by turning it off in the control panel) and intend to install McAfee SaaS (but will not do so until I have everything working as intended). As of right now, the virtual machine can ping hosts on all three office networks (main office, branch office 1, and branch office 2); however, the VM cannot be pinged from outside the subnet in Azure.

The Azure configuration looks like this:

Address Space: 192.168.0.0/21
Subnet 1: 192.168.1.0/16
Gateway: 192.168.0.0/29

Local Network 1: 192.168.10.0/16
Local Network 2: 192.168.11.0/16
Local Network 3: 192.168.12.0/16

Routing configuration is as follows:

Source: [Local Subnet]
Destination: [Azure Subnet 1]
Type: All
Interface: VPN Tunnel

The Virtual Machine resides on Subnet 1 with a static IP address (e.g., 192.168.1.4) configured through Windows Azure Powershell.

Ping from the VM to our local networks works fine. Ping from our local networks to the VNet/VM does not work.

I have a feeling that the problem lies in NAT translation. I looked but was completely unable to find any documentation, discussion, information, or resources addressing how the Azure VNet gateway translates incoming and outgoing traffic. I've tried adding translation rules for incoming traffic from Azure to our local network to no avail.

Any ideas? I am not very familiar with network troubleshooting tools so if a response asks for creation of a log or use of any such tools please provide some detail as to how to do it.

Thanks,

Adam

1 Answer

With further troubleshooting I was able to solve the issue and I can now ping all systems from Azure to Local Network and from Local Network to Azure. The problem was with a default NAT rule on the SonicWALL which provided for use of our public IP address for all traffic originating inside our corporate network unless a more specific rule otherwise applies.

To solve the problem I added the following NAT rule:

Source: Original - Local Subnet; Translated - Original
Destination: Original - Azure Subnet; Translated - Original
Service: Original - Any; Translated - Original
Interface: Inbound - Any; Outbound - Any

This rule corrected the scenario we were experiencing where our firewall was translating all traffic being sent to Azure as our public IP address which, obviously, would create a problem.
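To show why the no-NAT rule above fixes the symptom, here is an added Python example (not the answerer's configuration and not SonicWALL's policy engine): a minimal first-match NAT evaluator over constructed /24 versions of the question's ranges, with the documentation address 203.0.113.10 standing in for the office public IP. It assumes policies are evaluated top-down, first match wins, and that Azure only routes return traffic to addresses inside a declared "Local Network" range.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample prefixes: the question lists the office and Azure ranges
# with /16 masks, which would overlap; /24 is used here so they stay distinct.
OFFICE_SUBNET = ipaddress.ip_network("192.168.10.0/24")
AZURE_SUBNET = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")  # stand-in for the office WAN address


@dataclass
class NatRule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    translated_src: Optional[ipaddress.IPv4Address]  # None means "Original" (no NAT)


# The default outbound rule described in the answer, and the no-NAT rule it added.
DEFAULT_RULE = NatRule("default outbound NAT", OFFICE_SUBNET, ANY, PUBLIC_IP)
NO_NAT_RULE = NatRule("no-NAT to Azure", OFFICE_SUBNET, AZURE_SUBNET, None)


def apply_nat(rules, src, dst):
    """Return (translated source, rule name) for the first rule matching src/dst.
    Assumed first-match semantics: a specific rule must sit above the default."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return (rule.translated_src if rule.translated_src is not None else src), rule.name
    return src, "no rule"


def routable_back_from_azure(translated_src, local_networks):
    """The VNet gateway only knows the 'Local Network' prefixes from the question;
    a source address outside them has no return route, so the ping reply is lost."""
    return any(translated_src in net for net in local_networks)


def simulate(rules):
    src = ipaddress.ip_address("192.168.10.25")  # constructed office host
    dst = ipaddress.ip_address("192.168.1.4")    # the VM's static address from the question
    translated, rule = apply_nat(rules, src, dst)
    return str(translated), rule, routable_back_from_azure(translated, [OFFICE_SUBNET])


if __name__ == "__main__":
    print("default rule only:     ", simulate([DEFAULT_RULE]))
    print("no-NAT above default:  ", simulate([NO_NAT_RULE, DEFAULT_RULE]))
    print("no-NAT below default:  ", simulate([DEFAULT_RULE, NO_NAT_RULE]))
```

The third case shows the ordering caveat: placing the more specific rule after the catch-all leaves the source translated, so a no-NAT policy that appears to be configured correctly can still do nothing.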