Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,258 questions
Unable to access P2S VPN resources after disabling SNAT in Azure Firewall
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 21%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIM%3C/text%3E%3C/svg%3E)
Ijaz Muhammad
61
Reputation points
I have configured Point-to-site VPN connection. I configured the network in HUB and Spoke architecture, and Hub and Spoke is peered .
Also, I have disabled SNAT in Azure Firewall. When it was enabled, we didnt face any issues. We disabled SNAT to preserve the source IP.
In Hub, I have Azure firewall. So my question is that when I connect VM to the Spoke Vnet I couldn't take SSH to that VM, but I have ping and telnet to the SSH port of this VM. I have configured the Azure Route table (Propagate gateway routes: YES).
Upon checking firewall logs, it shows that traffic is allowed.
Could you explain why I couldn't connect to spoke Vnet resources over ssh, when I disabled SNAT?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee2024-06-07T16:24:14.0933333+00:00 Thank you for reaching out.
As documented here By default Azure Firewall doesn't SNAT when the destination IP address is a private IP range
In order to help troubleshoot the issue
- Can you share more information on SNAT behavior set-up?
- It is not clear from your question above, is the ping and telnet to the SSH port of this VM working successfully? If yes, then this will remove the chance of any routing issue.
- Perform a packet capture on your spoke VM and validate if you are receiving the SSH traffic.
Thanks
Sign in to comment