Having issue routing return traffic from Azure Firewall to ASAv address pool

David Beitler (A) 1 Reputation point
2021-05-14T14:32:37.323+00:00

We have a configuration where the Azure Firewall is our main firewall. All traffic passes through it on its way somewhere else. We have also installed a Cisco ASAv HA solution for a particular VPN need.

Internet -> ASA vpn -> Azure Firewall -> various servers -> and then back again

The routing is working, up to a point. But the return path stops at the Azure Firewall, as if it did not know what to do with it. This can be corrected by adding a route in the Az firewall that points to the inside IP of the primary ASA. But this breaks HA.

The inside interface of the ASA is on a subnet that includes the address pool, so I'm not sure why the firewall cannot determine a path back to it.
And the problem is specifically in regards to the ASA address pool that clients use to get an address. The ASAs have no issues currently getting to where they need to go.

Looking for any hints or ideas on how to make this work. Or something that would provide the same function.


1 answer

  1. David Beitler (A) 1 Reputation point
    2021-05-18T18:55:57.767+00:00

    Ok. I answered my own question. Since all the directions seem to presume a simple environment, I realized that what it needed to do was add a route to the route table for the Azure firewall, so it knows how to get back to the active unit. In particular, where to get back to the client address pool addresses. The rest of the route table mangling appears unnecessary.

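The fix the answer describes, written out as an added Bicep example (not from the original post or from Microsoft/Cisco documentation): a route table on AzureFirewallSubnet that sends the ASA's VPN client pool back to the inside address of the active ASAv. The VNet name, the client pool 10.99.0.0/24 and the ASAv inside IP 10.10.2.4 are constructed placeholders, and the 0.0.0.0/0 to Internet route assumes the firewall is not forced-tunneled.

```bicep
// Added example, not the poster's configuration. Placeholder values are
// marked "constructed"; substitute the real prefixes for your deployment.
param location string = resourceGroup().location
param vnetName string                         // VNet that holds AzureFirewallSubnet
param firewallSubnetPrefix string             // existing AzureFirewallSubnet prefix
param vpnClientPool string = '10.99.0.0/24'   // ASAv remote-access address pool (constructed)
param activeAsaInsideIp string = '10.10.2.4'  // inside IP of the active ASAv (constructed)

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: vnetName
}

// The client pool is not a VNet subnet, so no system route covers it; the
// firewall only learns the return path from an explicit user-defined route.
resource fwRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-azfw-return'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'to-asa-vpn-client-pool'
        properties: {
          addressPrefix: vpnClientPool
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: activeAsaInsideIp
        }
      }
      {
        // Keeps the firewall's own Internet path intact (assumed: no forced tunneling).
        name: 'default-internet'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'Internet'
        }
      }
    ]
  }
}

// Attach the table to the firewall subnet; the subnet name is fixed by Azure.
// This PUT rewrites the subnet's properties, so restate anything else it carries.
resource firewallSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  parent: vnet
  name: 'AzureFirewallSubnet'
  properties: {
    addressPrefix: firewallSubnetPrefix
    routeTable: {
      id: fwRouteTable.id
    }
  }
}
```

With an HA pair, nextHopIpAddress must follow the active unit: whatever rewrites the route on failover needs write access to this route table, or the return path breaks exactly as the question describes.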
