VPN clients cannot get out to the internet

Solved
KitCheng
Here to help


Hello All,

We have a hybrid network, on prem and Azure connected with a site-to-site VPN. Both sides are an MX100, of course the vMX100 on the Azure side.

We have had VPN clients connecting to the on prem MX100 for a few years now and everything works fine. They can access the network resources and get to the internet. They can even connect to the on prem MX100 and access resources in Azure.

Recently, we have set up a vMX100 as the gateway in Azure. We are now trying to switch VPN users to hit the vMX100 instead of the on prem one. All (except for 2 DCs) of our resources have been moved to Azure so we want users to go to Azure first and remove the on prem as a critical path to the production resources. However, when we connect to the vMX100, we can access all network resources, even get all the way back to the on prem resources, but cannot get out to the internet.

I've matched the VPN settings on the vMX100 and the MX100. All the routes and network security group look right. I'm lost. Any help is greatly appreciated.

Thanks

Kit

1 Accepted Solution
PhilipDAth
Kind of a big deal

Azure does not allow remote subnets to use its Internet connection for outbound connections. Azure blocks this.

KitCheng
Here to help

Hello PhilipDAth,

Thanks for your reply. I believe you and it actually makes sense, but can you point me to any Microsoft document or article that talks about this? It will help me in presenting and explaining to the group when I tell them it can't be done.

Thanks

Kit
