Opening Port on Router

jsf
Level 1

Hello,

Product: ASA5508-X, software version 9.7(1)4, Firepower version 2.1 (1.66), device manager version 7.7(1)151 with ASDM version 7.7(1)151.

Setup: Ran the Startup Wizard using the ASDM. IP from our provider is dynamic (outside). Inside range 172.16.2.0 / 255.255.255.0.

I will preface my question with the following facts: I am very new to the Cisco family of products. I have searched and tried examples on how to resolve the challenge I am facing, with mixed results. I am currently using the ASDM for configuration, but I am familiarizing myself with the command language.

I use Azure storage accounts, which use the SMB 3.0 protocol on TCP port 445. And I cannot access them from behind the ASA.

The examples I tried had me add a NAT rule and an Access rule. In some cases, I lost internet access after applying the changes, or the changes did not allow me to access the storage account. So, I brought everything back to post-setup-wizard…

-=-=-=-

My list of Access Rules:

Inside
Source: any, User any, Security group any, Destination any less secure outside any, Service IP, Action Permit.

Outside
Source: any, User any, Security group any, Destination any less secure outside any, Service IP, Action Deny.

My list of NAT Rules:

Source Interface any, NAT (Rule 1) outside, Source obj_any, Destination any, Source outside (P), Destination Original, Service Original

Source Interface inside, NAT (Rule 1) outside, Source any, Destination any, Source outside (P), Destination Original, Service Original

-=-=-=-=-

Where do I go from here? I want everyone on the inside to be able to access the SMB service on the outside using TCP port 445.

Thank you.

Joe.


Dennis Mink
VIP Alumni

Can you send the config of your ASA? Typically from inside to outside you wouldn't need an ACL, but you would need NAT overload. Have you got internet access at all from inside?


Hi Dennis,

I have internet access from inside; at least there have been no problems there.

Below is my config:

Result of the command: "show running-config"

: Saved

: 
: Serial Number: <snip />
: Hardware:   ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.7(1)4 
!
hostname <snip />-asa
domain-name <snip />.org
enable password <snip />
names

!
interface GigabitEthernet1/1
 description Main outside interface
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 172.16.2.1 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name <snip />.org
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object service SMB30
 service tcp source eq 445 destination eq 445 
 description SMB30
object-group service Microsoft tcp
 description Microsoft Specific Services
 port-object eq 445
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
 nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
http server enable
http 172.16.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint_SelfSigned
 enrollment self
 fqdn vpn.<snip />.org
 subject-name CN=vpn.<snip />.org
 keypair SSL-<snip />-KEYPAIR
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint_SelfSigned
 <snip />
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 8.8.8.8 8.8.4.4
dhcpd domain <snip />.org
!
dhcpd address 172.16.2.100-172.16.2.254 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint_SelfSigned outside
webvpn
 enable outside
 cache
  disable
 error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
username <snip /> password <snip />
tunnel-group <snip />.org type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:<snip />
: end

Config looks pretty clean to me; here's what I would do:
- replace that "too broad/general" NAT config

object network obj_any
 nat (any,outside) dynamic interface

with

object network obj-lan
 subnet 172.16.2.0 255.255.255.0
nat (inside,outside) source dynamic obj-lan interface

I always like to have tight control over access or NAT policies. This is just a config "improvement".

Next, assuming Azure sits "outside" your ASA, I would run a packet-tracer command and post the results here:

packet-tracer input inside tcp 172.16.2.10 5555 AZURE_public_IP 445 detailed

Hi Florin,

Thank you for the config advice. It will be applied once I get the port issue resolved. Below is the result of the requested test:
Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad774bba0, priority=1, domain=permit, deny=false
	hits=2883186, user_data=0x0, cs_id=0x0, l3_type=0x8
	src mac=0000.0000.0000, mask=0000.0000.0000
	dst mac=0000.0000.0000, mask=0100.0000.0000
	input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <snip /> using egress ifc  outside

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network obj_any
 nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 172.16.2.10/5555 to <snip />/5555
 Forward Flow based lookup yields rule:
 in  id=0x2aaad7e3e080, priority=6, domain=nat, deny=false
	hits=382769, user_data=0x2aaad77809b0, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad69ae3d0, priority=0, domain=nat-per-session, deny=false
	hits=76363, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad7754740, priority=0, domain=inspect-ip-options, deny=true
	hits=388040, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x2aaad805a2a0, priority=6, domain=nat-reverse, deny=false
	hits=373191, user_data=0x2aaad7783950, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=inside, output_ifc=outside

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x2aaad69ae3d0, priority=0, domain=nat-per-session, deny=false
	hits=76365, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x2aaad76d1870, priority=0, domain=inspect-ip-options, deny=true
	hits=365024, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 380588, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
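As an added example (not part of this thread), a small Python parser for packet-tracer output in the format shown above: it lists each phase's result and the summary action and flags the first DROP phase, so a trace ending in "Action: allow" like the one Joe posted reads as "the ASA passes this flow, look upstream". Both sample traces are constructed; the denying ACL name in the second one is hypothetical.

```python
import re
# Constructed sample, condensed from the packet-tracer output posted above.
TRACE_ALLOW = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW

Phase: 3
Type: NAT
Result: ALLOW
Config:
object network obj_any
 nat (any,outside) dynamic interface

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Constructed trace of the failure mode the ASA itself would report if an ACL on
# the inside interface denied TCP/445 (hypothetical ACL name inside_access_in).
TRACE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-list inside_access_in extended deny tcp any any eq 445

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (\S+)\n(?:Subtype:.*\n)?Result: (\w+)", re.M)

def parse_phases(trace):
    # [(phase_no, type, result), ...] in trace order
    return [(int(n), t, r) for n, t, r in PHASE_RE.findall(trace)]

def final_action(trace):
    # summary Action line (allow/drop), or None if the trace is truncated
    m = re.search(r"^Action: (\w+)", trace, re.M)
    return m.group(1) if m else None

def first_drop(trace):
    # (phase_no, type) of the first DROP phase; None means the ASA passes the
    # flow and the investigation moves upstream (ISP filtering, Azure side)
    return next(((n, t) for n, t, r in parse_phases(trace) if r == "DROP"), None)
```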

Turns out my ISP was randomly filtering ports ...

So, as it stands, everything is resolved. Thanks for everyone's patience and help.