How to Setup a VPN Connection between CISCO ASA and AWS VPN?
- Published on 12 Sep 2024
- In this tutorial you will learn how to properly set up an IPsec VPN connection between your Cisco ASA and the AWS VPN endpoints. Extend or migrate your office/datacenter in a matter of just a few minutes!
Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. It provides proactive threat defense that stops attacks before they spread through the network.
AWS Virtual Private Network solutions establish secure connections between your on-premises networks, remote offices, client devices, and the AWS global network. AWS VPN consists of two services: AWS Site-to-Site VPN and AWS Client VPN. Each service provides a highly available, managed, and elastic cloud VPN solution to protect your network traffic.
#VPN #AWSVPN #CISCOASA
Very good tutorial. The best I've watched so far. Thanks. Please do more videos on VPNs.
Thanks, will do!
Thanks a lot for sharing the post!
Thanks and welcome
Hello, Thank you for this.
I created a VPN connection with an on-premises device and the tunnel is up, but when I ping the server on the on-premises device from my EC2 instance, I don't get any response. Can you assist?
Thanks for the feedback. Please share the error code.
Hello. AWS sets an inside IP address for the VTI by default, I'm assuming; will this configuration still work?
Refer to these links: docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html
docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html
What if there is a second subnet 10.0.0.0/16 behind the AWS GW? How do I create the ACL?
Yes we can do that.
So where do you get your IP address for the AWS gateway?
Follow the steps, you will get IP in the process.
Thank you for this.
Please would the same step work if my ASA is in multi-context mode?
Yes it will work.
@CloudGurus thanks for replying
If there is slowness in traffic via S2S between the ASA and AWS, what might be the possible cause and steps to troubleshoot? Good bandwidth, MTU 1500, MSS 1380 set.
Refer to this link: blog.apnic.net/2014/12/15/ip-mtu-and-tcp-mss-missmatch-an-evil-for-network-performance/
Great Job, how do we test the failover? Just disable tunnel 1 on AWS?
Yes correct
When testing failover, the ASA shows "Duplicate entry already in Tunnel Manager". Any suggestions on how to make the backup tunnel function correctly? @CloudGurus
Very nice video!
I have set up the same scenario but I cannot get traffic to go from one lan to the other.
Any ideas on how I can troubleshoot this?
Thanks
Please share the error logs/code.
@CloudGurus I am not really getting any errors. It's just that I cannot get traffic to go through the tunnel. I have a server inside my VPC and cannot access it from the ASA's LAN, and vice versa.
@CloudGurus I have noticed that the remote LAN does not show under my route table, but others do (I am currently connected via VPN to the ASA and it shows my IP as a route, but not the AWS VPC).
Nice work but I noticed at the end of your config you changed your NAT exemption to nat (inside) 0 access-list acl-amzn for the older version. I was able to get a tunnel going but not able to get to hit anything yet on the other subnets. My NAT was the first one but it fails on the last line:
ERROR: % Invalid input detected at '^' marker - which seems to be at ob^j-amzn obj-amzn on the last part of that line. Not sure why it fails since it does create the network objects with their respective subnets so they are there. Any thoughts?
Will check and get back to you.
@CloudGurus Thanks... let me know what you find out. Still trying to troubleshoot connectivity between subnets... currently I get a:
access-list amzn-filter denied tcp for user '' MySubnet/My-External-ASA-IP(62515) -> Outside/10.10.100.9(3389)
When I try to RDP to the 10.10.x.x network in AWS
Not sure if that relates to the fact that the last nat rule was not applied but nothing I have added to the access list has worked.
@CloudGurus Just to follow up, I think the AWS filter was a problem; after permitting any, the packet tracer checks good to the VPC subnet but I still get no response from the AWS side. Again, I am unable to add that last line, so not sure if that's the issue, since I get no decaps when I do a sh crypto ipsec sa. So I assume AWS is the issue, but it's matched perfectly as yours was. Got the static route for the ASA subnet, the route table looks good with route propagation to the GW, and the security group allows into my EC2.
Is there anything I may be missing or would that Nat rule be required?
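The ASA log lines quoted in this thread (302020/302021 connection messages and the access-list "denied" line) already answer the question of which side drops the traffic. The following added example, which is not from the video or its author, classifies such lines: an ACL denial means the ASA dropped the packet, and a Built message whose gaddr differs from laddr means the NAT exemption did not match, so the packet left with a translated source outside the encryption domain and AWS will never answer it. The sample lines and the VPC subnets are constructed for the example.

```python
import ipaddress
import re

# Constructed sample syslog lines in the shapes quoted in this thread (ASA message
# IDs 302020/302021 and the access-list "denied" line). Addresses are made up.
SAMPLE_LOG = """\
302020 Built outbound ICMP connection for faddr 10.27.1.136/0 gaddr 192.168.1.10/2454 laddr 192.168.1.10/2454 type 8 code 0
302021 Teardown ICMP connection for faddr 10.27.1.136/0 gaddr 192.168.1.10/2454 laddr 192.168.1.10/2454 type 8 code 0
302020 Built outbound ICMP connection for faddr 10.10.100.9/0 gaddr 203.0.113.5/2455 laddr 192.168.1.10/2455 type 8 code 0
access-list amzn-filter denied tcp for user '' MySubnet/192.168.1.10(62515) -> Outside/10.10.100.9(3389)
"""

# Assumed remote (VPC) networks; in practice take them from the crypto ACL.
VPC_NETS = [ipaddress.ip_network(n) for n in ("10.27.1.0/24", "10.10.0.0/16")]

DENIED_RE = re.compile(
    r"access-list (?P<acl>\S+) denied (?P<proto>\S+) for user '[^']*' "
    r"\S+/(?P<src>[\d.]+)\(\d+\) -> \S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)")
CONN_RE = re.compile(
    r"\b(?P<id>30202[01]) (?P<action>Built|Teardown) .*?faddr (?P<faddr>[\d.]+)/\d+ "
    r"gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+")


def in_vpc(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPC_NETS)


def classify(line):
    """Return a short verdict tuple for one syslog line, or None if not relevant."""
    m = DENIED_RE.search(line)
    if m:
        # The ASA itself dropped the packet: fix the interface/VPN filter ACL first.
        return ("acl_denied", m["acl"], m["src"], m["dst"], m["dport"]) if in_vpc(m["dst"]) else None
    m = CONN_RE.search(line)
    if m and in_vpc(m["faddr"]):
        if m["action"] == "Built" and m["gaddr"] != m["laddr"]:
            # Source was translated (gaddr != laddr): the NAT exemption did not match,
            # so the packet leaves with an address outside the encryption domain.
            return ("nat_not_exempt", m["laddr"], m["gaddr"], m["faddr"])
        return ("forwarded" if m["action"] == "Built" else "closed", m["laddr"], m["faddr"])
    return None


def summarize(log):
    """Count verdicts across a log; a healthy tunnel shows only forwarded/closed."""
    counts = {}
    for line in log.splitlines():
        v = classify(line)
        if v:
            counts[v[0]] = counts.get(v[0], 0) + 1
    return counts
```

If the summary shows only "forwarded" entries and `sh crypto ipsec sa` still reports no decaps, the ASA side is clean and the remaining suspects are the AWS route table, the VPN's static routes and the instance security group.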
Is it for the 9.6 OS? I have a 9.6 device but the AWS console now only offers a 9.7 downloadable file.
Yes correct.
OK, I am having a problem with the SLA monitor. I am using an IP that is remotely available through the tunnel on the VPC, 10.27.1.136, but my SLA never shows it is reachable, even though I can generate traffic from behind the ASA and bring the tunnel up.
sh sla monitor operational-state
Entry number: 5
Modification time: 15:17:18.982 PST Fri Jan 6 2023
Number of Octets Used by this Entry: 2056
Number of operations attempted: 30
Number of operations skipped: 30
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 15:22:08.983 PST Fri Jan 6 2023
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0
CORP-DC/pri/act#
6 Jan 06 2023 15:28:48 302020 24.249.x.x 2454 10.27.1.136 0 Built outbound ICMP connection for faddr 10.27.1.136/0 gaddr 24.249.x.x/2454 laddr 24.249.14.253/2454 type 8 code 0
6 Jan 06 2023 15:28:51 302021 10.27.1.136 0 24.249.x.x 2454 Teardown ICMP connection for faddr 10.27.1.136/0 gaddr 24.249.x.x/2454 laddr 24.249.14.253/2454 type 8 code 0
Yes correct.
I followed your video step by step and I can't even get Phase 1 to start. When I run show crypto isakmp sa it returns no IKEv1 SA.
Please share the error code.
@CloudGurus there are no error codes, it's just that phase 1 isn't even attempting to connect. I tried to run some interesting traffic through the tunnel and it fails on phase 11-VPN with a drop due to "configured by ACL". Do you have somewhere offline I could possibly link up with you and discuss? I am completely new to AWS.