Story:
I have Cisco ASA 5515x in the HQ (10.9.1.0/24) connected via site-to-site VPN to office A [10.9.2.0/24 and 10.9.3.0/24].
Challenge:
I need to connect Cisco ASA 5515x to AWS VPN to reach AWS private network (10.9.4.0/24) to end up having the following setup:
AWS private network <–> HQ <–> Office A
where HQ and Office A should be able to reach the private network in AWS and vice versa.
Problem:
Cisco configuration file provided by AWS does not work with the previous scenario. I tried to change the config file to make it work, but the tunnel is still down; only the Office A tunnel is up.
I'm aware that extra config is required on the Office A router and HQ router to connect all networks together, but I still was not able to bring the tunnel up between the ASA and AWS.
What should I do to add site-to-site VPN on existing ASA VPN?
Best Answer
I found the solution to my problem:
Find the name of the inside and outside interface:
Find the current Crypto Map name on your Cisco router by executing this command in privileged mode:
The result shows the name is PNL-MAP and the sequence is 1:
crypto map PNL-MAP 2 match address acl-amzn
crypto map PNL-MAP 2 set pfs group2
crypto map PNL-MAP 2 set peer xx.xx.xx.xx yy.yy.yy.yy
crypto map PNL-MAP 2 set transform-set transform-amzn
crypto map PNL-MAP 2 set security-association lifetime seconds 3600
nat (inside_interface,outside_interface) 2 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
Edit the configuration file to match your AWS VPC network and your local network.
The rest of the configuration file remains the same as in the step one video.
At the end you should be able to ping an AWS instance from your local network and vice versa.
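The point of the answer is that the AWS-generated template must be grafted onto the crypto map the ASA already applies to the outside interface, using a sequence number that does not collide with the existing site-to-site entry, plus a NAT exemption so VPN traffic is not translated. The following Python script is an added example, not code from the poster or from AWS: it parses a constructed ASA config fragment, finds the existing crypto map name and its highest sequence, and emits the AWS entries with the next free sequence number. The names acl-amzn, transform-amzn, obj-SrcNet and obj-amzn are taken from the answer above; the access-list and object network definitions, the interface names inside/outside, the sample peer addresses and the existing entry's contents are assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of an ASA config fragment (not the poster's real device);
# the map name PNL-MAP matches the answer above, the peer and ACL are made up.
EXISTING_CONFIG = """\
crypto map PNL-MAP 1 match address acl-officeA
crypto map PNL-MAP 1 set peer 203.0.113.10
crypto map PNL-MAP 1 set transform-set ESP-AES256-SHA
crypto map PNL-MAP interface outside
"""

# Matches numbered entries only; the "crypto map NAME interface X" binding
# has no sequence and is deliberately skipped.
CRYPTO_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ")


def find_crypto_maps(config):
    """Map each crypto map name to the highest sequence number it uses."""
    seqs = {}
    for line in config.splitlines():
        m = CRYPTO_ENTRY.match(line)
        if m:
            name, seq = m.group(1), int(m.group(2))
            seqs[name] = max(seqs.get(name, 0), seq)
    return seqs


def next_entry(config):
    """Return (map_name, free_sequence) for the single crypto map in use."""
    seqs = find_crypto_maps(config)
    if len(seqs) != 1:
        raise ValueError(f"expected exactly one crypto map, found {sorted(seqs)}")
    (name, highest), = seqs.items()
    return name, highest + 1


def asa_net(net):
    """Render a CIDR network as the 'address mask' pair ASA commands expect."""
    n = ip_network(net, strict=True)
    return f"{n.network_address} {n.netmask}"


def aws_tunnel_config(config, peers, local_net, vpc_net,
                      acl="acl-amzn", transform="transform-amzn",
                      interfaces=("inside", "outside")):
    """Generate the lines that add the AWS tunnel to the existing crypto map.

    The object/ACL definitions and interface names are assumptions; the
    crypto map and nat lines follow the shape given in the answer above.
    """
    if len(peers) != 2 or len(set(peers)) != 2:
        raise ValueError("AWS provides two distinct tunnel endpoints")
    peer_str = " ".join(str(ip_address(p)) for p in peers)
    if f"match address {acl}" in config:
        raise ValueError(f"{acl} is already referenced by an existing entry")
    name, seq = next_entry(config)
    inside, outside = interfaces
    local, vpc = asa_net(local_net), asa_net(vpc_net)
    return [
        # interesting traffic: local subnet <-> VPC subnet
        f"access-list {acl} extended permit ip {local} {vpc}",
        "object network obj-SrcNet",
        f" subnet {local}",
        "object network obj-amzn",
        f" subnet {vpc}",
        f"crypto map {name} {seq} match address {acl}",
        f"crypto map {name} {seq} set pfs group2",
        f"crypto map {name} {seq} set peer {peer_str}",
        f"crypto map {name} {seq} set transform-set {transform}",
        f"crypto map {name} {seq} set security-association lifetime seconds 3600",
        # NAT exemption so VPN traffic is not translated; its position (2) is
        # taken from the answer and is independent of the crypto map sequence.
        f"nat ({inside},{outside}) 2 source static obj-SrcNet obj-SrcNet "
        "destination static obj-amzn obj-amzn",
    ]


if __name__ == "__main__":
    for line in aws_tunnel_config(EXISTING_CONFIG,
                                  ["198.51.100.1", "198.51.100.2"],
                                  "10.9.1.0/24", "10.9.4.0/24"):
        print(line)
```

The script refuses to proceed when it finds zero or several crypto maps, or when the AWS ACL name is already referenced, because pasting the AWS template as-is (with its own map name and sequence 1) is exactly what produces a second, unbound crypto map and a tunnel that never comes up. The NAT position and the generated lines should still be checked against `show run nat` and `show run crypto map` on the device before applying.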