Add AWS VPN to Cisco ASA 5515x where a VPN to another office exist

Tags: amazon-web-services, cisco-asa, cisco-vpn, site-to-site-vpn

Story:
I have Cisco ASA 5515x in the HQ (10.9.1.0/24) connected via site-to-site VPN to office A [10.9.2.0/24 and 10.9.3.0/24].

Challenge:
I need to connect the Cisco ASA 5515x to AWS VPN to reach the AWS private network (10.9.4.0/24), ending up with the following setup:

AWS private network <–> HQ <–> Office A

where HQ and Office A should be able to reach the private network in AWS and vice versa.

Problem:
The Cisco configuration file provided by AWS does not work with the previous scenario. I tried to change the config file to make it work, but the tunnel is still down; only the Office A tunnel is up.

I'm aware that extra config is required on the Office A router and the HQ router to connect all the networks together, but I still was not able to bring the tunnel up between the ASA and AWS.

What should I do to add a site-to-site VPN on an existing ASA VPN?

Best Answer

I found the solution to my problem:

  • Take a backup of the current Cisco configuration, and save it on your desktop and on the flash of the router.
  • Check the following video to get the steps of connecting clean Cisco ASA to AWS VPN: https://www.youtube.com/watch?v=GPPb2eHYciY
  • Download the router configuration file from AWS VPN.
  • Find the name of the inside and outside interface:

    CISCO-ASA# show interface

  • Find the current Crypto Map name on your Cisco router by executing this command in privileged mode:

    CISCO-ASA# show run crypto map

    The result shows the name is PNL-MAP and the sequence is 1:

    crypto map PNL-MAP 1 match address VPN-BACKUP-TRAFFIC

  • Edit the map name to your current map name (e.g. PNL-MAP), then increase the sequence by 1 (e.g. 2):

    crypto map PNL-MAP 2 match address acl-amzn
    crypto map PNL-MAP 2 set pfs group2
    crypto map PNL-MAP 2 set peer xx.xx.xx.xx yy.yy.yy.yy
    crypto map PNL-MAP 2 set transform-set transform-amzn
    crypto map PNL-MAP 2 set security-association lifetime seconds 3600

  • Edit the name of the inside and outside interface:

    nat (inside_interface,outside_interface) 2 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn

  • Edit the configuration file to match your AWS VPC network and your local network.

  • The rest of the configuration file remains the same as in the step one video.

At the end you should be able to ping an AWS instance from your local network and vice versa.
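Not part of the answer above: an added Python helper that does the "find the map name, pick the next sequence" steps mechanically. It parses `show run crypto map` output, chooses the lowest unused sequence number for the existing map, and refuses to emit an entry whose crypto ACL is already matched by another sequence (the ASA evaluates entries in sequence order, so a duplicate match would never be reached for the new peer). The running-config sample, the peer address, the transform-set name and the second ACL name are constructed; PNL-MAP, VPN-BACKUP-TRAFFIC and the AWS template statements come from the answer.

```python
import re
from collections import defaultdict

# Constructed sample of "show run crypto map" on an ASA that already has
# the Office A tunnel (map name and ACL as in the answer; peer/transform made up).
SAMPLE_RUNNING_CONFIG = """\
crypto map PNL-MAP 1 match address VPN-BACKUP-TRAFFIC
crypto map PNL-MAP 1 set peer 203.0.113.10
crypto map PNL-MAP 1 set ikev1 transform-set ESP-AES-SHA
crypto map PNL-MAP interface outside
"""

# Statements from the AWS template with the "crypto map NAME SEQ" prefix
# stripped; the map name and sequence are filled in by render_new_entry().
AWS_TEMPLATE_LINES = [
    "match address acl-amzn",
    "set pfs group2",
    "set peer xx.xx.xx.xx yy.yy.yy.yy",
    "set transform-set transform-amzn",
    "set security-association lifetime seconds 3600",
]

# Only numbered entries match; "crypto map NAME interface outside" is skipped.
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")

def parse_crypto_maps(config):
    """Return {map_name: {sequence: [statements]}} for every numbered entry."""
    maps = defaultdict(lambda: defaultdict(list))
    for line in config.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if m:
            maps[m.group(1)][int(m.group(2))].append(m.group(3))
    return maps

def next_sequence(maps, name):
    """Lowest unused sequence number for map `name` (1 if the map does not exist)."""
    seq = 1
    while seq in maps.get(name, {}):
        seq += 1
    return seq

def render_new_entry(config, name, template_lines):
    """Attach the template statements to map `name` under a free sequence number."""
    maps = parse_crypto_maps(config)
    new_acl = next((s.split()[2] for s in template_lines if s.startswith("match address")), None)
    for seq, stmts in maps.get(name, {}).items():
        if new_acl and f"match address {new_acl}" in stmts:
            raise ValueError(f"ACL {new_acl} is already matched by {name} sequence {seq}")
    seq = next_sequence(maps, name)
    return [f"crypto map {name} {seq} {s}" for s in template_lines]
```

Paste the output of `render_new_entry(show_run_text, "PNL-MAP", AWS_TEMPLATE_LINES)` into the edited AWS file in place of its `crypto map` lines; the NAT exemption and interface names still need the manual edit described above.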
