
I am trying to establish a VPN connection from our on-premises rack to our Amazon VPC. The router/firewall that we have is a Cisco ASA 5505 running software version 9.1(7)23. According to Amazon's documentation, the 5505 is tested to work successfully for VPN connections and any software version above 8.2 is supported. But I am having some difficulties.

I have configured the ASA based on the sample configuration downloaded from the AWS site. And both AWS and the ASA report that the tunnel exists and is up and running. Yet I can't seem to get any traffic to actually flow through the tunnel. And looking at the routing table on the ASA, I'm not sure how it is supposed to know to route traffic for our VPC subnet over the VPN. I've been trying to research and look at documentation, but so far have not come up with a solution.

I am attaching the relevant lines from our ASA configuration (with IP addresses obscured). I can post our full configuration if anyone thinks it would be useful, but it is massive and unwieldy. Any help would be most appreciated!

Thanks.

EDITED TO ADD: I have added the one and only route statement from our ASA as well as the ASA's current route table. I have also added images of the route tables for the VPC. For some reason, there are two separate route tables connected to the VPC, with one marked as "Main".

ASA Config Items Related to VPN

object network obj-SrcNet
 subnet 0.0.0.0 0.0.0.0
object network obj-amzn
 subnet 10.47.0.0 255.255.0.0

access-list amzn_access_is extended permit ip host 18.x.x.x host 52.x.x.x
access-list amzn_access_is extended permit ip host 18.x.x.x host 52.x.x.x
access-list acl-amzn extended permit ip any 10.47.0.0 255.255.0.0
access-list amzn-filter extended deny ip any any
access-list amzn-filter extended permit ip 10.47.0.0 255.255.0.0 192.168.0.0 255.255.255.0

nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn

icmp permit any outside

sysopt connection tcpmss 1379

sla monitor 1
 type echo protocol ipIcmpEcho 10.47.1.148 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now

crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df outside

crypto map amzn_vpn_map 11 match address acl-amzn
crypto map amzn_vpn_map 11 set pfs
crypto map amzn_vpn_map 11 set peer 18.x.x.x 18.x.x.x
crypto map amzn_vpn_map 11 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map 11 set security-association lifetime seconds 3600
crypto map amzn_vpn_map interface outside

crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 200
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800

crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac

tunnel-group 18.x.x.x type ipsec-l2l
tunnel-group 18.x.x.x general-attributes
 default-group-policy filter
tunnel-group 18.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group 18.x.x.x type ipsec-l2l
tunnel-group 18.x.x.x general-attributes
 default-group-policy filter
tunnel-group 18.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10

group-policy filter internal
group-policy filter attributes
 vpn-filter value amzn-filter

Route Statement from ASA

route outside 0.0.0.0 0.0.0.0 54.144.x.x 1

Route Table from ASA

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 54.144.x.x to network 0.0.0.0

C    192.168.8.0 255.255.255.0 is directly connected, failover
C    52.144.x.x 255.255.255.240 is directly connected, outside
C    192.168.0.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 54.144.x.x, outside

VPC Route Table 1 (Marked as Main)

VPC Route Table 2

Ithizar
  • This is probably a routing issue. Do you really need to NAT to AWS? Also, can you include your route statements and the route table from your VPC? – Ron Trunk Sep 18 '20 at 15:24
  • I have added routing information from the ASA and VPC. Also, we are doing NAT for our internal subnet, and I was under the impression from reading the sample AWS configuration that we needed it for the VPN. But perhaps I'm mistaken? Thanks for your help! – Ithizar Sep 18 '20 at 22:03
  • UPDATE: With Amazon's help, I found the issue. It was a routing issue on the AWS side. The route table for the AWS VPN endpoint was pointing to a public subnet rather than to the private subnet of our on-premises network. Changing that resolved the issue. Thanks @RonTrunk for your help! – Ithizar Sep 19 '20 at 22:33
  • You should write your own answer to the question so others can learn from it. – Ron Trunk Sep 20 '20 at 00:28
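Checking both ends of this setup, as an added example that is not part of the original question, the comments, or the AWS/Cisco sample configurations: a Python script over constructed route-table records and constructed ASA ACL lines modelled on those in the question (route table and gateway ids are placeholders). It flags VPC route tables that do not send the on-premises LAN (192.168.0.0/24) to a virtual private gateway, the class of mistake the UPDATE comment describes, and evaluates ASA extended ACLs with first-match semantics so the crypto ACL and the vpn-filter entries, and their order, are checked as well.

```python
import ipaddress
# Constructed sample modelled on the question: a trimmed
# `aws ec2 describe-route-tables` style record (all ids are placeholders).
VPC_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main-placeholder", "Routes": [
        {"DestinationCidrBlock": "10.47.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}]},
    {"RouteTableId": "rtb-vpn-placeholder", "Routes": [
        {"DestinationCidrBlock": "10.47.0.0/16", "GatewayId": "local"},
        # Wrong on purpose: steers the ASA's public /28 to the VGW, not the LAN behind it.
        {"DestinationCidrBlock": "52.144.0.0/28", "GatewayId": "vgw-placeholder"}]},
]
# Constructed ASA ACL lines modelled on the question; the vpn-filter permit is listed before its deny-any.
ASA_CONFIG = """
access-list acl-amzn extended permit ip any 10.47.0.0 255.255.0.0
access-list amzn-filter extended permit ip 10.47.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list amzn-filter extended deny ip any any
"""
ONPREM_LAN, VPC_CIDR = "192.168.0.0/24", "10.47.0.0/16"   # LAN and VPC prefixes from the question

def longest_match(routes, cidr):
    """Most specific route whose CIDR contains `cidr` (longest-prefix match), or None."""
    net = ipaddress.ip_network(cidr)
    hits = [r for r in routes if net.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))]
    return max(hits, key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen, default=None)

def tables_missing_vgw_route(tables, onprem_lan):
    """IDs of route tables that do not send the on-prem LAN to a virtual private gateway."""
    return [t["RouteTableId"] for t in tables
            if not (longest_match(t["Routes"], onprem_lan) or {}).get("GatewayId", "").startswith("vgw-")]

def _addr(tok):  # consume one ASA address spec from the token list: any | host A | A MASK
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}")   # ipaddress accepts a dotted netmask

def asa_acl_action(config, acl_name, src, dst):
    """First-match evaluation of an ASA extended ACL for an ip flow: 'permit', 'deny' or None."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[:3] != ["access-list", acl_name, "extended"] or tok[4] != "ip":
            continue
        action, rest = tok[3], tok[5:]
        if src.subnet_of(_addr(rest)) and dst.subnet_of(_addr(rest)):
            return action
    return None
```

To run it against a live setup, feed the `Routes` lists from `aws ec2 describe-route-tables` and the text of `show running-config access-list` in place of the constructed samples; the vpn-filter is evaluated with the remote (VPC) network as the source, which is why the filter check below passes VPC_CIDR first.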

0 Answers