
My VPC is connected to a Cisco ASA; the tunnel is shown as UP in the AWS console.

What is working:

  • The engineer on the Cisco side has successfully pinged my EC2 instance within my private 10.5.0.0/17 subnet range.
  • Cisco side SLA is working and pinging.
  • Tunnel is up.

What is not working:

  • I cannot ping their network within their subnet range 192.168.0.0/21.

AWS Configurations:

Route Table for the subnet:

Destination        Target                  Status   Propagated
0.0.0.0/0          nat-000b0728fc3ee1267   Active   No
10.2.0.0/16        pcx-0901efe0ec72e2727   Active   No
10.5.0.0/16        local                   Active   No
192.168.0.0/21     vgw-014d07635177a0b23   Active   Yes

Security group of AWS instances: Inbound:

Type          Protocol    Port Range    Source
All           IPv4        All  N/A      192.168.0.0/21

Security group of AWS instances: Outbound:

Type          Protocol    Port Range    Source
All           IPv4        All  N/A      0.0.0.0/0

Network ACL outbound:

Rule number Type        Protocol Port   Destination      Allow/Deny
100         All traffic All      All    0.0.0.0/0        Allow
200         All traffic All      All    192.168.0.0/21   Allow
*           All traffic All      All    0.0.0.0/0        Deny

Network ACL inbound:

Rule number Type           Protocol  Port   Source           Allow/Deny
100         All traffic    All       All    0.0.0.0/0        Allow
200         All traffic    All       All    192.168.0.0/21   Allow
*           All traffic    All       All    0.0.0.0/0        Deny

VPN Site-to-Site static route tab:

IP prefixes      State
192.168.0.0/21   Available

Tunnel Details:

Routing Type: Static
Local IPv4 network CIDR: 192.168.0.0/21
Remote IPv4 network CIDR: 10.5.0.0/17

Security groups outbound:

Name Security group rule ID IP version Type Protocol Port range Destination
IPv4    All traffic All All 0.0.0.0/0

Security groups inbound:

Name Security group rule ID IP version Type Protocol Port Source
IPv4    All traffic All All 192.168.0.0/21

In short: traffic outbound from my EC2 instance (IP 10.5.55.214) never seems to reach the Cisco device (or at least that is what has been implied).

Other tests I have run:

Reachability Analyzer: Reachable

Name            Path ID                 Reachability status   Source                Destination            Destination port   Protocol
192.168.0.28    nip-0d2801c29eef99582   Reachable             i-0a11d82798368c646   vgw-014d07635177a0b2

Traceroute on EC2:

traceroute to 192.168.0.28 (192.168.0.28), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * *......
MarkK
  • 101
  • Hard to troubleshoot when we only get to see one side of the connection. The ASA is a complicated piece of equipment. No one is going to be able to solve your problem without seeing the configuration. End of story. Sorry. – Appleoddity Oct 14 '22 at 03:47
  • Firewall on the on-premises side? VPN Flow Logs would be my next step, to see if anything comes back at all. – Tim Oct 14 '22 at 19:01
  • @Appleoddity Thank you. Unfortunately, I don't have access to the other side of the VPN. The main thing I wanted to answer here is whether anything on the AWS side seems incorrect or if I missed something obvious. – MarkK Oct 15 '22 at 12:05
  • @Tim Thanks. I will look into the VPN Flow Logs and update. – MarkK Oct 15 '22 at 12:06
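Tim's suggestion, checking whether anything comes back at all, can be done mechanically against VPC Flow Logs captured on the instance's ENI. The following is an added example, not code from the question or its comments: it parses constructed default-format flow log records (the account id, ENI id, ports and timestamps are made up) and reports, per host in the 192.168.0.0/21 prefix, whether any packets returned to 10.5.55.214 and whether the security group or NACL rejected anything at the ENI.

```python
import ipaddress
from collections import defaultdict

# Constructed VPC Flow Log records (default 14-field format) as they would appear on
# the EC2 instance's ENI. Account id, ENI id, ports and timestamps are made up.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0exampleeni000001 10.5.55.214 192.168.0.28 0 0 1 4 336 1665700000 1665700060 ACCEPT OK
2 123456789012 eni-0exampleeni000001 10.5.55.214 192.168.0.28 43210 22 6 3 180 1665700000 1665700060 ACCEPT OK
2 123456789012 eni-0exampleeni000001 192.168.0.5 10.5.55.214 0 0 1 4 336 1665700100 1665700160 ACCEPT OK
2 123456789012 eni-0exampleeni000001 10.5.55.214 192.168.0.5 0 0 1 4 336 1665700100 1665700160 ACCEPT OK
2 123456789012 eni-0exampleeni000001 192.168.1.9 10.5.55.214 55555 3389 6 1 44 1665700200 1665700260 REJECT OK
2 123456789012 eni-0exampleeni000001 10.5.55.214 10.2.7.9 51000 443 6 12 2400 1665700000 1665700060 ACCEPT OK
2 123456789012 eni-0exampleeni000001 - - - - - - - 1665700300 1665700360 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Split default-format lines into dicts, dropping NODATA/SKIPDATA placeholder rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[-1] == "OK":
            records.append(dict(zip(FIELDS, parts)))
    return records


def vpn_peer_summary(text, local_ip, remote_cidr):
    """Per host in remote_cidr: packets leaving the ENI towards it, packets arriving
    from it, and packets the SG/NACL rejected at the ENI. Outbound packets with no
    inbound ones means the VPC side forwarded the traffic and nothing came back."""
    remote = ipaddress.ip_network(remote_cidr)
    summary = defaultdict(lambda: {"out_packets": 0, "in_packets": 0, "rejected": 0})
    for rec in parse_flow_log(text):
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if str(src) == local_ip and dst in remote:
            peer, direction = str(dst), "out_packets"
        elif str(dst) == local_ip and src in remote:
            peer, direction = str(src), "in_packets"
        else:
            continue  # not VPN traffic for this instance
        key = "rejected" if rec["action"] == "REJECT" else direction
        summary[peer][key] += int(rec["packets"])
    for stats in summary.values():
        stats["return_traffic_seen"] = stats["in_packets"] > 0
    return dict(summary)
```

In the constructed sample, 192.168.0.28 shows outbound packets and none returning, which is the pattern the question describes; a peer that only shows REJECT records points at the security group or NACL rather than the tunnel.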

0 Answers