
Story: I have Cisco ASA 5515x in the HQ (10.9.1.0/24) connected via site-to-site VPN to office A [10.9.2.0/24 and 10.9.3.0/24].

Challenge: I need to connect Cisco ASA 5515x to AWS VPN to reach AWS private network (10.9.4.0/24) to end up having the following setup:

AWS private network <--> HQ <--> Office A

where HQ and Office A should be able to reach the private network in AWS and vice versa.

Problem: The Cisco configuration file provided by AWS does not work with the previous scenario. I tried to change the config file to make it work, but the tunnel is still down; only the Office A tunnel is up.

I'm aware that extra config is required on the Office A router and the HQ router to connect all networks together, but I still was not able to bring the tunnel up between the ASA and AWS.

What should I do to add site-to-site VPN on existing ASA VPN?

Jubba Smail
    *"the tunnel still down, only Office A tunnel is up."* You mean the tunnel from HQ to Office A, right? Office A isn't really relevant in troubleshooting your tunnel to AWS. Adding Office A should be done by modifying the ASA config and adding a route table entry in the VPC *after* you get the tunnel to AWS working. Focus on one part of the configuration at a time. What software version is the HQ ASA running? What steps have you taken to troubleshoot the IPSec config in the ASA? – Michael - sqlbot Jul 20 '17 at 04:21
  • The VPN tunnel between the HQ and Office A already exists; I'm trying to add a new tunnel between HQ and AWS. The ASA version is 8.6. I don't know how to troubleshoot. – Jubba Smail Jul 20 '17 at 09:20

1 Answer


I found the solution to my problem:

  • Take a backup of the current Cisco configuration, and save it on your desk and on the flash of the router.
  • Check the following video to get the steps for connecting a clean Cisco ASA to AWS VPN: https://www.youtube.com/watch?v=GPPb2eHYciY
  • Download the router configuration file from AWS VPN.
  • Find the name of the inside and outside interface:

    CISCO-ASA# show interface

  • Find the current Crypto Map name on your Cisco router by executing this command in privileged mode:

    CISCO-ASA# show run crypto map

    The result shows the name is PNL-MAP and the sequence is 1:

    crypto map PNL-MAP 1 match address VPN-BACKUP-TRAFFIC

    • Edit the map name to your current map name, e.g. PNL-MAP, then increase the sequence by 1, e.g. 2:

    crypto map PNL-MAP 2 match address acl-amzn
    crypto map PNL-MAP 2 set pfs group2
    crypto map PNL-MAP 2 set peer xx.xx.xx.xx yy.yy.yy.yy
    crypto map PNL-MAP 2 set transform-set transform-amzn
    crypto map PNL-MAP 2 set security-association lifetime seconds 3600

    • Edit the name of the inside and outside interface:

    nat (inside_interface,outside_interface) 2 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn

    • Edit the configuration file to match your AWS VPC network and your local network.

    • The rest of the configuration file remains the same as in the step one video.

At the end you should be able to ping an AWS instance from your local network and vice versa.

Jubba Smail
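The answer above edits the AWS-generated template by hand: rename the crypto map to the one already on the ASA, bump the sequence number, and fix the interface names in the NAT exemption. The script below is an added example (not from the original post or from AWS) that performs the same transformation on text, so the merge is repeatable and the new sequence number is guaranteed not to collide with an existing entry. The `show run crypto map` output, the template fragment, the peer addresses and the object and interface names are all constructed placeholders.

```python
"""
Merge an AWS-generated ASA crypto-map fragment into an existing crypto map.

Added example (not from the original post). It reproduces the manual edits
described in the answer: reuse the existing map name, pick the next free
sequence number, drop the duplicate interface binding, and substitute the
real inside/outside interface names in the NAT exemption.
"""
import re

# Constructed sample: `show run crypto map` on an ASA that already carries one
# site-to-site tunnel (map name PNL-MAP, sequence 1, as in the post).
EXISTING_CRYPTO_MAP = """\
crypto map PNL-MAP 1 match address VPN-BACKUP-TRAFFIC
crypto map PNL-MAP 1 set peer 203.0.113.10
crypto map PNL-MAP 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map PNL-MAP interface outside
"""

# Constructed sample: the shape of the crypto-map and NAT lines in an AWS
# template, which assumes a clean ASA (its own map name, sequence 1,
# generic interface names). Peer addresses are placeholders.
AWS_TEMPLATE = """\
crypto map amzn-vpn-map 1 match address acl-amzn
crypto map amzn-vpn-map 1 set pfs group2
crypto map amzn-vpn-map 1 set peer xx.xx.xx.xx yy.yy.yy.yy
crypto map amzn-vpn-map 1 set transform-set transform-amzn
crypto map amzn-vpn-map 1 set security-association lifetime seconds 3600
crypto map amzn-vpn-map interface outside_interface
nat (inside_interface,outside_interface) 2 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
"""

# Numbered crypto-map entry: "crypto map <name> <seq> <rest>"
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")


def existing_map(show_run_output):
    """Return (map_name, highest_sequence) from `show run crypto map` text.

    Raises ValueError if no numbered entry exists or if more than one map
    name is in use; the merge below assumes a single map, so anything else
    needs a human look first.
    """
    names, seqs = set(), []
    for line in show_run_output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            names.add(m.group(1))
            seqs.append(int(m.group(2)))
    if not seqs:
        raise ValueError("no numbered crypto map entries found")
    if len(names) != 1:
        raise ValueError(f"more than one crypto map name in use: {sorted(names)}")
    return names.pop(), max(seqs)


def merge_aws_fragment(template, map_name, next_seq, inside, outside):
    """Rewrite the AWS fragment so it extends the existing crypto map.

    - numbered `crypto map <aws-name> <n> ...` lines get the existing map
      name and the new sequence number;
    - the `crypto map ... interface` binding is dropped, because the existing
      map is already applied to the outside interface;
    - placeholder interface names in the NAT exemption are replaced.
    """
    out = []
    for line in template.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            out.append(f"crypto map {map_name} {next_seq} {m.group(3)}")
            continue
        if re.match(r"^crypto map \S+ interface ", line):
            continue
        out.append(line.replace("inside_interface", inside)
                       .replace("outside_interface", outside))
    return "\n".join(out) + "\n"


def build_merged_config(show_run_output, template, inside, outside):
    """Full pipeline: read the live map, then adapt the AWS fragment to it."""
    map_name, highest = existing_map(show_run_output)
    return merge_aws_fragment(template, map_name, highest + 1, inside, outside)


if __name__ == "__main__":
    print(build_merged_config(EXISTING_CRYPTO_MAP, AWS_TEMPLATE, "inside", "outside"))
```

The result is meant to be reviewed and then pasted into the ASA; the script deliberately refuses to guess when the existing configuration shows more than one crypto map name, since only one map can be bound to an interface and a second name usually means the output was not what was expected.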