
How to Set Up a VPN Connection between Cisco ASA and AWS VPN?

Cloud Guru (31K subscribers)
9K views

In this tutorial you will learn how to set up an IPsec site-to-site VPN connection between your Cisco ASA and the AWS VPN endpoints, so you can extend or migrate your office or datacenter network to AWS in a matter of minutes.
Cisco ASA is a security appliance that combines firewall, antivirus, intrusion prevention and virtual private network (VPN) functions in one device. Cisco markets it as proactive threat defense that stops attacks before they spread through the network.
AWS Virtual Private Network (VPN) solutions establish secure connections between your on-premises networks, remote offices, client devices and the AWS global network. AWS VPN comprises two services: AWS Site-to-Site VPN and AWS Client VPN. Each is a highly available, managed and elastic cloud VPN service for protecting your network traffic. The ASA setup in this video uses Site-to-Site VPN, which provisions two IPsec tunnels (two AWS endpoint addresses) per connection so that one can fail over to the other.
#VPN #AWSVPN #CISCOASA
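The description above summarizes the procedure but not what ends up on the ASA. The following is an added illustrative configuration, not the video's own config and not the file AWS generates: a Cisco ASA 9.x IKEv2 policy-based site-to-site configuration towards the two AWS Site-to-Site VPN tunnel endpoints. All addresses (192.168.1.0/24 on-premises, 10.0.0.0/16 and 10.1.0.0/16 in the VPC, 203.0.113.10 and 203.0.113.20 as the AWS endpoints, 10.0.0.10 as the probed host) and all object, ACL and crypto-map names are placeholders I chose; the real endpoint addresses and pre-shared keys come from the configuration file downloaded from the VPN connection in the AWS console. It also covers the points raised in the comments below: NAT exemption in both the current and the pre-8.3 syntax, a second VPC subnet in the crypto ACL, the SLA monitor keepalive, MSS clamping, and the two-peer failover.

```cisco
! --- Illustrative Cisco ASA 9.x config (IKEv2, policy-based crypto map) ---
! Every address and name below is a placeholder (assumption):
!   on-premises LAN 192.168.1.0/24 behind "inside"
!   AWS VPC CIDRs 10.0.0.0/16 and 10.1.0.0/16 (two subnets behind the VGW)
!   AWS tunnel endpoints 203.0.113.10 (tunnel 1) and 203.0.113.20 (tunnel 2)
! Replace them, and the pre-shared keys, with the values from the
! configuration file downloaded from the AWS Site-to-Site VPN console.

! Phase 1: IKEv2 policy (AES-256 / SHA-256 / DH group 14, 8-hour lifetime)
crypto ikev2 policy 201
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable outside

! Phase 2: ESP proposal referenced by the crypto map
crypto ipsec ikev2 ipsec-proposal AWS-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Local and remote networks. A second VPC subnet is just another
! network-object in the group; the ACL and the NAT rule below do not change.
object network OBJ-ONPREM
 subnet 192.168.1.0 255.255.255.0
object-group network OG-AWS-VPC
 network-object 10.0.0.0 255.255.0.0
 network-object 10.1.0.0 255.255.0.0

! Crypto ACL ("interesting traffic"). Source is any4 rather than the LAN
! object so that the SLA probe sourced from the outside interface (below)
! also matches and keeps the tunnel up.
access-list ACL-AMZN extended permit ip any4 object-group OG-AWS-VPC

! NAT exemption (identity twice-NAT, ASA 8.3+ syntax). Without it the LAN
! traffic is PATed to the outside address, no longer matches the crypto
! ACL, and the tunnel sits "up" with encaps but zero decaps.
! Pre-8.3 equivalent: nat (inside) 0 access-list ACL-AMZN
nat (inside,outside) source static OBJ-ONPREM OBJ-ONPREM destination static OG-AWS-VPC OG-AWS-VPC no-proxy-arp route-lookup

! Crypto map: one entry, two peers. The ASA negotiates with tunnel 1
! first and moves to tunnel 2 when that peer stops answering DPD.
crypto map AWS-MAP 1 match address ACL-AMZN
crypto map AWS-MAP 1 set peer 203.0.113.10 203.0.113.20
crypto map AWS-MAP 1 set ikev2 ipsec-proposal AWS-PROPOSAL
crypto map AWS-MAP 1 set pfs group14
crypto map AWS-MAP 1 set security-association lifetime seconds 3600
crypto map AWS-MAP interface outside

! One tunnel-group per AWS endpoint, each with its own PSK from the
! downloaded file. The isakmp keepalive (DPD) is what drives the failover.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-TUNNEL1-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-TUNNEL1-PSK
 isakmp keepalive threshold 10 retry 10
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-TUNNEL2-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-TUNNEL2-PSK
 isakmp keepalive threshold 10 retry 10

! MTU/MSS: clamp the TCP MSS and clear DF so ESP-encapsulated packets are
! not silently dropped on the path, and fragment before encryption.
sysopt connection tcpmss 1379
crypto ipsec df-bit clear-df outside
crypto ipsec fragmentation before-encryption outside
crypto ipsec security-association replay window-size 128

! Keepalive: an ASA only negotiates an SA when interesting traffic
! appears, so probe a host in the VPC every 5 s from the outside interface.
sla monitor 1
 type echo protocol ipIcmpEcho 10.0.0.10 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now

! Verification (run on the ASA):
!   show crypto ikev2 sa        -> Phase 1 SA with the active peer
!   show crypto ipsec sa        -> both #pkts encaps and #pkts decaps rising
!   packet-tracer input inside tcp 192.168.1.10 12345 10.0.0.10 3389
```

Two things to check when the tunnel is up but nothing flows, both of which come up in the comments: first, "show crypto ipsec sa" with encaps rising and decaps at zero means the ASA is sending but AWS is not returning traffic, so look at the AWS side (the static route for the on-premises prefix on the VPN connection, route propagation into the VPC route table, and the instance's security group) rather than at the ASA. Second, the SLA probe is sourced from the ASA's outside address, so AWS also needs a route back to that /32 over the VPN and the probed host must answer ICMP; otherwise "show sla monitor operational-state" reports Timeout even though the tunnel negotiates, which is exactly the symptom of an ICMP connection built and torn down three seconds later with no reply. Since this example uses IKEv2, "show crypto isakmp sa" will report no IKEv1 SAs by design; use "show crypto ikev2 sa".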

Published: 12 Sep 2024

Comments: 36
@johnkasonga6634 (2 years ago)
Very good tutorial. The best I've watched so far. Thanks. Please do more videos on VPNs.
@CloudGurus (2 years ago)
Thanks, will do!
@stargategoku (2 years ago)
Thanks a lot for sharing the post!
@CloudGurus (2 years ago)
Thanks, and welcome.
@ObinnaEdmund (25 days ago)
Hello, thank you for this. I created a VPN connection with an on-premise device and the tunnel is up, but when I ping the server on the on-premise device from my EC2 instance, I don't get any response. Can you assist?
@CloudGurus (25 days ago)
Thanks for the feedback. Please share the error code.
@jorgevaldos2976 (9 months ago)
Hello, AWS sets an inside IP address for the VTI by default. I'm assuming this configuration will still work?
@CloudGurus (9 months ago)
Refer to these links: docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html
@dabance (8 months ago)
What if there is a second subnet 10.0.0.0/16 behind the AWS GW? How do I create the ACL?
@CloudGurus (8 months ago)
Yes, we can do that.
@panashemadzudzo (9 months ago)
So where do you get the IP address for the AWS gateway?
@CloudGurus (9 months ago)
Follow the steps; you will get the IP in the process.
@adetunjihabeeb3115 (1 year ago)
Thank you for this. Would the same steps work if my ASA is in multi-context mode?
@CloudGurus (1 year ago)
Yes, it will work.
@adetunjihabeeb3115 (1 year ago)
@CloudGurus Thanks for replying.
@aravinthsathyamoorthy9830 (1 year ago)
If there is slowness in traffic via S2S between the ASA and AWS, what might be the possible cause and the steps to troubleshoot? Good bandwidth, MTU 1500, MSS 1380 set.
@CloudGurus (1 year ago)
Refer to this link: blog.apnic.net/2014/12/15/ip-mtu-and-tcp-mss-missmatch-an-evil-for-network-performance/
@JESUSistheGoodNews (1 year ago)
Great job. How do we test the failover? Just disable tunnel 1 on AWS?
@CloudGurus (1 year ago)
Yes, correct.
@dannymorris4347 (7 months ago)
When testing failover, the ASA shows "Duplicate entry already in Tunnel Manager". Any suggestions on how to make the backup tunnel function correctly? @CloudGurus
@uninavas (2 years ago)
Very nice video! I have set up the same scenario, but I cannot get traffic to go from one LAN to the other. Any ideas on how I can troubleshoot this? Thanks.
@CloudGurus (2 years ago)
Please share the error logs/code.
@uninavas (2 years ago)
@CloudGurus I am not really getting any errors. It's just that I cannot get traffic to go through the tunnel. I have a server inside my VPC and cannot access it from the ASA's LAN, and vice versa.
@uninavas (2 years ago)
@CloudGurus I have noticed that the remote LAN does not show under my route table, but others do (I am currently connected via VPN to the ASA and it shows my IP as a route, but not the AWS VPC).
@aiakan (2 years ago)
Nice work, but I noticed that at the end of your config you changed your NAT exemption to "nat (inside) 0 access-list acl-amzn" for the older version. I was able to get a tunnel going but not able to hit anything yet on the other subnets. My NAT was the first one, but it fails on the last line: "ERROR: % Invalid input detected at '^' marker", which seems to be at "ob^j-amzn obj-amzn" on the last part of that line. Not sure why it fails, since it does create the network objects with their respective subnets, so they are there. Any thoughts?
@CloudGurus (2 years ago)
Will check and get back to you.
@aiakan (2 years ago)
@CloudGurus Thanks... let me know what you find out. Still trying to troubleshoot connectivity between subnets... currently I get "access-list amzn-filter denied tcp for user '' MySubnet/My-External-ASA-IP(62515) -> Outside/10.10.100.9(3389)" when I try to RDP to the 10.10.x.x network in AWS. Not sure if that relates to the fact that the last NAT rule was not applied, but nothing I have added to the access list has worked.
@aiakan (2 years ago)
@CloudGurus Just to follow up: I think the AWS filter was a problem. After permitting any, the packet tracer checks good to the VPC subnet, but I still get no response from the AWS side. Again, I am unable to add that last line, so not sure if that's the issue, since I get no decaps when I do a "sh crypto ipsec sa". So I assume AWS is the issue, but it's matched perfectly as yours was. Got the static route for the ASA subnet, the route table looks good with route propagation to the GW, and the security group allows traffic into my EC2. Is there anything I may be missing, or would that NAT rule be required?
@mohammedmustafaali1049 (2 years ago)
Is it for the 9.6 OS? I have a 9.6 device, but the AWS console now only offers a 9.7 downloadable file.
@CloudGurus (2 years ago)
Yes, correct.
@JESUSistheGoodNews (1 year ago)
OK, I am having a problem with the SLA monitor. I am using an IP that is remotely available through the tunnel on the VPC, 10.27.1.136, but my SLA never shows it is reachable, even though I can generate traffic from behind the ASA and bring the tunnel up.

    sh sla monitor operational-state
    Entry number: 5
    Modification time: 15:17:18.982 PST Fri Jan 6 2023
    Number of Octets Used by this Entry: 2056
    Number of operations attempted: 30
    Number of operations skipped: 30
    Current seconds left in Life: Forever
    Operational state of entry: Active
    Last time this entry was reset: Never
    Connection loss occurred: FALSE
    Timeout occurred: TRUE
    Over thresholds occurred: FALSE
    Latest RTT (milliseconds): NoConnection/Busy/Timeout
    Latest operation start time: 15:22:08.983 PST Fri Jan 6 2023
    Latest operation return code: Timeout
    RTT Values:
    RTTAvg: 0  RTTMin: 0  RTTMax: 0
    NumOfRTT: 0  RTTSum: 0  RTTSum2: 0
    CORP-DC/pri/act#
@JESUSistheGoodNews (1 year ago)
    6 Jan 06 2023 15:28:48 302020 24.249.x.x 2454 10.27.1.136 0 Built outbound ICMP connection for faddr 10.27.1.136/0 gaddr 24.249.x.x/2454 laddr 24.249.14.253/2454 type 8 code 0
    6 Jan 06 2023 15:28:51 302021 10.27.1.136 0 24.249.x.x 2454 Teardown ICMP connection for faddr 10.27.1.136/0 gaddr 24.249.x.x/2454 laddr 24.249.14.253/2454 type 8 code 0
@CloudGurus (1 year ago)
Yes, correct.
@Kurts_Kitchen (10 months ago)
I followed your video step by step and I can't even get Phase 1 to start. When I run "show crypto isakmp sa" it returns "no ikev1 sa".
@CloudGurus (10 months ago)
Please share the error code.
@Kurts_Kitchen (10 months ago)
@CloudGurus There are no error codes; it's just that Phase 1 isn't even attempting to connect. I tried to run some interesting traffic through the tunnel and it fails on phase 11 (VPN) with a drop due to "configured by ACL". Do you have somewhere offline I could possibly link up with you and discuss? I am completely new to AWS.