AWS Transit Gateway with Cisco ASA Routing Issues

0

Hello,

We have setup a site to site VPN from our main office to and it's connected to our transit gateway in AWS. I'm able to ping our main VPC instances over the VPN tunnel. We have other accounts/VPC's that is connect to the transmit gateway but i am unable to ping those instances over the VPN. I have added the new network in our Cisco VPN profile but as soon as i add it, i lose connection to the main VPC and the new VPC instance starts pinging. It seems as if i'm only allowed to ping one VPC at a time. I talked with Cisco and they said it's because my VPN is policy based and not route based. Can anyone tell me how to create a route based VPN tunnel through the transit gateway or tell me if i'm missing a step?

Thanks

MJP
질문됨 3년 전1067회 조회
2개 답변
0

Hi,
an AWS site-to-site VPN tunnel is always route-based. You should configure the Cisco ASA end of the connection as route-based (https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214230-configure-policy-based-and-route-based-v.html). In AWS, you should set both the "Local IPv4 Network Cidr" and "Remote IPv4 Network Cidr" settings to 0.0.0.0/0.

The reason why only one VPC is reachable at a time is that one AWS site-to-site VPN connection only permits one security association in each direction to be active at one time. When you configure a policy-based tunnel on the ASA with several IP networks configured in the encryption domain, the ASA will establish a separate security association for each combination of IP networks (traffic selectors) communicating over the tunnel.

For example, if you have the CIDR blocks 10.12.0.0/16 and 10.45.0.0/16 configured for your VPCs, and the site-to-site VPN connects them to a a single on-premises CIDR block 10.240.0.0/16, then traffic from on premises to the first VPC will cause a security association to be established from 10.240.0.0/16 to 10.12.0.0/16. When traffic is attempted to the other VPC, the first pair of SAs will be torn down and new ones established between 10.240.0.0/16 and 10.45.0.0/16. That's the phenomenon you are seeing.

When you configure a route-based VPN on the ASA, it will only establish one security association in each direction, with 0.0.0.0/0 on both sides of the tunnel. Regardless of how many VPCs and on-premises networks you have, they will all be reachable without having to establish additional SAs.

Note that the cryptographic settings in the examples in Cisco's article are seriously weak. AWS site-to-site VPN supports the most secure settings recognised by the ASA.

LeoMK
답변함 3년 전
0

Thanks for the response. So we torn down the static VPN and we are using BGP or Dynamic. When you setup a BGP tunnel, it keeps 2 tunnels active. What we are seeing now, is that traffic is going through one tunnel and coming back through the other which is resulting in sometimes not being able to ping some devices in some VPCs. Sometimes we can ping the device, sometimes we can't. Cisco seems to think that it's on AWS side with traffic trying to come back through the other tunnel. Have you seen this scenario?

mjpit
답변함 3년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인