Routing back to an ASAv in the private AZ

0

I have a Cisco ASAv with its inside interface attached to our private AZ. We then have a Cisco c1000v running DMVPN to all our remote offices. A jump box and the inside interface of the ASAv are able to ping a remote device in a remote office OK. Remote devices can also connect into the private AZ OK over DMVPN.

But my PC connected to the ASAv with an IP in the AnyConnect pool (a subnet within the /16 range we use for the VPC) cannot ping the remote device. I can RDP to the jump server in the private AZ OK.

I have done packet captures on the c1000v and can see the return traffic right up to there. It is just not making the final leg back to the firewall. A firewall packet capture on the inside interface only shows request packets and no response. The private AZ has a route for the AnyConnect pool using the ENI of the ASAv inside interface as the next hop.

3 Answers
0

Are you doing SNAT on the ASAv? Most ClientVPN solutions use Source NAT which makes routing easy as the VPN endpoint becomes the source of the traffic destined towards VPN resources. Also, if you are doing any sort of NATing make sure to disable Source/Destination checks on the EC2 instance hosting ASAv. Lastly, the any-connect IP Pool is usually only locally significant and not a routable segment so I am not sure you would want to place an instance in that subnet. If none of this helps then I would suggest to reach out to Cisco TAC or AWS premium support for troubleshooting.

AWS
EXPERT
answered a year ago
  • Yes, we are doing src NAT and the src/dest check is disabled. I had the AnyConnect pool set as a subnet on the VPC and then a route to the ASAv.

    I tried to remove the subnet and then just add the route, but I think because the AnyConnect pool is within the /16 for the VPC it would not let me add the route.

    So currently I am trying to use a different /16 range for the AnyConnect pool. The VPC does let me add this new route to the ASAv.

0

Have you enabled "same-security-traffic permit intra-interface" on the ASA?

AWS
zinal
answered a year ago
  • Yes, we do have this.

    I have also now tried with a new subnet on the ASAv, one not in the same IP range as the AZ. This allows me to add a route to the ASAv on the VPC route table without having to have a subnet for it.

    Still the same issue.

0

OK, worked it out.

The CSR is a one-arm router with its interface in the public AZ. The public AZ needed a route added for 10.39.0.0 via the ASA inside interface.

answered a year ago
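The fix above is a textbook asymmetric-routing case: the reply enters the VPC in the CSR's public subnet, so that subnet's route table (not the private one) decides where pool addresses go. The script below is an added example, not from the thread, that models the AWS route-table lookup (longest prefix match, "local" covering the VPC CIDR) for the public subnet before and after the route is added. The VPC CIDR, ENI and IGW ids are constructed placeholders; the pool mask /16 is assumed, since the thread gives only 10.39.0.0.

```python
"""Model the return path for AnyConnect pool traffic through a VPC route table.

Added example, not part of the original thread. All CIDRs, ENI ids and
gateway ids below are constructed; the /16 mask on the pool is assumed.
"""
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.10.0.0/16")          # constructed VPC CIDR
ANYCONNECT_POOL = ip_network("10.39.0.0/16")   # pool outside the VPC /16 (mask assumed)
ASAV_INSIDE_ENI = "eni-asav-inside-PLACEHOLDER"
IGW = "igw-PLACEHOLDER"


def lookup(route_table, dst):
    """AWS-style longest-prefix match over (cidr, target) pairs.

    The 'local' entry covers the whole VPC CIDR; a more specific prefix wins.
    """
    dst = ip_address(dst)
    best = None
    for prefix, target in route_table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def check_return_path(public_rt, client_ip=str(ANYCONNECT_POOL[10])):
    """Where does the CSR's subnet send a reply destined for a pool client?

    Returns (ok, target): ok is True only when the reply is handed to the
    ASAv inside ENI, which is the only hop that can reach the VPN client.
    """
    target = lookup(public_rt, client_ip)
    return target == ASAV_INSIDE_ENI, target


# Before the fix: the public subnet only knows 'local' and the default route,
# so the reply matches 0.0.0.0/0 and is sent to the internet gateway.
PUBLIC_RT_BEFORE = [(str(VPC_CIDR), "local"), ("0.0.0.0/0", IGW)]
# After the fix: explicit route for the pool via the ASAv inside interface ENI.
PUBLIC_RT_AFTER = PUBLIC_RT_BEFORE + [(str(ANYCONNECT_POOL), ASAV_INSIDE_ENI)]

if __name__ == "__main__":
    for name, rt in (("before", PUBLIC_RT_BEFORE), ("after", PUBLIC_RT_AFTER)):
        ok, target = check_return_path(rt)
        print(f"public subnet {name}: reply -> {target} ({'OK' if ok else 'BLACKHOLE'})")
```

Run the same check against every route table on the reply path (here the public subnet's); a capture on the ASAv inside interface showing requests only, as in the question, is the symptom of the "before" table.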
