Policy-based VPN?

josephvance
Level 1

Is it possible to create a policy based VPN between a CSR and an ASA on AWS? I'm a little thrown off because on AWS, the public IP is NATed to the CSR, so I'm not sure how the shared key lookup is supposed to work. 

I don't think I can use VTI, because I've got ASAs on the other end.

Any suggestions are appreciated. 

1 Reply

Frank DeNofa
Cisco Employee

Joseph,
As the ASA does not support any sort of tunnel-interface-based VPN, you're correct in thinking that you cannot use a VTI.
By "policy-based VPN" I'm assuming that you're referring to a crypto map? If so, here's a pretty good supportforums post which discusses building a tunnel between an IOS router (i.e. your CSR) and an ASA. As for the pre-shared key, you should have these configured with whatever IP address will actually be seen by the device. For example, if the real IP address on your CSR is 10.1.1.1, but it's being NAT'd to 64.1.1.1, you should have the 64.1.1.1 address in the ASA configuration for your pre-shared key, crypto map peer, and tunnel group name. The same is true on the CSR if the ASA were to be behind NAT. (There is an exception to this if you choose to use ISAKMP profiles, but let's not complicate things.)
You may want to consider taking a look at the general Security > VPN supportforums posts as they would probably be very helpful. While having a CSR in AWS is a somewhat unique situation, the majority of "typical" VPN configuration and troubleshooting will apply here as well.
HTH,

Frank
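As an added illustration (not taken from Frank's reply or from Cisco documentation), the crypto-map pattern he describes on both sides, using his example of a CSR whose real address 10.1.1.1 is NAT'd to 64.1.1.1. `<ASA_PUBLIC_IP>` and `<PSK>` are placeholders, and the 10.1.0.0/16 and 192.168.0.0/16 networks are constructed for the example:

```text
! --- CSR side (IOS-XE): real interface 10.1.1.1, NAT'd by AWS to 64.1.1.1 ---
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! The peer address here is the ASA's real Internet-facing address (placeholder)
crypto isakmp key <PSK> address <ASA_PUBLIC_IP>
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
! Interesting traffic: CSR-side networks (10.1.0.0/16) to ASA-side (192.168.0.0/16)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 192.168.0.0 0.0.255.255
crypto map CMAP 10 ipsec-isakmp
 set peer <ASA_PUBLIC_IP>
 set transform-set TS
 match address VPN-TRAFFIC
interface GigabitEthernet1
 ip address 10.1.1.1 255.255.255.0
 crypto map CMAP

! --- ASA side: every reference to the CSR uses the NAT'd 64.1.1.1, never 10.1.1.1 ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
! Mirror image of the CSR's ACL (ASA uses subnet masks, IOS uses wildcard masks)
access-list VPN-TRAFFIC extended permit ip 192.168.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map CMAP 10 match address VPN-TRAFFIC
crypto map CMAP 10 set peer 64.1.1.1
crypto map CMAP 10 set ikev1 transform-set TS
crypto map CMAP interface outside
! Tunnel-group name must match the address the ASA actually sees the CSR from
tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <PSK>
```

Not shown, but also required in practice: identity (NAT-exempt) rules on the ASA for the VPN-TRAFFIC networks, and an AWS security group on the CSR that allows UDP 500 and UDP 4500 from the ASA's address, since NAT-T will encapsulate ESP in UDP 4500 once the ASA detects the NAT.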