ASAv in AWS with 1 management 1 outside and 1 inside interface

babiojd01
Level 1

So I have been playing around with a basic scenario of a Linux EC2 VM on the inside subnet of the ASAv, a VPN to the VPC, and a static route to my remote subnet (opposite side of the VPN). I have tried custom route tables, routes on the EC2 VM, and route tables directly to an interface. Nothing works! It appears that the initial packet goes around the ASA to the EC2 VM, then the return SYN-ACK comes through the inside interface from the VM and is dropped because it was never initiated through the outside, since it went around it. What is the trick in order to force it through the outside and not around the firewall? My test was not from within the VPC but from the remote side of the VPN.

2 Replies

Where is the SYN packet coming from? If from the remote side, then the tunnel should already be up and the route is present.

You can use IP SLA between peers to keep the tunnel up; the route is installed because of the active interface, and then traffic will flow without interruption.

So the tunnel is up and works perfectly. It appears as if the SYN goes through the tunnel into AWS but is going around the ASAv, connecting to the device that is supposed to be behind inside. The SYN-ACK is coming from the EC2 but actually goes in the inside interface of the ASAv. The ASAv sees this and drops it because the initial connection never originated from outside to inside. So effectively it's bypassing outside. Almost feels like a routing issue where I need to force packets into the outside interface of the ASA.
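Added example (not code from the thread, from Cisco or from AWS): a small offline Python check that reproduces the asymmetric path described above from route-table data. It assumes the tunnel terminates on the AWS virtual private gateway rather than on the ASAv, so a packet from the remote subnet is delivered into the VPC under whatever route table is associated with the VGW (none in the scenario as posted, so it lands on the instance directly), while the EC2 instance's reply follows the inside subnet's route table to the ASAv inside ENI. The route-table dicts are constructed to mimic the fields of `aws ec2 describe-route-tables` output; all ENI IDs, CIDRs and the ENI-to-appliance mapping are hypothetical.

```python
"""Offline check for a flow routed around an inline ASAv in a VPC.

Added example, not code from the thread or from Cisco/AWS. The route tables
are constructed to mimic `aws ec2 describe-route-tables` output; every ENI ID,
CIDR and appliance name is hypothetical.
"""
import ipaddress

# Hypothetical ENI IDs of the two data-plane interfaces of the one ASAv.
APPLIANCE_OF_ENI = {
    "eni-0aaa-asav-outside": "asav",
    "eni-0bbb-asav-inside": "asav",
}

# Constructed: route table of the inside subnet (10.0.2.0/24). The remote
# subnet behind the VPN is reached via the ASAv inside interface.
INSIDE_SUBNET_RT = {
    "RouteTableId": "rtb-inside",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "192.168.50.0/24", "NetworkInterfaceId": "eni-0bbb-asav-inside"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0bbb-asav-inside"},
    ],
}

# Constructed: a gateway (ingress) route table associated with the VGW that
# hands traffic for the inside subnet to the ASAv outside interface.
VGW_INGRESS_RT = {
    "RouteTableId": "rtb-vgw-ingress",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.0.2.0/24", "NetworkInterfaceId": "eni-0aaa-asav-outside"},
    ],
}


def next_hop(route_table, dst_ip):
    """Longest-prefix-match lookup over a route table.

    Returns the route target ("local", a gateway ID or an ENI ID), or None
    when no route covers dst_ip.
    """
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for route in route_table["Routes"]:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net = net
            best_target = route.get("NetworkInterfaceId") or route.get("GatewayId")
    return best_target


def appliance_for(target):
    """Name of the inline appliance behind a route target, or None when the
    packet is delivered directly (local route, VGW, IGW ...)."""
    return APPLIANCE_OF_ENI.get(target)


def check_flow(ingress_rt, subnet_rt, remote_ip, instance_ip):
    """Compare the forward and return paths of one remote->instance flow.

    Forward: the VPN packet arrives via the VGW and is delivered under the
    gateway route table if one is associated, otherwise straight to the
    instance ("local"). Return: the instance's subnet route table decides.
    The flow is symmetric only if both directions cross the same appliance
    (or neither crosses one); a stateful firewall that sees only the SYN-ACK
    drops it, which is the symptom in the thread.
    """
    forward = next_hop(ingress_rt, instance_ip) if ingress_rt else "local"
    reverse = next_hop(subnet_rt, remote_ip)
    return {
        "forward": forward,
        "return": reverse,
        "symmetric": appliance_for(forward) == appliance_for(reverse),
    }


if __name__ == "__main__":
    remote, instance = "192.168.50.10", "10.0.2.20"
    # As posted: no gateway route table, so the SYN goes straight to the instance.
    print("no ingress table:  ", check_flow(None, INSIDE_SUBNET_RT, remote, instance))
    # With an ingress table steering the inside subnet through the ASAv outside ENI.
    print("with ingress table:", check_flow(VGW_INGRESS_RT, INSIDE_SUBNET_RT, remote, instance))
```

If the tunnel in fact terminates on the ASAv outside interface, substitute that ENI for the ingress lookup in `check_flow`; the value of the check is the side-by-side comparison of the two directions, which is what the ASAv's connection table is also doing when it drops the lone SYN-ACK.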
