02-13-2019 07:15 PM - edited 02-21-2020 08:48 AM
So I have been playing around with a basic scenario of a Linux EC2 VM on the inside subnet of the ASAv, a VPN to the VPC, and a static route to my remote subnet (opposite side of the VPN). I have tried custom route tables, routes on the EC2 VM, and route tables directly to an interface. Nothing works! It appears that the initial packet goes around the ASA to the EC2 VM, then the return SYN-ACK comes through the inside interface from the VM and is dropped because it was never initiated through the outside, since it went around it. What is the trick to force it through the outside and not around the firewall? My test was not from within the VPC but from the remote side of the VPN.
02-13-2019 08:15 PM
02-14-2019 04:09 AM
So the tunnel is up and works perfectly. It appears as if the SYN goes through the tunnel into AWS but is going around the ASAv, connecting to the device that is supposed to be behind inside. The SYN-ACK is coming from the EC2 but actually goes in the inside interface of the ASAv. ASAv sees this and drops it because the initial connection never originated from outside to inside. So effectively it's bypassing outside. Almost feels like a routing issue where I need to force packets into the outside interface of the ASA.