Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2433
Views
0
Helpful
4
Replies

AWS ASAv - Site to Site VPN Tunnel using Public IP as encryption domain

enriquecaballero
Level 1
Level 1

‎01-10-2019 04:56 PM - edited ‎02-21-2020 08:38 AM

Hello,

 

I am trying to figure it out the way to handle it for a client requesting this:

 

IPSec Peer IP Address ASAv-AWS: 53.1.2.3

IPSec Peer IP Address ASA-Client: 107.1.2.3

 

Encryption Domain ASAv-AWS: NAT PUBLIC (?)

Encryption Domain ASA-Client: 107.4.5.6

 

In my end I have 3 ENI (Inside / Outside / Management), but i am not sure how to handle the 2nd Public IP (Encryption Domain) in my end since i have some limitations on # of ENI attached on AWS ASAv, anyone did something similar on AWS ASAv?

 

Any help / clarification will be really appreciate it.

Thanks!

 

1 person had this problem
0 Helpful
4 Replies 4

enriquecaballero
Level 1
Level 1

‎01-10-2019 06:36 PM - edited ‎01-10-2019 06:37 PM

Can the Peer Public IP be the same as the Encryption Domain Public IP and handle it by NAT? Maybe that is the way to go?

0 Helpful

Dennis Mink
VIP Alumni
VIP Alumni

‎01-10-2019 06:48 PM - edited ‎01-10-2019 06:48 PM

the way I read it is that you set up an IPsec tunnel using the remote peer address of 107.1.2.3 on the non-AWS end, then add 107.4.5.6  as interesting traffic. But essentially you would get to go back to them, and clarify.

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

enriquecaballero
Level 1
Level 1
In response to Dennis Mink

‎01-10-2019 07:07 PM

On the AWS ASAv I will point the VPN to Peer 107.1.2.3 with 107.4.5.6 as interesting traffic and they will NAT to the proper destination ( i.e 107.4.5.6 ----> 10.1.1.10)

On the Non-AWS they are asking me for the Peer address which is my Public outside and the encryption domain Public IP so they could setup their side.

0 Helpful

enriquecaballero
Level 1
Level 1
In response to enriquecaballero

‎01-10-2019 08:06 PM - edited ‎01-10-2019 08:08 PM

I have setup a VPN from:

- my home ASA 50.2.2.8 --> to AWS ASAv 53.1.2.3 with the same Public Peer and Encryption Public Domain in both sides configurations (each its own ;) ). When i am generating interesting traffic from ASA 50.2.2.8, i am getting this debug on AWS ASAv:

 

Jan 11 03:58:40 [IKEv1]Group = 50.2.2.8, IP = 50.2.2.8, QM FSM error (P2 struct &0x00007f06301bc5f0, mess id 0xe72052b4)!
Jan 11 03:58:40 [IKEv1]Group = 50.2.2.8, IP = 50.2.2.8, Removing peer from correlator table failed, no match!
Jan 11 03:58:40 [IKEv1]Group = 50.2.2.8, IP = 50.2.2.8, Session is being torn down. Reason: crypto map policy not found

 

Now i have to figure it out how to solve that :)

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card