How to use a VPN alternative connection as management path

sawasa
Level 1

Hi all,

Some weeks ago I got help in this community regarding a management access configuration for my ASA, and I got advice from @Marius Gunnerud which I'm trying to follow here.

I have an ASA 5508, connected to the AWS cloud via AWS Direct Connect, which uses a cross-connect in the datacenter and communicates via BGP (this is not a VPN).

AWS net: 10.15.1.0/22
inside net behind the ASA: 10.50.3.0/24

As a backup path, I have now created a VPN connection that will take over in case the Direct Connect connection fails. The VPN terminates on the outside interface. It works, and I have tested the traffic by bringing down the Direct Connect one.
Also, I would like to use this second VPN connection as a management path, to be able to administer the ASA from AWS.

Since the BGP route takes priority over the VPN, I'm not sure how I can configure the ASA for the following:
- The traffic from/to the AWS 10.15.1.1/22 must go through the Direct Connect as it does now (working)
- The VPN has to stay configured from/to the AWS 10.15.1.1/22 as a backup route (working)
- The traffic from/to a specific IP in that range (let's say 10.15.1.2) must go through the VPN on the outside interface so I can administer from AWS.

I have tried a packet-tracer using the outside interface, but for some reason the traffic does not enter the VPN, which is up all the time.
I'm not sure if I have to enter a route towards the outside interface for just this one host. I don't want to cause traffic to be balanced onto the VPN path by doing this.

My relevant config is the following:

!
interface GigabitEthernet1/3.2
description "direct connect to AWS"
vlan 2
nameif directConnect
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/5
nameif if-inside
security-level 100
ip address 10.50.3.1 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
pppoe client vpdn group adslppp
ip address pppoe setroute
!

nat (directConnect,if-inside) source static AWS15 AWS15 destination static inside-net inside-net

For the VPN traffic, I use an ACL to filter:

!
access-list amzn-filter extended permit ip 10.50.3.0 255.255.255.0 object AWS15

Any advice on this would be very much appreciated,

Thank you!

5 Replies

You would need to do some traffic engineering on the AWS side. Have a look through the following link; it might give you some ideas on how to achieve this.

https://aws.amazon.com/blogs/architecture/internet-routing-and-traffic-engineering/

--
Please remember to select a correct answer and rate helpful posts

Thanks.
I consulted with my DevOps team, who don't see a way of doing that from the AWS side.

I'm thinking of enabling another interface in the ASA, giving it some IP address (maybe if-inside8 as 172.16.1.1), and routing towards that from AWS through the VPN. One problem I find with this set-up is that there is no link on this interface, so it won't come up unless we connect something to it.

Do you think this might work? I can have someone go to the datacenter to connect the interface just to bring the link up...

The interface needs to be up for you to be able to manage the ASA over VPN. You will also need to set the command management-access <interface name>, add the new interface IP to the crypto ACL, and add it to the NAT exempt / twice NAT statement.

It is a way around this issue.

I am no expert in AWS architecture, but I am surprised that AWS doesn't have some form of policy-based routing (or similar).

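The three pieces the reply above lists (management-access, crypto ACL entry, NAT exemption), written out as an added ASA configuration example that is not from this thread. It assumes the new management interface is GigabitEthernet1/4 (placeholder), named if-inside8 with 172.16.1.1/24 as the poster proposed, and that the AWS management host is 10.15.1.2; object names are made up here.

```text
! Added example, not the poster's running config.
! GigabitEthernet1/4 is a placeholder; adjust to the physical port in use.
interface GigabitEthernet1/4
 nameif if-inside8
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
object network obj-if-inside8-net
 subnet 172.16.1.0 255.255.255.0
object network obj-AWS_host
 host 10.15.1.2
!
! Let management sessions (SSH/ASDM) that arrive through the VPN on
! "outside" terminate on the if-inside8 address.
management-access if-inside8
!
! Crypto ACL: only the management pair rides the tunnel, so the bulk
! 10.15.1.0/22 <-> 10.50.3.0/24 traffic still prefers the BGP path.
access-list amzn-filter extended permit ip 172.16.1.0 255.255.255.0 host 10.15.1.2
!
! Identity (NAT-exempt) twice NAT, scoped to the management pair instead
! of "any any". Without the route-lookup keyword the ASA takes the egress
! interface from this rule (outside), so replies to 10.15.1.2 sourced from
! if-inside8 go back into the tunnel instead of following the BGP route
! out directConnect. Traffic the ASA itself sends to 10.15.1.2 from other
! interfaces (RADIUS, syslog) does not match this rule and keeps using BGP.
nat (if-inside8,outside) source static obj-if-inside8-net obj-if-inside8-net destination static obj-AWS_host obj-AWS_host no-proxy-arp
!
! Limit which source may open management sessions on the new interface.
ssh 10.15.1.2 255.255.255.255 if-inside8
http server enable
http 10.15.1.2 255.255.255.255 if-inside8
```

Verify with packet-tracer from if-inside8 to 10.15.1.2 that the egress interface shown is outside and the VPN phase is matched; if the NAT rule carries route-lookup, the BGP route wins instead.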

Hi @Marius Gunnerud,

Thanks a lot for your help. Someone went to the datacenter and connected the interface, so now it's up.

For clarity, I will call the host in AWS that has to access the ASA AWS_host (10.15.1.2).

The VPN path is set up through the "outside" interface, so I have added the twice NAT statement, plus the ACL into the crypto map.

nat (if-inside8,outside) source static any any

access-list amzn-filter extended permit ip interface if-inside8 host 10.15.1.2

I know I should be more specific in the NAT rule, I'm going to change that. 

Generating traffic from AWS_host, I can see the traffic in the tunnel growing. However, I'm not sure whether the ASA is trying to route it back through the BGP routing, since AWS_host belongs to the same network that is announced in BGP.

show bgp

Network Next Hop Metric LocPrf Weight Path
*> 10.15.0.0/16 x.x.x.x 0 AS number i
*> 10.50.3.0/24 0.0.0.0 0 i

I was hoping that since the traffic comes in through the VPN tunnel, the ASA would simply reply to it the same way it came.
I'm going to place some traffic captures to confirm whether it is replying through the directConnect interface. If so, how can I force it to reply through the VPN?

Additionally, the firewall uses this AWS_host as a RADIUS server (which is not responding, but that is another issue) and to deliver logs (the logs are delivered fine). So it is fine to route through the directConnect to AWS_host when the traffic is initiated from the firewall. Only for the management traffic between interface8 and AWS_host should the VPN do the trick.

Thank you for your help.

What terminates the VPN on the AWS side?

You could use an unused IP instead of the real ASA IP and route that towards the VPN. Then NAT that IP to the ASA IP you want to manage.
