06-10-2020 07:29 PM
Hello,
Can you advise , is it possible to configure Cisco ASA side with Policy Based Site to Site VPN and AWS side Route Based VPN ?
So far I know AWS does support only ROUTE based VPN.
06-11-2020 02:50 AM - edited 06-11-2020 05:35 AM
It is. As far as I know, you won't be able to have an active/active scenario with 2 redundant DC sites they provide. You will have an active/passive scenario with an IP SLA in your side and DPD for failovering purposes (and two crypto map peering to AWS DC peers).
06-11-2020 06:37 AM
Thank You for quick reply. And that does work without below global commands ? My fear is if I add below Global Commands it will impact my other existing VPN on same VPN Box and I want to avoid that.
crypto ipsec df-bit clear-df 'outside_interface'
sysopt connection tcpmss 1379
crypto ipsec security-association replay window-size 128
crypto ipsec fragmentation before-encryption 'outside_interface'
06-11-2020 06:45 AM
And that worked on 9.9 version or around this version ?
06-14-2020 03:50 AM
You do not need those commands for the AWS VPN to work. If you have active L2L VPNs up and running, it is ok if you do not apply them. Anyways, I think the DF bit set can be configured under cryptomap configuration, instead of globally.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide