07-13-2021 01:44 AM - edited 07-13-2021 01:46 AM
Hello,
I have a Cisco ASA on a particular site. This is a POC setup. There are 3 servers which are directly connected to the firewall (we avoid having a switch as we only have 3 servers, so we use Ethernet ports on the ASA itself). Now the Internet provider in this area will take some time to commission the data line.
I have to establish a VPN (site to site) with AWS because my servers connected to the ASA need to talk to AWS services.
The datacenter guy said that the new Internet connection takes time. There is already a router in the datacenter (I think from Huawei) which has a direct Internet connection.
He said to connect my ASA to that router and then establish a VPN. The same router is a kind of shared router and many other companies are connecting their network devices to this same Huawei router (same reason, as service provider connectivity is poor).
My question is: is it possible to establish a VPN between the ASA and AWS considering that the public IP is on the Huawei and not on the ASA? Is the DC guy referring to a dynamic VPN (which is something I don't want)?
From my view, the VPN will be between AWS and the Huawei and then there is plaintext traffic between the Huawei and the ASA.
Any suggestions?
07-13-2021 08:46 PM
Anyone please?
07-14-2021 06:39 AM
Hi!
Do you have access to the Huawei router? If not, can you ask someone (perhaps the DC guy) to set up SNAT on it for your ASA's IP?
I think if you were to use NAT-T and set up the VPN endpoint on the ASA itself, instead of the Huawei router, then your concerns should be addressed.
The packet won't be in plaintext at the Huawei router. Additionally, you may have to ask the DC guy to get a free Public IP for the SNAT, but this should be (relatively) much quicker than ordering the circuit.
Hope this helps.
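The NAT-T behaviour mentioned above, shown as an added Python example that is not from this thread: it walks through the IKEv2 NAT detection hashes (RFC 7296 section 2.23) for an ASA sitting behind a PAT router with a single public IP, so you can see how both peers learn that the ASA, not AWS, is behind NAT. All addresses, ports and SPIs are constructed sample values.

```python
import hashlib
import ipaddress
import struct

ZERO_SPI = bytes(8)  # SPIr is all zeros in the IKE_SA_INIT request


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    # NAT_DETECTION_*_IP notify data: SHA-1(SPIi | SPIr | IP | port), RFC 7296 section 2.23
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(received: bytes, spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bool:
    # The receiver recomputes the hash over the address/port it actually observed (or over
    # its own address); any difference means a NAT rewrote an address or port on the path.
    return received != nat_detection_hash(spi_i, spi_r, ip, port)


def ike_sa_init_nat_check(asa_private, asa_after_pat, aws_public, spi_i, spi_r):
    """Simulate NAT detection in one IKE_SA_INIT exchange.
    asa_private   : (ip, port) the ASA itself uses on its link to the Huawei router
    asa_after_pat : (ip, port) of the same packet after the router's PAT (its public IP)
    aws_public    : (ip, port) of the AWS VPN endpoint, which has no NAT in front of it
    Returns (asa_behind_nat, aws_behind_nat) as the two peers conclude."""
    # Request (ASA -> AWS): both hashes are computed over the ASA's own view of addresses
    req_src = nat_detection_hash(spi_i, ZERO_SPI, *asa_private)
    req_dst = nat_detection_hash(spi_i, ZERO_SPI, *aws_public)
    # AWS checks the source hash against the source it saw, i.e. the Huawei public IP/port
    aws_sees_asa_nat = nat_detected(req_src, spi_i, ZERO_SPI, *asa_after_pat)
    aws_sees_self_nat = nat_detected(req_dst, spi_i, ZERO_SPI, *aws_public)
    # Response (AWS -> ASA): AWS hashes its own address and the source it observed
    resp_src = nat_detection_hash(spi_i, spi_r, *aws_public)
    resp_dst = nat_detection_hash(spi_i, spi_r, *asa_after_pat)
    # The ASA checks AWS's source hash (unchanged, so it matches) and the destination hash
    # against its own private address, which no longer matches after PAT
    asa_sees_aws_nat = nat_detected(resp_src, spi_i, spi_r, *aws_public)
    asa_sees_self_nat = nat_detected(resp_dst, spi_i, spi_r, *asa_private)
    return (asa_sees_self_nat and aws_sees_asa_nat, aws_sees_self_nat or asa_sees_aws_nat)


# Constructed sample values (RFC 5737 documentation ranges), not taken from the thread
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")
ASA_PRIVATE = ("192.0.2.10", 500)
ASA_AFTER_PAT = ("198.51.100.7", 61005)  # Huawei public IP; PAT also rewrites the port
AWS_PUBLIC = ("203.0.113.20", 500)

if __name__ == "__main__":
    asa_nat, aws_nat = ike_sa_init_nat_check(ASA_PRIVATE, ASA_AFTER_PAT, AWS_PUBLIC, SPI_I, SPI_R)
    print(f"NAT in front of ASA: {asa_nat}, NAT in front of AWS: {aws_nat}")
```

Once NAT is detected this way, both peers move IKE to UDP 4500 and carry ESP inside UDP 4500 as well, which is why the shared router's PAT only ever has to translate UDP and never raw ESP.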
07-14-2021 06:48 AM - edited 07-14-2021 06:50 AM
Hi @somsinha, thanks.
Yes, the VPN has to be built between the ASA and AWS and not between the Huawei router and AWS.
This Huawei router is being used by many other companies for Internet exit. This is the only router (or device) having an Internet connection, and companies are putting their VPN devices behind this router only to use the public IP address of this router.
I don't have access to the Huawei router, but we can ask to enable NAT-T on it (I believe it is already enabled). There is only 1 public IP address assigned to the outside interface of the Huawei router and there is no possibility to have a separate IP address.
Also, does this VPN work in both directions? I mean from the network behind the ASA to AWS and also if someone behind AWS initiates a connection toward the network behind the ASA.
Do I have to define the public IP of the Huawei in the ASA config or only the interface between the ASA and the Huawei?
Also, does AWS also have to define the public IP of the Huawei as the peer IP?
Is this not a dynamic VPN?
07-19-2021 02:26 AM
Hi, can anyone help here?
The VPN needs to be built between the ASA and the third-party AWS.
The router has only 1 public IP address assigned to its outside interface. There is no extra public IP address other than this on the router.
Can we make a VPN with this setup? In main mode or aggressive mode?
07-19-2021 03:57 AM
07-19-2021 05:57 AM
@Georg Pauwen Thanks a lot; this means we can work with main mode and not necessarily aggressive mode?
Do we need a Layer 3 connection between the ASA and the router or only Layer 2?
I am thinking of accessing the ASA (admin management access) through this tunnel.
07-19-2021 07:41 AM
I have set up site to site vpn where my vpn device (mostly my experience is with routers doing this but should work also for ASA) was behind a router that was shared by other organizations. It works well if you can have a static translation of some Public IP to the private address used by the vpn device. But if the Huawei has a single Public IP and is shared by other companies who are also doing vpn then I suspect that you will not be able to get a static translation.
If you cannot get a static translation then you might be able to set up a vpn on the ASA going through Huawei and getting dynamically translated. If you do this you would need to initiate the vpn session. AWS would respond to a vpn request but would not be able to initiate a vpn request. I am not sure how you would set this up with AWS and suspect it would be problematic.
If other companies have set this up and have it running perhaps you can get some insight from the DC guy about how they have done this?
07-19-2021 08:07 AM
Hi @Richard Burts, thanks a lot for your inputs. I have asked the DC guy the same question.
It would be problematic to have dynamic NAT then, as we want connections to be initiated from both ends of the tunnel.
07-19-2021 08:55 AM
I understand that you prefer not to use Dynamic and that you want both ends to be able to initiate the vpn session. Given the constraints that are placed on you I do not see how to accomplish it.
A common approach in your type of situation would be static nat for your ASA address with a Public IP. But Huawei has only a single Public IP. So static nat would not work.
Another common approach in your type of situation would be port forwarding in which packets to the Public IP for the vpn ports are translated and forwarded to your ASA. But that would mess up all the other companies using vpn through Huawei.
If you could get the remote peer to use non standard ports for vpn traffic (most especially ISAKMP and ESP) then you could use port forwarding for those ports. But I do not think that AWS would want to do that.
I am not clear what other approach (other than Dynamic) would work. I will be very interested in what the DC guy says about how other companies are getting it to work.
07-19-2021 10:13 AM
@Richard Burts Hi Richard, if we make use of a probe to always ping the remote end IP of AWS, for example we create a loopback interface on the ASA and ping from this loopback any IP on the AWS side, so that the tunnel always remains active,
can we then say that AWS can initiate a connection on an active tunnel?
07-19-2021 01:25 PM
We are using the term initiate in somewhat different ways. When I discuss initiate the vpn I am talking about situations where the vpn is not up and who can initiate the vpn connection and bring the tunnel up. You are talking about initiating a connection on an already active tunnel. Certainly when the tunnel is up and active then either side can initiate communication over the active tunnel.
07-20-2021 02:21 AM
Hi @Richard Burts, yes, I understood that either side can initiate a connection once the tunnel is active.
However, to keep the tunnel always up/alive, what is your suggestion?
Do we make a continuous ping between the servers at each end of the tunnel?