VPN establishment

skywalker_007

Hello,

I have a Cisco ASA on a particular site. This is a POC setup. There are 3 servers which are directly connected to the firewall (we avoid having a switch as we only have 3 servers, so we use the Ethernet ports on the ASA itself). Now the Internet provider in this area will take some time to commission the data line.

I have to establish a VPN (site to site) with AWS because my servers connected to the ASA need to talk to AWS services.

The datacenter guy said that the new Internet connection takes time. There is already a router in the datacenter (I think from Huawei) which has a direct Internet connection.

He said to connect my ASA to that router and then establish a VPN. The same router is a kind of shared router and many other companies are connecting their network devices to this same Huawei router (for the same reason, as service provider connectivity is poor).

My question is: is it possible to establish a VPN between ASA and AWS considering that the public IP is on the Huawei and not on the ASA? Is the DC guy referring to a dynamic VPN (which is something I don't want)?

From my view, the VPN will be between AWS and Huawei and then there is plain text traffic between Huawei and ASA.

Any suggestions?

12 Replies

skywalker_007

Anyone please?

somsinha (Cisco Employee)

Hi!

Do you have access to the Huawei router? If not, can you ask someone (perhaps the DC guy) to set up SNAT on it for your ASA's IP?

I think if you were to use NAT-T and set up the VPN endpoint on the ASA itself, instead of the Huawei router, then your concerns should be addressed.

The packet won't be in plaintext at the Huawei router. Additionally, you may have to ask the DC guy to get a free public IP for the SNAT, but this should be (relatively) much quicker than ordering the circuit.

Hope this helps.

Hi @somsinha, thanks.

Yes, the VPN has to be built between ASA and AWS and not between the Huawei router and AWS.

This Huawei router is being used by many other companies for the exit to the Internet. This is the only router (or device) having an Internet connection, and companies are putting their VPN devices behind this router only to use the public IP address of this router.

I don't have access to the Huawei router, but we can ask to enable NAT-T on it (I believe it is already enabled). There is only 1 public IP address assigned to the outside interface of the Huawei router and there is no possibility to have a separate IP address.

Also, does this VPN work in both directions? I mean from the network behind the ASA to AWS, and also if someone behind AWS initiates a connection toward the network behind the ASA.

Do I have to define the public IP of the Huawei in the ASA config, or only the interface between ASA and Huawei?

Also, does AWS have to define the public IP of the Huawei as the peer IP?

Is this not a dynamic VPN?

Hi, can anyone help here?

The VPN needs to be built between the ASA and a 3rd party (AWS).

The router has only 1 public IP address assigned to its outside interface. There is no extra public IP address other than this on the router.

Can we make a VPN with this setup? In main mode or aggressive mode?

Hello,

with NAT-T enabled on the Huawei, this should work. Attached is the AWS sample config for the ASA (your) side....
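As an added illustration of the NAT-T mechanism the two replies above rely on (this is not code from the thread, from Cisco or from AWS): a model of the IKEv2 NAT-detection hashes, with constructed addresses, ports and SPIs. It shows why the AWS side ends up seeing the Huawei's public IP as the peer while the ASA still terminates the tunnel, and why the translated side has to send the first packet.

```python
"""Added example, not from the thread or from Cisco/AWS: a model of the IKEv2
NAT-detection step (RFC 7296 section 2.23) that lets a private-address ASA
peer with AWS through the Huawei router's single public IP. All addresses,
ports and SPIs are constructed placeholders."""
import hashlib
import ipaddress
import struct

ASA_PRIVATE = ("10.0.0.2", 500)       # ASA outside interface, behind the Huawei
HUAWEI_PUBLIC = ("198.51.100.1", 500)  # source AWS really sees after translation
AWS_PEER = ("203.0.113.10", 500)       # AWS endpoint, the peer address in the ASA config
SPI_I = bytes.fromhex("0011223344556677")  # 8-byte IKE SPIs (SPIr is zero in the very
SPI_R = bytes.fromhex("8899aabbccddeeff")  # first message; kept constant here for brevity)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP:
    SHA-1 over SPIi | SPIr | IP address | UDP port."""
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_payloads(spi_i, spi_r, src, dst):
    """A peer hashes the addresses *it* believes it sends from and to."""
    return {"src": nat_detection_hash(spi_i, spi_r, *src),
            "dst": nat_detection_hash(spi_i, spi_r, *dst)}


def detect_nat(spi_i, spi_r, payloads, observed_src, my_addr):
    """Receiver recomputes over the source it actually saw on the wire and over
    its own address; a mismatch means a NAT rewrote that address in transit.
    Returns (sender_behind_nat, receiver_behind_nat)."""
    sender_nat = nat_detection_hash(spi_i, spi_r, *observed_src) != payloads["src"]
    receiver_nat = nat_detection_hash(spi_i, spi_r, *my_addr) != payloads["dst"]
    return sender_nat, receiver_nat


def run_exchange():
    """IKE_SA_INIT in both directions through the Huawei; the ASA must send
    first, because the translation entry only exists after an outbound packet."""
    asa_payloads = build_nat_payloads(SPI_I, SPI_R, ASA_PRIVATE, AWS_PEER)
    asa_nat, aws_nat = detect_nat(SPI_I, SPI_R, asa_payloads, HUAWEI_PUBLIC, AWS_PEER)
    # AWS answers the observed public address; the Huawei maps it back to the ASA.
    aws_payloads = build_nat_payloads(SPI_I, SPI_R, AWS_PEER, HUAWEI_PUBLIC)
    aws_nat2, asa_nat2 = detect_nat(SPI_I, SPI_R, aws_payloads, AWS_PEER, ASA_PRIVATE)
    return {"asa_behind_nat": asa_nat and asa_nat2,
            "aws_behind_nat": aws_nat or aws_nat2,
            # once NAT is seen on either side, IKE and ESP switch to UDP/4500 (RFC 3948)
            "udp_4500": asa_nat or aws_nat or aws_nat2 or asa_nat2}
```

With NAT detected, both IKE and the ESP traffic travel inside UDP/4500 through the Huawei, so the plaintext never leaves the ASA; the router only sees translated UDP.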

@Georg Pauwen, thanks a lot. This means we can work with main mode and not necessarily aggressive mode?

Do we need a Layer 3 connection between ASA and router, or only Layer 2?

I am thinking of accessing the ASA (admin management access) through this tunnel.

I have set up site to site vpn where my vpn device (mostly my experience is with routers doing this but should work also for ASA) was behind a router that was shared by other organizations. It works well if you can have a static translation of some Public IP to the private address used by the vpn device. But if the Huawei has a single Public IP and is shared by other companies who are also doing vpn then I suspect that you will not be able to get a static translation. 

If you can not get a static translation then you might be able to set up a vpn on the ASA going through Huawei and getting dynamically translated. If you do this you would need to initiate the vpn session. AWS would respond to a vpn request but would not be able to initiate a vpn request. I am not sure how you would set this up with AWS and suspect it would be problematic.

If other companies have set this up and have it running perhaps you can get some insight from the DC guy about how they have done this?

HTH

Rick

Hi @Richard Burts, thanks a lot for your inputs. I have asked the DC guy the same question.

It would be problematic to have dynamic NAT then, as we want connections to be initiated from both ends of the tunnel.

I understand that you prefer not to use Dynamic and that you want both ends to be able to initiate the vpn session. Given the constraints that are placed on you I do not see how to accomplish it.

A common approach in your type of situation would be static nat for your ASA address with a Public IP. But Huawei has only a single Public IP. So static nat would not work.

Another common approach in your type of situation would be port forwarding in which packets to the Public IP for the vpn ports are translated and forwarded to your ASA. But that would mess up all the other companies using vpn through Huawei.

If you could get the remote peer to use non standard ports for vpn traffic (most especially ISAKMP and ESP) then you could use port forwarding for those ports. But I do not think that AWS would want to do that.

I am not clear what other approach (other than Dynamic) would work. I will be very interested in what the DC guy says about how other companies are getting it to work.

HTH

Rick

@Richard Burts, hi Richard. If we make use of a probe to always ping the remote end IP of AWS, for example we create a loopback interface on the ASA and ping from this loopback any IP on the AWS side so that the tunnel always remains active,

can we then say that AWS can initiate a connection on an active tunnel?

We are using the term initiate in somewhat different ways. When I discuss initiate the vpn I am talking about situations where the vpn is not up and who can initiate the vpn connection and bring the tunnel up. You are talking about initiating a connection on an already active tunnel. Certainly when the tunnel is up and active then either side can initiate communication over the active tunnel.

HTH

Rick

Hi @Richard Burts, yes, I understood that either side can initiate a connection once the tunnel is active.

However, to make the tunnel always active, or to keep the tunnel always up/alive, what is your suggestion?

Do we make a continuous ping between the servers at each end of the tunnel?
