08-01-2025 02:59 PM
Hi there, could you please suggest a good reference document where my traffic will flow as "strongSwan VPN --> AWS NLB --> AWS EC2-based NAT --> ASAv --> backend network"? Trying to understand how the setup would be for this use case, and if there is any reference document available, please?
08-02-2025 03:45 AM
Hello @sudsark. Yes, check these resources:
1. AWS hybrid VPN reference architecture: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
2. NLB + EC2 NAT setup: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
3. ASAv in AWS, which is a Cisco guide: https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/asav/getting-started/asav-915-gsg/m_asav-aws.html
Hope it helps.....
-Enes
08-04-2025 05:55 AM
I worked on a similar setup where traffic flowed through a VPN, NLB, NAT, and then ASAv. The tricky part was configuring routing tables and security groups correctly to allow traffic from the NAT instance to the ASAv. Cisco’s and AWS’s official docs combined with some trial and error helped me.
08-07-2025 08:55 AM
Thanks Zayanhani, I am stuck in that setup, especially not seeing encaps on the ASA side. I am able to initiate traffic from the strongSwan network side and see the traffic encrypted and sent over to the ASAv, and then it is not able to reach the target.
Also, when I initiate traffic from the ASAv side to the strongSwan, I don't see traffic coming into the ASA at all (no encaps either).
Seems like the translation of traffic in the ASA is not happening, while the setup of other tunnels is working fine in the same ASAv. The only difference here is that this specific tunnel is going through NLB and NAT. Any suggestion would be greatly appreciated.
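Since the symptom above is "decaps but no encaps" on one tunnel while other tunnels on the same ASAv are fine, the first thing to pin down is which direction is actually failing per SA. The following script is an added example (not from the original thread, Cisco, or AWS) that parses the counter and endpoint lines of `show crypto ipsec sa` output and reports, per crypto map entry, whether packets flow in both directions and whether the SA is running over NAT-T (UDP 4500, which is what an SA has to use when there is a NAT or an NLB in the path). The sample output is constructed to mirror the ASA format as I know it from memory; the field layout is an assumption and may differ slightly between ASA versions, so adjust the regular expressions against your own output.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show crypto ipsec sa` output with two SAs.
# SA 1 mirrors the symptom in the thread (decaps only, NAT-T on UDP 4500);
# SA 2 is a healthy tunnel on plain UDP 500 / ESP. Not captured from a real ASAv.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 10.0.1.10

      local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 142, #pkts decrypt: 142, #pkts verify: 142
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.1.10/4500, remote crypto endpt.: 203.0.113.5/4500

    Crypto map tag: outside_map, seq num: 2, local addr: 10.0.1.10

      local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 310, #pkts encrypt: 310, #pkts digest: 310
      #pkts decaps: 298, #pkts decrypt: 298, #pkts verify: 298
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.1.10/500, remote crypto endpt.: 198.51.100.7/500
"""


@dataclass
class SaStatus:
    peer: str
    remote_net: str   # "addr/mask" from the remote ident line
    encaps: int
    decaps: int
    nat_t: bool       # True when both crypto endpoints sit on UDP 4500
    verdict: str


# Zero-width split so each chunk starts with its own "Crypto map tag:" line.
SA_SPLIT = re.compile(r"(?=Crypto map tag:)")


def classify(encaps: int, decaps: int) -> str:
    """Turn the two packet counters into a direction verdict."""
    if encaps == 0 and decaps == 0:
        return "idle: no traffic in either direction"
    if encaps == 0:
        return ("one-way: decaps only; outbound traffic never matches this crypto map entry "
                "(check the NAT exemption for the protected networks and the route toward the peer)")
    if decaps == 0:
        return ("one-way: encaps only; nothing returns from the peer "
                "(check the return path and that UDP 500/4500 are forwarded through the NLB and NAT)")
    return "bidirectional"


def parse_ipsec_sa(text: str) -> list:
    """Parse every SA block in `show crypto ipsec sa` output into an SaStatus."""
    results = []
    for chunk in SA_SPLIT.split(text):
        if "Crypto map tag:" not in chunk:
            continue  # preamble such as the "interface:" line
        peer = re.search(r"current_peer:\s*(\S+)", chunk)
        remote = re.search(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/", chunk)
        encaps = re.search(r"#pkts encaps:\s*(\d+)", chunk)
        decaps = re.search(r"#pkts decaps:\s*(\d+)", chunk)
        ports = re.search(r"local crypto endpt\.: \S+?/(\d+), remote crypto endpt\.: \S+?/(\d+)", chunk)
        if not (peer and remote and encaps and decaps):
            continue  # incomplete block; skip rather than guess
        enc, dec = int(encaps.group(1)), int(decaps.group(1))
        nat_t = bool(ports) and ports.group(1) == "4500" and ports.group(2) == "4500"
        results.append(SaStatus(
            peer=peer.group(1),
            remote_net=f"{remote.group(1)}/{remote.group(2)}",
            encaps=enc,
            decaps=dec,
            nat_t=nat_t,
            verdict=classify(enc, dec),
        ))
    return results


def report(text: str) -> list:
    """One human-readable line per SA, suitable for pasting back into a thread."""
    lines = []
    for sa in parse_ipsec_sa(text):
        transport = "NAT-T (UDP 4500)" if sa.nat_t else "UDP 500 + ESP"
        lines.append(f"peer {sa.peer} -> {sa.remote_net}: encaps={sa.encaps} decaps={sa.decaps} "
                     f"[{transport}] {sa.verdict}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Run it against the real output of `show crypto ipsec sa` (paste it in place of `SAMPLE_OUTPUT`, or read it from a file). A tunnel that shows decaps but zero encaps is receiving the peer's traffic fine, so the IKE/NAT-T path through the NLB and NAT instance is not the problem for that direction; the outbound side is failing before encryption, which is why the script points at NAT exemption and routing on the ASA. A tunnel that is not on port 4500 while sitting behind a NAT is a separate finding worth checking, since raw ESP will not survive the address translation.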