cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11235
Views
0
Helpful
8
Replies

Amazon VPC with Cisco ASA

ZooplaPaul
Level 1
Level 1

Hi all,

I'm planned to create a site-to-site VPN with an Amazon Virtual Private Cloud (VPC).  Our currentl gateway is a Cisco ASA 5520 which we had set up previously with multiple site-to-site VPNs with no problem.  While finding out more about the Amazon VPC a guy on the Amazon forums says that the ASA 5520 cannot support a site-to-site with a VPC because it doesn't support the required features, namely binding tunnels to logical interfaces (route-based VPN).  Is this true?  It's a bit irritating if it can't because the ASA was very expensive.  If this is true is there anything that can be done?  I have a spare Cisco 3600 router lying around, could that be used?

Amazon generate a Cisco config file once you have create a VPC to be used as a guide but our ASA doesn't seem to be having any of it:

                                                                                                                               
VPNCONNECTION     vpn-83f5ddf7     available     ipsec.1     cgw-7ff6de0b     vgw-17f6de63
! Amazon Web Services
! Virtual Private Cloud

! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and VPN Gateway Identifier.
!
! Your VPN Connection ID   : vpn-xxxxx
! Your VPN Gateway ID      : vgw-xxxxx
! Your Customer Gateway ID : cgw-xxxxx
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #200, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto isakmp policy 200
  encryption aes 128
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
exit

! The ISAKMP keyring stores the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
crypto keyring keyring-vpn-83f5ddf7-0
  pre-shared-key address x.x.x.x key xxxxxxxxxxxxxxxx
exit

! An ISAKMP profile is used to associate the keyring with the particular
! endpoint.
!
crypto isakmp profile isakmp-vpn-xxxxxxx
  match identity address x.x.x.x
  keyring keyring-vpn-xxxxxxx

! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set ipsec-prop-vpn-xxxxxxxx esp-aes 128 esp-sha-hmac
  mode tunnel
exit

! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-xxxxxxxx
  set pfs group2
  set security-association lifetime seconds 3600
  set transform-set ipsec-prop-vpn-xxxxxx
exit

! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear

! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand

! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128

! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption
 

! #3: Tunnel Interface Configuration

! This configuration assumes the presence of an internal
! Virtual Routing and Forwarding (VRF) instance. For more details, see the
! associated diagram. Here, we assume the internal VRF is named "YOUR_VRF".
!
ip vrf YOUR_VRF
  rd 1:1
exit

! A tunnel interface is configured to be the logical interface associated 
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! The interface is a member of the internal routing instance (YOUR_VRF).
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! This example shows the outside of the tunnel as interface FastEthernet0.
!
! This should be set to the interface that IP address 213.121.253.125 is
! associated with.
!
! This address is configured with the setup for your Customer Gateway.
!
! If the address changes, the Customer Gateway and VPN Connection must be
! recreated with AWS.
!
interface Tunnel1
  ip vrf forwarding YOUR_VRF
  ip address 169.254.254.2 255.255.255.252
  ip virtual-reassembly
  tunnel source FastEthernet0
  tunnel destination x.x.x.x
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-vpn-xxxxxxxx
  ! This option causes the router to reduce the Maximum Segment Size of
  ! TCP packets to prevent packet fragmentation.
  ip tcp adjust-mss 1396
  no shutdown
exit

! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!                                                                                    
! BGP is used within the tunnel to exchange prefixes between the
! VPN Gateway and your Customer Gateway. The VPN Gateway   
! will announce the prefix corresponding to your VPC.
!           
! Your Customer Gateway must announce a default route (0.0.0.0/0),
! which can be done with the 'network' and 'default-originate' statements.
! Only one prefix is accepted by the VPN Gateway.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65212) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
router bgp 65212
  neighbor 169.254.254.1 remote-as 9059
  neighbor 169.254.254.1 activate
  neighbor 169.254.254.1 timers 10 30 30
  address-family ipv4 unicast vrf YOUR_VRF
    neighbor 169.254.254.1 remote-as 9059
    neighbor 169.254.254.1 timers 10 30 30
    neighbor 169.254.254.1 default-originate
    neighbor 169.254.254.1 activate
    neighbor 169.254.254.1 soft-reconfiguration inbound
    network 0.0.0.0
  exit
exit
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #201, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto isakmp policy 201
  encryption aes 128
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
exit

! The ISAKMP keyring stores the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
crypto keyring keyring-vpn-xxxxxxx
  pre-shared-key address x.x.x.x key xxxxxxxxxxxxxx
exit

! An ISAKMP profile is used to associate the keyring with the particular
! endpoint.
!
crypto isakmp profile isakmp-vpn-xxxxxxx
  match identity address x.x.x.x
  keyring keyring-vpn-xxxxxxx
exit

! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set ipsec-prop-vpn-xxxxxxxx esp-aes 128 esp-sha-hmac
  mode tunnel
exit

! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-xxxxxxxx
  set pfs group2
  set security-association lifetime seconds 3600
  set transform-set ipsec-prop-vpn-xxxxxxx
exit

! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear

! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand

! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128

! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption
 

! #3: Tunnel Interface Configuration

! This configuration assumes the presence of an internal
! Virtual Routing and Forwarding (VRF) instance. For more details, see the
! associated diagram. Here, we assume the internal VRF is named "YOUR_VRF".
!
ip vrf YOUR_VRF
  rd 1:1
exit

! A tunnel interface is configured to be the logical interface associated 
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! The interface is a member of the internal routing instance (YOUR_VRF).
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! This example shows the outside of the tunnel as interface FastEthernet0.
!
! This should be set to the interface that IP address x.x.x.x is
! associated with.
!
! This address is configured with the setup for your Customer Gateway.
!
! If the address changes, the Customer Gateway and VPN Connection must be
! recreated with AWS.
!
interface Tunnel2
  ip vrf forwarding YOUR_VRF
  ip address 169.254.254.6 255.255.255.252
  ip virtual-reassembly
  tunnel source FastEthernet0
  tunnel destination x.x.x.x
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-vpn-xxxxxxxx
  ! This option causes the router to reduce the Maximum Segment Size of
  ! TCP packets to prevent packet fragmentation.
  ip tcp adjust-mss 1396
  no shutdown
exit

! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!                                                                                    
! BGP is used within the tunnel to exchange prefixes between the
! VPN Gateway and your Customer Gateway. The VPN Gateway   
! will announce the prefix corresponding to your VPC.
!           
! Your Customer Gateway must announce a default route (0.0.0.0/0),
! which can be done with the 'network' and 'default-originate' statements.
! Only one prefix is accepted by the VPN Gateway.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65212) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
router bgp 65212
  neighbor 169.254.254.5 remote-as 9059
  neighbor 169.254.254.5 activate
  neighbor 169.254.254.5 timers 10 30 30
  address-family ipv4 unicast vrf YOUR_VRF
    neighbor 169.254.254.5 remote-as 9059
    neighbor 169.254.254.5 timers 10 30 30
    neighbor 169.254.254.5 default-originate
    neighbor 169.254.254.5 activate
    neighbor 169.254.254.5 soft-reconfiguration inbound
    network 0.0.0.0
  exit
exit
!

! To establish connectivity between your internal network and your VPC, you
! must have an interface facing your internal network in the "YOUR_VRF" VRF.
! This is done using configuration like that shown below.
!interface FastEthernet1
!  ip vrf forwarding YOUR_VRF
!exit


! Additional Notes and Questions
!  - Amazon Virtual Private Cloud Getting Started Guide:
!       http://docs.amazonwebservices.com/AWSVPC/latest/GettingStartedGuide
!  - Amazon Virtual Private Cloud Network Administrator Guide:
!       http://docs.amazonwebservices.com/AWSVPC/latest/NetworkAdminGuide
!  - XSL Version: 2009-07-15-207071
VPNCONNECTION     vpn-xxxxx     deleted     ipsec.1     xxxxx     vgw-xxxxxx




Many help would be much appreciated.

Regards
Paul.
8 Replies 8

Jennifer Halim
Cisco Employee
Cisco Employee

You are absolutely correct. ASA does not support VRF, nor GRE tunnel, nor BGP configuration.

The config file that has been posted will work well on Cisco router, and yes, you can use the 3600 router that you have to run the GRE over IPSec on VRF configuration.

Thanks for the quick reply mate.

So would I use the 3600 in conjunction with the ASA?  This would be preferable as our remote client VPN is set up on the ASA.  I'm guessing that I would put the 3600 as the gateway and have the ASA sit behind it?

That probably needs to be look into a little bit more in terms of routing, etc etc.

You can place the router outside interface in paralel with the ASA, and all traffic that has been decrypted on the router to be passed through to the ASA for another layer of security. However, you would need to design all the ip addressing prior to make sure that routing does not break.

Hi halijenn

Thanks for replying again.  I have created a network diagram of my interpretation of the setup.  Would you mind having a quick look? (See attached image).

We have 2 public IP addresses at our office, and have previously run two firewalls in tandem.  My understanding is that if I have our current ASA as it is (acting as a general gateway for the office and a remote client VPN) on our first public IP address and then add the 3600 as a second gateway on our second public IP.  Create all the VPC tunnelling with the 3600 and then create a route on the ASA stating that any office traffic destined for the VPC should go via the 3600.  Would this be plausable?

Also, does the 3600 do everything required for the VPC connection or will I need additional hardware/software to make the VPC communicate with the office network?

Kind regards

Paul.

Yup, that design will work. Just kindly make sure that there is no overlapping in network subnets, otherwise, routing will not work.

In regards to hardware, you shouldn't need anything else. With the software, you would need to upgrade it to the version of software that supports VRF aware IPSec and BGP. Something like 12.4(24)T (latest T train) should be fine.

John Skinner
Level 1
Level 1

I know that this thread is 4 years old, but I just wanted to make sure that this is still not the case. My understanding is that the Cisco ASA (5505 with version 8.4.7 specifically) can be used to connect to an Amazon VPC VPN. Am I correct?

Thanks in advance if you answer me

did you find out about this? i have a asa 5520

Yes I found out about the 5505. It will not work. Threw the 5505 away and installed a free copy of pfSense BSD firewall. It has been more stable than my Sonicwall for connecting to our AWS VPC.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: