Hi, I have set up a site-to-site connection between AWS and a CISCO ISR Router. I also have AnyConnect configured on my ASA. Now, site-to-site is working except for users connected to the AnyConnect VPN. Do I need to set a specific NAT or access control policy for AnyConnect users to connect to AWS instances?
@kimgg2022 how are the devices all connected together?
Are the AWS routes tunnelled through the VPN to the ASA?
Does the ASA know to route the AWS traffic to the ISR router and onward to AWS?
Depending on your ASA configuration you may need a NAT exemption rule to ensure traffic to the AWS networks is not unintentionally translated.
Hi Rob, thank you for your response.
The ASA forwards the traffic to the Cisco router for AWS traffic. The Cisco router is my AWS customer gateway.
Other local networks behind ASA can connect to AWS instances just fine.
RAVPN - 10.11.0.0/24
AWS - 10.30.0.0/16
Local network - 10.10.0.0/20
How would the NAT exemption look? RAVPN is configured to use the ASA's outside interface.
@kimgg2022 so the IOS router is on the inside interface of the ASA?
This would be an example if the AWS network is on the inside of the ASA.
! AWS VPC CIDR and AnyConnect pool as stated above (10.30.0.0/16 and 10.11.0.0/24)
object network AWS
 subnet 10.30.0.0 255.255.0.0
object network RAVPN
 subnet 10.11.0.0 255.255.255.0
! Identity (twice) NAT so RAVPN <-> AWS traffic is left untranslated
nat (INSIDE,OUTSIDE) source static AWS AWS destination static RAVPN RAVPN no-proxy-arp
You could always run packet-tracer from the CLI to simulate the traffic from a RAVPN user to AWS to confirm it routes via the correct path, traffic is not blocked by an ACL and traffic is not unintentionally translated (or matches the NAT exemption rule).
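As an added example, not part of this thread or any Cisco tooling: a small Python check that parses a constructed, hypothetical ASA object/NAT snippet (subnets set to the prefixes the thread states) and confirms that a RAVPN-to-AWS flow is covered by the identity NAT rule while ordinary inside traffic is not. It is a pre-change sanity check on the objects, not a replacement for packet-tracer on the real box.

```python
import ipaddress
import re

# Constructed sample config (hypothetical), mirroring the exemption above.
ASA_CONFIG = """
object network AWS
 subnet 10.30.0.0 255.255.0.0
object network RAVPN
 subnet 10.11.0.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static AWS AWS destination static RAVPN RAVPN no-proxy-arp
"""

def parse_objects(config):
    """Map each 'object network' name to its subnet (netmask form is accepted by ipaddress)."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return objects

def parse_identity_rules(config, objects):
    """Return (src_net, dst_net) pairs from twice-NAT rules that map each object to itself."""
    pairs = []
    pattern = r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)"
    for raw in config.splitlines():
        m = re.match(pattern, raw.strip())
        # Identity NAT only when real == mapped on both source and destination.
        if m and m.group(3) == m.group(4) and m.group(5) == m.group(6):
            pairs.append((objects[m.group(3)], objects[m.group(5)]))
    return pairs

def is_exempt(config, src_ip, dst_ip):
    """True if the flow (twice NAT is bidirectional) is covered by an identity rule."""
    objects = parse_objects(config)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any((s in a and d in b) or (s in b and d in a)
               for a, b in parse_identity_rules(config, objects))

def object_covers(config, name, prefix):
    """Check that a named object contains the whole prefix the thread states for it."""
    return ipaddress.ip_network(prefix).subnet_of(parse_objects(config)[name])
```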
@Rob Ingram hi Rob, I'm referring to AWS with the VPC running on it. The virtual private network is already configured to establish the site-to-site connection with our corporate network. The S2S tunnel has 10.10.0.0/20 as the local CIDR set on it. But I also wanted to have our Cisco AnyConnect users connect to the AWS network. Cisco AnyConnect is configured in the ASA using the outside interface with network 10.11.0.0/24 for the pool. In the ASA, all traffic going to the AWS network will be forwarded to our CISCO IOS router (which serves as the customer gateway of our AWS).
Now, all traffic from this 10.10.0.0/20 will be routed just fine to AWS, but AnyConnect users with 10.11.0.0/24 are just kinda stuck in our VPN router.
Sorry for the confusion...
Is the IOS router with the VPN not in parallel with the ASA - therefore AnyConnect traffic would need to route via the inside interface to reach AWS VPN?
Or is the IOS router, the ISP router connected to the ASA's outside interface, so therefore AnyConnect traffic needs to hairpin and route back out the outside interface?