cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
504
Views
5
Helpful
8
Replies

AnyConnect VPN users cannot connec to Instances in AWS

kimgg2022
Beginner
Beginner

Hi, I have set up a site-to-site connection between AWS and CISCO ISR Router. I also have anyconnect configured on my ASA. Now, site-to-site is working except for users connected to Anyconnect VPN. Do i need to set specific NAT or Access control policy for anyconnect users to connect AWS instances?

1 Accepted Solution

Accepted Solutions

@kimgg2022 that may well be the case...but as I've tried to determine from you, depending on where the router is you may well need some configuration on the ASA.

View solution in original post

8 Replies 8

kimgg2022
Beginner
Beginner

AWS network already added to Standard ACL used in Cisco Anyconnect setup

also added the RAVPN network to AWS route table

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@kimgg2022 how are the devices all connected together?

Are the AWS routes tunnelled through the VPN to the ASA?

Does the ASA know to route the AWS traffic to the ISR router and onward to AWS?

Depending on your ASA configuration you may need a NAT exemption rule to ensure traffic to the AWS networks is not unintentially translated.

Hi Rob, thank you for your response. 

ASA forwards the traffic to Cisco router for AWS traffic. the Cisco router is my AWS customer gateway.

Other local networks behind ASA can connect to AWS instances just fine.

RAVPN - 10.11.0.0/24

AWS  - 10.30.0.0/16

Local network - 10.10.0.0/20

how would be the nat exemption look like? RAVPN is configured to use the ASA's outside interface

@kimgg2022 so the IOS router is on the inside interface of the ASA?

This would be an example if the AWS network is on the inside of the ASA.

object network AWS
 subnet 10.30.0.0 255.255.255.0
object network RAVPN
 subnet 10.11.1.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) source static AWS AWS destination static RAVPN RAVPN no-proxy-arp

You could always run packet-tracer from the CLI to simulate the traffic from a RAVPN user to AWS to confirm it routes via the correct path, traffic is not blocked by and ACL and traffic is not unintentially translated (or matches the NAT exemption rule).

@Rob Ingram hi Rob, im referring to AWS with the VPC running on it. Virtual private network already configured to establish the site-to-site connection with our corporate network. The S2S tunnel has 10.10.0.0/20 local CIDR set on it. But I also wanted to have our Cisco Anyconnect users to connect to AWS network. Cisco anyconnect is configured in ASA using outside interface with network10.11.0.0/24 for the pool. In ASA, all traffic going to AWS network will be forwarded to our CISCO IOS router (which serves as the customer gateway of our AWS).

Now, all traffic from this 10.10.0.0/20 will be routed just fine to AWS, but Anyconnect users with 10.11.0.0/24 just kinda stuck in our vpn router.

sorry for the confusions...

 

 

@kimgg2022

Is the IOS router with the VPN not in parallel with the ASA - therefore AnyConnect traffic would need to route via the inside interface to reach AWS VPN?

Or is the IOS router, the ISP router connected to the ASA's outside interface, so therefore AnyConnect traffic needs to hairpin and route back out the outside interface?

@Rob Ingram hi Rob, i think i got it. i just need to adjust the local CIDR in the AWS defined in the tunnel. just need to fine-tune the security i guess.

thank for your help

@kimgg2022 that may well be the case...but as I've tried to determine from you, depending on where the router is you may well need some configuration on the ASA.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers