11-17-2022 10:27 AM
Hi, I have set up a site-to-site connection between AWS and a Cisco ISR router. I also have AnyConnect configured on my ASA. Now, site-to-site is working except for users connected to the AnyConnect VPN. Do I need to set a specific NAT or access control policy for AnyConnect users to connect to AWS instances?
Solved! Go to Solution.
11-18-2022 01:06 AM
@kish02 that may well be the case...but as I've tried to determine from you, depending on where the router is you may well need some configuration on the ASA.
11-17-2022 10:29 AM
AWS network already added to Standard ACL used in Cisco Anyconnect setup
also added the RAVPN network to AWS route table
11-17-2022 10:39 AM
@kish02 how are the devices all connected together?
Are the AWS routes tunnelled through the VPN to the ASA?
Does the ASA know to route the AWS traffic to the ISR router and onward to AWS?
Depending on your ASA configuration you may need a NAT exemption rule to ensure traffic to the AWS networks is not unintentionally translated.
11-17-2022 10:53 AM
Hi Rob, thank you for your response.
The ASA forwards the traffic to the Cisco router for AWS traffic; the Cisco router is my AWS customer gateway.
Other local networks behind ASA can connect to AWS instances just fine.
RAVPN - 10.11.0.0/24
AWS - 10.30.0.0/16
Local network - 10.10.0.0/20
How would the NAT exemption look? RAVPN is configured to use the ASA's outside interface.
11-17-2022 11:11 AM
@kish02 so the IOS router is on the inside interface of the ASA?
This would be an example if the AWS network is on the inside of the ASA.
! Masks adjusted to the networks stated in this thread (AWS 10.30.0.0/16, RAVPN pool 10.11.0.0/24)
object network AWS
subnet 10.30.0.0 255.255.0.0
object network RAVPN
subnet 10.11.0.0 255.255.255.0
!
! Identity (twice) NAT: matches both directions, so RAVPN <-> AWS traffic is never translated
nat (INSIDE,OUTSIDE) source static AWS AWS destination static RAVPN RAVPN no-proxy-arp
You could always run packet-tracer from the CLI to simulate the traffic from a RAVPN user to AWS to confirm it routes via the correct path, traffic is not blocked by an ACL, and traffic is not unintentionally translated (or matches the NAT exemption rule).
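Putting the NAT exemption above together with the routing and split-tunnel pieces it depends on, as an added example that is not part of the original posts. It uses the networks stated in the thread and assumes the ISR is reachable on the ASA's INSIDE interface at 10.10.0.1, that the AnyConnect group policy is named RAVPN-GP, and that 10.30.1.10 is an AWS instance (all three are assumptions made for the example):

```cisco
! --- ASA: AnyConnect users (10.11.0.0/24) to AWS (10.30.0.0/16) via the ISR on INSIDE ---
! Added example; interface names, next hop 10.10.0.1, group-policy name and 10.30.1.10 are assumptions.

object network AWS-VPC
 subnet 10.30.0.0 255.255.0.0
object network RAVPN-POOL
 subnet 10.11.0.0 255.255.255.0

! Route AWS traffic to the ISR (the AWS customer gateway) behind INSIDE.
route INSIDE 10.30.0.0 255.255.0.0 10.10.0.1 1

! NAT exemption (identity NAT); twice NAT matches both directions, so the single rule
! also covers RAVPN -> AWS arriving on OUTSIDE. route-lookup makes the ASA choose the
! egress interface from the routing table rather than from the NAT rule.
nat (INSIDE,OUTSIDE) source static AWS-VPC AWS-VPC destination static RAVPN-POOL RAVPN-POOL no-proxy-arp route-lookup

! Split tunnel: AWS must be in the list or the client never sends that traffic into the tunnel.
access-list SPLIT-TUNNEL standard permit 10.10.0.0 255.255.240.0
access-list SPLIT-TUNNEL standard permit 10.30.0.0 255.255.0.0
group-policy RAVPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Only if the ISR instead sits off OUTSIDE: VPN traffic must hairpin on OUTSIDE, which needs
! intra-interface permission and an (OUTSIDE,OUTSIDE) exemption instead of the one above.
! same-security-traffic permit intra-interface
! nat (OUTSIDE,OUTSIDE) source static RAVPN-POOL RAVPN-POOL destination static AWS-VPC AWS-VPC no-proxy-arp route-lookup

! Verification from exec mode: simulate SSH from a VPN user to the instance. The trace should
! show the route via INSIDE, the NAT phase matching the exemption, and a final ALLOW.
packet-tracer input OUTSIDE tcp 10.11.0.10 40000 10.30.1.10 22 detailed
show nat detail
show route 10.30.0.0
```

The packet-tracer source address must be one from the pool (10.11.0.0/24) and the input interface the one AnyConnect terminates on (here OUTSIDE); if the NAT phase shows a dynamic PAT rule being hit instead of the exemption, the exemption is ordered after it or its objects do not cover the real addresses.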
11-17-2022 11:17 PM - edited 11-18-2022 12:25 AM
@Rob Ingram hi Rob, I'm referring to AWS with the VPC running on it. The virtual private network is already configured to establish the site-to-site connection with our corporate network. The S2S tunnel has 10.10.0.0/20 as the local CIDR set on it. But I also wanted our Cisco AnyConnect users to be able to connect to the AWS network. Cisco AnyConnect is configured in the ASA using the outside interface with network 10.11.0.0/24 for the pool. In the ASA, all traffic going to the AWS network will be forwarded to our Cisco IOS router (which serves as the customer gateway for our AWS).
Now, all traffic from 10.10.0.0/20 is routed just fine to AWS, but AnyConnect users with 10.11.0.0/24 just get stuck in our VPN router.
sorry for the confusions...
11-17-2022 11:54 PM
Is the IOS router with the VPN not in parallel with the ASA - therefore AnyConnect traffic would need to route via the inside interface to reach AWS VPN?
Or is the IOS router, the ISP router connected to the ASA's outside interface, so therefore AnyConnect traffic needs to hairpin and route back out the outside interface?
11-18-2022 01:03 AM
@Rob Ingram hi Rob, I think I got it. I just need to adjust the local CIDR defined in the AWS tunnel. Just need to fine-tune the security, I guess.
Thanks for your help.
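Widening the local CIDR on the AWS side only helps if the ISR can also forward the pool into the tunnel and route the return traffic back to the ASA. The following is an added example, not from the original posts, of the ISR side. It assumes the AWS VPN is terminated on a VTI named Tunnel1 with static routing, that the ASA's INSIDE address is 10.10.0.2, and that 10.30.1.10 is an AWS instance (all assumptions):

```cisco
! --- ISR (AWS customer gateway): carry the AnyConnect pool 10.11.0.0/24 across the AWS tunnel ---
! Added example; Tunnel1, the ASA INSIDE address 10.10.0.2 and 10.30.1.10 are assumptions.

! Send AWS-bound traffic into the IPsec VTI (AWS provides two tunnels; only Tunnel1 is shown).
ip route 10.30.0.0 255.255.0.0 Tunnel1

! Return traffic for the pool arrives out of the tunnel and must reach the ASA. The pool is
! not a directly connected network, so without this route the ISR default-routes it away
! (or drops it), which is what "stuck in the VPN router" looks like.
ip route 10.11.0.0 255.255.255.0 10.10.0.2

! If the tunnel were policy-based (crypto map) rather than a VTI, the crypto ACL would also
! need the pool as an interesting-traffic source. IOS ACLs use wildcard masks:
! ip access-list extended AWS-VPN-TRAFFIC
!  permit ip 10.10.0.0 0.0.15.255 10.30.0.0 0.0.255.255
!  permit ip 10.11.0.0 0.0.0.255 10.30.0.0 0.0.255.255

! Verification from exec mode: the route back to the pool, then whether packets for it are
! actually being encrypted/decrypted on the tunnel, then reachability of the instance.
show ip route 10.11.0.0 255.255.255.0
show crypto ipsec sa | include local ident|remote ident|pkts encaps|pkts decaps
ping 10.30.1.10 source 10.10.0.1
```

On the AWS side, for a static-route VPN connection, the pool has to appear in three places: the VPN connection's "Local IPv4 network CIDR" is a single CIDR, so a value of 10.10.0.0/20 has to be widened to a summary covering both networks (10.10.0.0/15, or the default 0.0.0.0/0); the VPN connection needs a static route for 10.11.0.0/24; and the VPC route table needs 10.11.0.0/24 pointing at the virtual private gateway (already added earlier in the thread). The "fine-tune the security" step is then the instances' security groups and any network ACLs, which must allow 10.11.0.0/24 as a source, not only 10.10.0.0/20.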