AWS HA Firewall (ASAv or FTDv) for RA client and s2s VPN connectivity

pwelmarcus
Level 1

Good Afternoon

I'm looking for some guidance. We are looking to deploy:

1: Regional HA RA Cisco Firewall(s) supporting AnyConnect Remote Access VPN clients. I understand we can deploy ASAv and use external DNS monitoring (such as R53) to either prioritize or load-balance across 2 or more firewalls in separate AZs. The below URL explains the details, and most of this seems fairly straightforward.

https://aws-ia.github.io/cfn-ps-cisco-asav-ravpn/

2: Regional HA RA Cisco Firewall(s) supporting IPsec s2s VPN peers. I have searched various resources, and the current Cisco documentation seems to infer the use of FTDv and not ASAv (see below URL), with the use of GWLB with FTDv nodes acting as a true cluster with the ability to process traffic in an active/active manner.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/deploy-threat-defense-virtual-cluster-aws.html#concept_lc2_dsq_5xb

This configuration seems more complex and seems to configure the firewalls with a single arm. Is anyone familiar with this design? Just trying to understand how the traffic across IPsec VPN peers would flow. If, say, I had multiple IPsec peers, would they be distributed across all FTDvs, and in terms of routing between remote IPsec sites and local AWS resources, is it as simple as updating route tables in AWS for the relevant remote subnets and the relevant s2s IPsec VPN configuration on the control peer (which I assume is auto-synced to the other data nodes)?

Any reason why for RA VPN ASAv is deployed whereas for s2s VPN FTDv is deployed? Is ASAv not supported in this configuration?
Any advice appreciated.


Thanks
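As an added illustration of the DNS-based HA described in point 1 (example configuration, not the poster's or the AWS Quick Start's own code): Route 53 TCP health checks against each ASAv's AnyConnect listener with PRIMARY/SECONDARY failover records, so new clients resolve the shared VPN name to the headend in the healthy AZ. The two Elastic IPs, the hosted zone ID and the DNS name are placeholders.

```hcl
# Added example: Route 53 health checks and failover records for two ASAv
# AnyConnect headends in separate AZs. All addresses and IDs are placeholders.

variable "asav_eips" {
  description = "Elastic IPs of the ASAv outside interfaces, one per AZ (placeholders)"
  type        = map(string)
  default = {
    "az-a" = "198.51.100.10" # constructed example address, AZ a
    "az-b" = "198.51.100.20" # constructed example address, AZ b
  }
}

variable "zone_id"  { default = "Z0000000PLACEHOLDER" } # hosted zone ID placeholder
variable "vpn_fqdn" { default = "vpn.example.com" }     # name AnyConnect clients use

# One TCP health check per headend against the AnyConnect listener (443).
# A TCP check only proves the port answers; it does not prove a tunnel can be built.
resource "aws_route53_health_check" "asav" {
  for_each          = var.asav_eips
  ip_address        = each.value
  port              = 443
  type              = "TCP"
  request_interval  = 10 # seconds between probes
  failure_threshold = 3  # consecutive failures before the endpoint is marked unhealthy
  tags              = { Name = "asav-${each.key}" }
}

# "Prioritize" = PRIMARY/SECONDARY failover. To load-balance instead, replace
# failover_routing_policy on both records with weighted_routing_policy { weight = 50 }.
resource "aws_route53_record" "vpn_primary" {
  zone_id         = var.zone_id
  name            = var.vpn_fqdn
  type            = "A"
  ttl             = 30 # short TTL so clients follow a failover quickly
  set_identifier  = "az-a"
  health_check_id = aws_route53_health_check.asav["az-a"].id
  records         = [var.asav_eips["az-a"]]
  failover_routing_policy { type = "PRIMARY" }
}

resource "aws_route53_record" "vpn_secondary" {
  zone_id         = var.zone_id
  name            = var.vpn_fqdn
  type            = "A"
  ttl             = 30
  set_identifier  = "az-b"
  health_check_id = aws_route53_health_check.asav["az-b"].id
  records         = [var.asav_eips["az-b"]]
  failover_routing_policy { type = "SECONDARY" }
}
```

Both ASAv instances need an identity certificate valid for the shared name, and a DNS failover only steers new connections: sessions on the failed headend drop and the client reconnects.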


2 Replies

Any reason why for RA VPN ASAv is deployed whereas for s2s VPN FTDv is deployed? Is ASAv not supported in this configuration?
I don't get your Q.

MHM

Hi MHM

I was looking for Cisco designs/implementations for remote access and then for s2s VPN in AWS. The 2 articles I found had ASAv for RA VPN but FTDv for IPsec VPN (links are in my question). So I am asking:

1. Can you use ASAv for both VPN requirements, or do I have to follow the guidelines in both documents?

2. The hardware versions of the ASA firewall are now in an EoL cycle. Is this the same scenario for ASAv, whereby they have been superseded by the FTDv?

3. I was asking if any users had experience with ASAv or FTDv in AWS; any information about the deployment/operation would be appreciated.

Thanks