Solved: Re: AWS VPN with two source subnets

sanchezeldorado · ‎08-09-2021

Hello!

1. I have an AWS VPN setup and working just fine from my "Inside" interface on my Cisco ASA. (192.168.10.0/24).

2. I have another DMZ interface (192.168.5.0/24)

3. I want both of these to access the AWS subnet (172.30.0.0/16).

I've set ANY as the source in my ACL, but no matter what I do, the phase 2 SA only comes up with 192.168.10.0/24. I know that AWS can only have a single SA, so I'm not sure where the ASA is getting the /24 network from. I'm assuming it's the interface. Is there a way to allow both subnets access to AWS? I will also want to allow my anyconnect subnet access to AWS later on. Here's the show crypto ipsec sa:

access-list acl-amzn extended permit ip any 172.30.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.30.0.0/255.255.255.0/0/0)
current_peer: <AWS IP>

Thanks!

sanchezeldorado · ‎08-11-2021

Seems this whole thread was unnecessary. Thank you to those who responded. Policy based routing would have worked except that the Vendor didn't specify all the subnets on my end for the VPN connections settings. The Asymmetric routing wasn't actually an issue either because the vendor had configured the VM to only accept traffic from the single subnet as well. All is working now when they got their part right. Have a great day!

View solution in original post

Milos_Jovanovic · ‎08-09-2021

Hi @sanchezeldorado,

Based on your inputs, I would say that you are using policy-based VPN (one defined with ACL that matches relevant traffic). I know for sure that AWS supports route-based VPN, and I would advise to move to that deployment. Once you have tunnel interface deployed, routing traffic is as simple as adding static route pointing to tunnel interface. You can find different config guides for this, but here is one. Support for VTI was introduced in ASA v9.7.

BR,

Milos

sanchezeldorado · ‎08-10-2021

Thank you for the reply! I switched it to Route based, and I end up with the same situation. The SA is too limited in scope. I put in a static route if that matters. I wouldn't think BGP would change the scope of the IPSEC SA. When I run packet-tracer with DMZ as my source, this is what I get.

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: AWS1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (unexpected-packet) Unexpected packet

sanchezeldorado · ‎08-10-2021

I figured out most of it. It turns out that either VPN type would have worked, but The VPN connection settings on the AWS side were set to a specific /24 subnet. After that, I had asymmetric routing issues. Now my issue is that with two active tunnels, the connection gets held open on a single tunnel and doesn't timeout. Then it doesn't follow the routing to go back to the primary tunnel when it comes back online. I was going to use the timeout floating-connection option, but it can only apply when an SLA is applied for a backup route. The SLA is unable to apply to a tunnel interface. Both subnets now work, but failing back to the primary tunnel after an outage of the first tunnel still results in asymmetric routing.

sanchezeldorado · ‎08-11-2021

Seems this whole thread was unnecessary. Thank you to those who responded. Policy based routing would have worked except that the Vendor didn't specify all the subnets on my end for the VPN connections settings. The Asymmetric routing wasn't actually an issue either because the vendor had configured the VM to only accept traffic from the single subnet as well. All is working now when they got their part right. Have a great day!

ciscocase · ‎08-09-2021

I do not know, how the AWS-VPN konfiguration looks like, but, if you want a diffrent network to join the VPN you have to define it at the remote site as well. The only other way for you to get this working, is to hide your second subnet behind an address from your inside network using nat.

sanchezeldorado · ‎08-10-2021

Thank you for the reply. I have to reach out to a vendor to work with them on the AWS side. I'm not very familiar with that part(and neither are they), but they have static routes entered back to my network that worked for one of my two subnets. I may be forced to NAT the traffic, but that just doesn't seem right. I would think there is a way to expand the IPSEC SA to include a wider subnet. What settings actually negotiate that? I don't see anything in my config that would specify that my internal subnet should create the SA vs my DMZ. Maybe it's a setting on the AWS side.

sanchezeldorado · ‎08-10-2021

I fixed this part of it. See the comments on the other reply. Thank you for your input.

Milos_Jovanovic · ‎08-10-2021

Hi @sanchezeldorado,

Glad that you resolved your issues.

When reconfiguring VPN type, you have to do it on both ends, as there is relevant configuration on AWS side also. If you change it on your end, in better case, you'll most likely end up exactly where you were - you still have old access, but without changes that you were pursuing. In worse case, you would end up with non-working VPN.

If you find some of these comments helpfull, please mark thread as solved, so you can help other people too.

BR,

Milos

JerryLarson7922 · ‎04-01-2024

Hello to all on this thread, I have an AWS issue which is similar,

1. can anybody tell me is AWS can support multiple network across a single tunnel? My vendor using AWS said he cant. I had to build 2 external tunnels, one for my 172.21.0.x/32 per site and a second external tunnel for my 10.x.x.157/32 network

He was unable to add both of these as remote interesting traffic across one tunnel. Does anybody know if that is in fact a limitation of AWS?

thank you