Created a site to site VPN with 5506 and AWS, how do I allow remote access clients?

Pete Johnstone
Level 1

So I've successfully created a VPN tunnel (well, 2 actually) between a 5506 and AWS, and you can successfully hit AWS instances from servers behind the 5506.

I used the documentation supplied by AWS and Cisco for setting this connection up using the VTI (first time doing this).

That said, I would like to allow remote access clients to also be able to connect to AWS instances directly from their machines, rather than having to connect via one of the servers.

I'm drawing a blank at the moment; figured I'd ask in case there is a simple answer that I'm not seeing.


GioGonza
Level 4

Hello @Pete Johnstone,

You need to perform a U-turn, or hairpinning: the idea is to connect your remote users on the ASA and then send the traffic through the site-to-site VPN tunnel with AWS. You need to keep in mind that AWS only allows one entry on the encryption domain ACL, so if you don't use any (as they recommend) there will be some additional changes you need to make in order to get it working.

Can you share your config so I can verify the exact commands you need to apply?

HTH

Gio
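The hairpin Gio describes, as an added configuration example that is not from the original thread or from either poster. It assumes an ASA 5506-X whose existing AWS tunnel is already a working VTI (named AWS-VTI here) with a static route for the VPC, an AnyConnect pool of 192.168.50.0/24, a VPC CIDR of 10.200.0.0/16, and a spare on-prem address 10.10.10.254 that AWS already routes back through the tunnel; every name and address below is an assumption. Because the original tunnel is route-based (VTI) there is no crypto-map ACL to extend; what actually matters is that AWS has a return route for whatever source address the client traffic arrives with, which is why the pool is source-translated to an on-prem address (the alternative is to add the pool prefix as a static route on the AWS VPN connection and skip the NAT).

```cisco
! Added example: hairpin AnyConnect users through an existing VTI tunnel to AWS.
! All interface names, objects and addresses are assumptions (see lead-in).
!   outside          - internet-facing interface where AnyConnect terminates
!   AWS-VTI          - nameif of the existing Tunnel1 interface to AWS
!   203.0.113.10     - placeholder for the AWS VGW public endpoint
!   169.254.10.1     - AWS-side inside tunnel address on the VTI
!   10.200.0.0/16    - AWS VPC CIDR
!   192.168.50.0/24  - AnyConnect address pool
!   10.10.10.254     - unused on-prem address AWS already routes to the ASA

! 1. Decrypted AnyConnect traffic arrives on outside and must leave on the
!    tunnel interface. Both sit at security-level 0, so permit the hairpin.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

! 2. Existing VTI, shown only for context, plus the route that pulls the
!    VPC prefix into the tunnel (already present if the S2S tunnel works).
interface Tunnel1
 nameif AWS-VTI
 security-level 0
 ip address 169.254.10.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AWS-PROFILE
route AWS-VTI 10.200.0.0 255.255.0.0 169.254.10.1

! 3. Objects for the pool, the VPC and the hairpin PAT address.
object network VPN_POOL
 subnet 192.168.50.0 255.255.255.0
object network AWS_VPC
 subnet 10.200.0.0 255.255.0.0
object network RA_TO_AWS_PAT
 host 10.10.10.254

! 4. Source-translate the AnyConnect pool on its way into the tunnel so the
!    VPC sees an address it already has a route back to. Place this ahead of
!    any broader (outside,outside) or (outside,AWS-VTI) rules.
nat (outside,AWS-VTI) source dynamic VPN_POOL RA_TO_AWS_PAT

! 5. Push the VPC prefix to the client so it is sent down the AnyConnect
!    tunnel, and limit what remote users may reach in the VPC (least
!    privilege: hairpinning otherwise opens the whole VPC to every RA user).
access-list SPLIT_TUNNEL standard permit 10.200.0.0 255.255.0.0
access-list RA_VPN_FILTER extended permit tcp 192.168.50.0 255.255.255.0 10.200.0.0 255.255.0.0 eq 443
access-list RA_VPN_FILTER extended permit tcp 192.168.50.0 255.255.255.0 10.200.0.0 255.255.0.0 eq 22
access-list RA_VPN_FILTER extended deny ip any any

ip local pool RA_POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0

group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value RA_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value RA_VPN_FILTER

! 6. Checks once a client is connected (client 192.168.50.10, instance 10.200.1.10).
packet-tracer input outside tcp 192.168.50.10 40000 10.200.1.10 443
show nat detail | include VPN_POOL
show crypto ipsec sa peer 203.0.113.10
```

In the packet-tracer output, expect the NAT phase to show the 192.168.50.10 source rewritten to 10.10.10.254 and the egress interface to be AWS-VTI; on releases that evaluate a trace as post-decryption VPN traffic (the `decrypted` keyword, an assumption for the 5506's particular image) append it so the interface ACL is skipped the way it is for real AnyConnect traffic. The encaps/decaps counters in `show crypto ipsec sa` should climb as the client sends traffic. On the AWS side, the VPC security group on the instance must allow the translated address 10.10.10.254 (or the pool prefix, if you chose the static-route alternative instead of NAT); the vpn-filter on the ASA does not replace that.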

Kias
Level 1

Hi,

You could follow this as a prototype.

https://supportforums.cisco.com/t5/lan-switching-and-routing/cisco-asa-5512-x-hairpinning-anyconnect-users-to-azure-vms/m-p/3192869#M392800

Regards,

Kias

Fonicom Limited
raiseaticket Malta