Having Trouble Setting up Lan to Lan VPN from AWS to On Premise


Hi. I'm trying to configure a LAN-to-LAN VPN between AWS (using a Cisco ASAv virtual appliance) and on-premises. I'm able to bring up the VPN, but I'm a little confused about how to deal with NATed traffic on the AWS end. Part of the problem is that the on-premises client insists on using a public IP for the encryption domain.


On Premise side

host IP:



ASA 5505:

Inside IP:

Static ip mapped to above internal host: 


The AWS side:

host IP:



Cisco ASAv

inside IP:

AWS Elastic IP mapped back to ASAv outside interface:


If I ping the AWS host from the on-premises host, the VPN comes up:

On Premise ASA 5505:

1 IKE Peer: 7 IKE Peer:
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

AWS Cisco ASAv:

1 IKE Peer:
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE


If I go the other way (from AWS to on-premises) it doesn't initiate any traffic and the VPN does not come up, and even with the VPN up, initiated from the on-premises side, there's no communication between the endpoints. I think both things are because I don't have NAT set up properly on the AWS side. The on-prem ASA 5505 is 8.3, and the Cisco ASAv is 9.14. I know that NAT configs changed significantly with release 8.4.

I've attached my AWS Cisco ASAv config. Can someone tell me what I'm doing wrong? should be able to initiate the VPN connection and connect to the on-premises instance.
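The following is an added example of how the two sides of such a tunnel are typically configured on ASA 8.3+ NAT syntax; it is not the poster's attached config, and all addresses are placeholders (RFC 5737 documentation ranges and RFC 1918 space chosen for illustration, since the post's real addresses are not shown). The point it demonstrates: on 8.3 and later the ASA applies NAT before it evaluates the crypto map ACL, so the crypto ACL on each side must list addresses as they look after NAT. On the on-prem 5505 the host keeps its existing static NAT, so the encryption domain there is the public static IP, which is what the on-prem client is asking for. On the AWS ASAv the host is exempted from translation with a manual identity NAT rule, so its VPC-private address appears unchanged inside the tunnel. The two crypto ACLs are mirror images of each other.

```cisco
!=====================================================================
! AWS side: Cisco ASAv 9.x (placeholders, not the poster's addresses)
!   AWS host (VPC private):       10.0.1.10
!   ASAv inside:                  10.0.1.1
!   ASAv outside (VPC private):   10.0.0.1  (Elastic IP 198.51.100.10 is
!                                 mapped 1:1 to it by AWS; the ASAv
!                                 never sees the EIP itself)
!   On-prem peer (5505 outside):  203.0.113.1
!   On-prem host public static:   203.0.113.20
!=====================================================================
object network AWS-HOST
 host 10.0.1.10
object network ONPREM-HOST-PUBLIC
 host 203.0.113.20

! Identity (no-translation) rule for VPN-bound traffic. Manual NAT in
! section 1 is evaluated before any object (auto) NAT, so this wins over a
! dynamic PAT rule used for Internet-bound traffic from the same host.
! route-lookup makes the ASA route on the real destination rather than
! on the NAT rule's interface pair.
nat (inside,outside) source static AWS-HOST AWS-HOST destination static ONPREM-HOST-PUBLIC ONPREM-HOST-PUBLIC no-proxy-arp route-lookup

! Encryption domain as seen after NAT: AWS host real IP <-> on-prem public IP
access-list VPN-ONPREM extended permit ip object AWS-HOST object ONPREM-HOST-PUBLIC

! IKEv1 phase 1 (parameters are illustrative; match whatever the peer uses)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>

! IKEv1 phase 2
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-ONPREM
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! Let decrypted tunnel traffic bypass the outside interface ACL
sysopt connection permit-vpn

!=====================================================================
! On-prem side: ASA 5505 8.3 (same placeholders)
!   On-prem host (inside):        192.168.1.10
!   Public static for that host:  203.0.113.20 (already in place)
!   AWS peer:                     198.51.100.10 (the Elastic IP)
!=====================================================================
object network ONPREM-HOST
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.20

! No NAT exemption here on purpose: the static translation applies before
! the crypto check, so the crypto ACL must use the public address.
access-list VPN-AWS extended permit ip host 203.0.113.20 host 10.0.1.10

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>

crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-AWS
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
sysopt connection permit-vpn
```

Two things the ASAv config cannot fix by itself, and which this example assumes are in place on the AWS side: the VPC route table for the host's subnet must send traffic for the on-prem public address (203.0.113.20 in the placeholders) to the ASAv's inside ENI, and source/destination checking must be disabled on the ASAv's ENIs, otherwise packets from the AWS host never reach the ASAv and nothing will ever trigger the tunnel from that direction; and the security group on the ASAv's outside ENI must allow UDP 500, UDP 4500 and ESP (IP protocol 50) from the on-prem peer. To confirm that the NAT and crypto steps line up on the ASAv before touching the other side, run `packet-tracer input inside icmp 10.0.1.10 8 0 203.0.113.20 detailed` and check that the NAT phase shows the identity rule (no translation) and the VPN phase reports the crypto map match; `show nat` should show hit counts on the identity rule rather than on any dynamic PAT rule for the same traffic.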

1 Reply

MHM Cisco World
VIP Mentor