Having Trouble Setting up LAN-to-LAN VPN from AWS to On Premise

andrewmorone
Level 1

Hi. I'm trying to configure a LAN-to-LAN VPN between AWS (using a Cisco ASAv virtual appliance) and on premises. I'm able to bring up the VPN, but I'm a little confused about how to deal with NAT'd traffic on the AWS end. Part of the problem is that the on-premises client insists on using a public IP for the encryption domain.

On Premise side:
host IP: 192.168.7.159
gw: 192.168.7.1

ASA 5505:
Inside IP: 192.168.7.1
Static IP mapped to above internal host: 199.164.254.159

The AWS side:
host IP: 10.41.2.102
gw: 10.41.2.19

Cisco ASAv:
inside IP: 10.41.2.19
AWS Elastic IP mapped back to ASAv outside interface: 24.123.200.29

If I ping 10.41.2.19 (AWS host) from the On Premise host (192.168.7.159), the VPN comes up:

On Premise ASA 5505:

1 IKE Peer: 7 IKE Peer: 24.123.200.29
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

AWS Cisco ASAv:

1 IKE Peer: 199.164.254.159
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE


If I go the other way (from AWS to on premises), it doesn't initiate any traffic and the VPN does not come up, and even with the VPN up, initiated from the on-premises side, there's no communication between the endpoints. I think both things are because I don't have NAT set up properly on the AWS side. The on-prem ASA 5505 is 8.3, and the Cisco ASAv is 9.14. I know that NAT configs changed significantly with release 8.4.

I've attached my AWS Cisco ASAv config. Can someone tell me what I'm doing wrong? 10.41.2.102 should be able to initiate the VPN connection and connect to the on-premises instance 199.164.254.159.
