10-12-2023 10:51 PM
Hello,
I have set up a site-to-site VPN between Cisco FTDv and AWS. The VPN is up (both phases), but there are no encaps once I initiate traffic from on-prem. If traffic is initiated from the AWS cloud, I get some decaps but 0 encaps.
If I check my ACLs, I realize FW_ACL has hits (both for incoming and outgoing), but my IPSEC_ACLs have no hits.
What could I be missing?
Kindly help.
Labels: IPSEC
Accepted Solutions
10-13-2023 01:36 AM
First you need to enable sysopt permit-vpn.
And check this link on how you can configure NO-NAT for IPsec.
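As an added worked example (not from the original post, the linked document or Cisco's documentation): the running configuration the FTDv shows after the two fixes above are deployed from FMC, placed beside the configuration that produces the thread's symptom when an overload PAT rule is ordered above the exemption. The /24 subnets 192.168.250.0 and 172.29.0.0, the interface names inside/outside, the object names and the peer address 203.0.113.10 are assumptions chosen for illustration; only the two hosts 192.168.250.100 and 172.29.0.50 come from the thread.

```text
! --- Symptom-producing: PAT overload with no exemption above it ------------
! A manual (Section 1) PAT rule is evaluated first, rewrites the on-prem
! source to the outside interface IP, and the rewritten packet no longer
! matches the crypto ACL, so the SA shows decaps > 0 but encaps = 0.
object network NET-ONPREM
 subnet 192.168.250.0 255.255.255.0
object network NET-AWS
 subnet 172.29.0.0 255.255.255.0
nat (inside,outside) source dynamic any interface

! --- Fixed: NAT exemption (identity NAT) ordered above the PAT rule ---------
! FMC: Devices > NAT > Add Rule, Manual NAT Rule, inserted before auto NAT;
! original = translated for both source (NET-ONPREM) and destination
! (NET-AWS); Advanced: "Do not proxy ARP" and "Perform route lookup" checked.
nat (inside,outside) source static NET-ONPREM NET-ONPREM destination static NET-AWS NET-AWS no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface

! --- sysopt permit-vpn -------------------------------------------------------
! FMC: Devices > VPN > Site To Site > (topology) > Advanced >
! "Bypass Access Control policy for decrypted traffic". Deployed as:
sysopt connection permit-vpn

! --- Verification from the FTD CLI ------------------------------------------
! Trace the on-prem host's echo request through the box: the NAT phase must
! select the exemption rule and the trace must end in a VPN encrypt phase
! with result ALLOW, not in the PAT rule.
packet-tracer input inside icmp 192.168.250.100 8 0 172.29.0.50 detailed
! The exemption must be listed in Section 1 ahead of the PAT rule, and its
! hit count must increase as on-prem traffic is sent.
show nat detail
! #pkts encaps should now increase in step with traffic from on-prem,
! instead of staying at 0 while decaps climbs.
show crypto ipsec sa peer 203.0.113.10
```

If packet-tracer still ends on the PAT rule, the exemption was inserted below it; FTD evaluates Section 1 manual NAT rules top to bottom, first match wins, so the order in the FMC NAT policy matters as much as the rule itself.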
10-12-2023 11:56 PM
"the VPN is up both phases"
If this is the case, the traffic that is supposed to leave via the tunnel should work as expected. Since this is not working, we need to verify both sides' config. Make sure the interesting traffic is correctly allowed; we have seen that both sides' subnets need to match exactly, with the same mask, in the allowed list.
I would check the configuration and routing again, and make sure the tunnel is established.
AWS side :
https://www.youtube.com/watch?v=NtDt34_tXCI
10-13-2023 12:04 AM
Yeah, actually the tunnel is up on both ends.
Not sure why I am not able to encapsulate traffic when I initiate it from on-prem.
Both subnets match.
In my case I am not NATting anything, so I disabled the NAT traversal setting.
Question: my FTDv is a new setup, so I have not even done PAT overload on the outside interface. Would this cause this behaviour, or is it unrelated?
Thanks.
10-13-2023 12:26 AM
As well, when I initiate traffic and capture on the FTD inside interface, I am able to capture traffic, but it's one way, with no response.
So it troubles me: if the traffic is getting to the FTDv, why are my encaps still zero? Is there anything I might be missing?
All I know is I don't have NAT on the outside and inside interfaces; can this be the cause?
10-13-2023 12:42 AM
Did you configure No-NAT for IPsec traffic?
10-13-2023 12:53 AM
This is the brief design.
10-13-2023 12:56 AM
Sorry, here.
10-13-2023 12:57 AM
A server, say 192.168.250.100, is not able to ping 172.29.0.50 on AWS, and it is still not registering encaps.
But a capture on the FTDv shows the ping requests from 192.168.250.100 to 172.29.0.50 with no echo replies.
10-13-2023 01:27 AM
You need to troubleshoot all the way through each firewall.
It looks to me like your server is not able to go out to reach the 172 network, as per the information.
It may help you to open ping all the way and traceroute all the way; that will give you some visibility.
10-13-2023 12:58 AM
You need an exception NAT (no-NAT) config in FTDv.
10-13-2023 01:29 AM
This is unchecked, or is there another way on FMC to disable this?
10-13-2023 04:13 AM
The document I have provided has the option (hope you got a chance to read the document).
10-13-2023 03:28 AM
This has worked.
Thanks.
