10-24-2017 07:49 PM - edited 03-12-2019 04:39 AM
We have a site-to-site VPN tunnel between our office and the AWS cloud and everything seems to be working great. Now we have one more subnet at the office location which we want to route over the same tunnel, so this is what I did.
Existing ACL for interesting traffic:
access-list ACL-VPN extended permit ip 10.0.0.0 255.255.255.0 10.100.4.0 255.255.255.0
New subnet which I want to route over the existing tunnel:
access-list ACL-VPN extended permit ip 64.100.200.0 255.255.255.0 10.100.4.0 255.255.255.0
As soon as I add the new ACL it brings down the previous tunnel, and now I can ping from the 64 network to the 10.100.4.0 network. What is the solution here?
10-25-2017 06:25 AM
Hello @satish.txt1,
The S2S with AWS are different :) They only support one security association with Cisco ASA (and maybe other vendors); that's why the recommendation is to have only one ACL on the crypto map, because if you add another it will with both and it will be dropping the connection between the 2 ACLs.
AWS recommends having the source as ANY and permitting the subnets from your site, and if you want to apply the subnets to particular ones, you should apply VPN filters on the group-policy and permit the ones you really want.
This is the documentation from AWS: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA.html
This is the statement from them:
! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
! If you specify more than one entry for this ACL without using "any" as the source, the VPN will function erratically.
! The any rule is also used so the security association will include the ASA outside interface where the SLA monitor
! traffic will be sourced from.
! See section #4 regarding how to restrict the traffic going over the tunnel
HTH
Gio
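A worked ASA configuration for the fix described in the accepted answer above (an added example, not configuration taken from the thread or from the AWS guide; the group-policy name, the filter ACL name and the peer address 203.0.113.10 are placeholders I assumed, while the VPC subnet 10.100.4.0/24 and the two office subnets come from the question):

```cisco
! Constructed example, not the thread's or AWS's own configuration.
! Placeholders: GP-AWS-VPN, VPN-FILTER-AWS, peer 203.0.113.10.

! 1. Crypto ACL: replace the two per-subnet entries with a single
!    "any -> VPC" entry, so the ASA negotiates ONE security association
!    that covers every office subnet instead of flapping between two.
no access-list ACL-VPN extended permit ip 10.0.0.0 255.255.255.0 10.100.4.0 255.255.255.0
no access-list ACL-VPN extended permit ip 64.100.200.0 255.255.255.0 10.100.4.0 255.255.255.0
access-list ACL-VPN extended permit ip any 10.100.4.0 255.255.255.0

! 2. VPN filter: restrict what may actually cross the tunnel.
!    Caveat: for a LAN-to-LAN tunnel the ASA evaluates a vpn-filter ACL
!    with the REMOTE (VPC) network as the source and the local network as
!    the destination, and applies it to traffic in both directions.
access-list VPN-FILTER-AWS extended permit ip 10.100.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list VPN-FILTER-AWS extended permit ip 10.100.4.0 255.255.255.0 64.100.200.0 255.255.255.0
! Any other office subnet matched by "any" in the crypto ACL is dropped
! here by the ACL's implicit deny, so "any" does not widen exposure.

group-policy GP-AWS-VPN internal
group-policy GP-AWS-VPN attributes
 vpn-filter value VPN-FILTER-AWS

tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-AWS-VPN

! Verification: expect a single IPsec SA whose local proxy identity is
! 0.0.0.0/0 and whose remote identity is 10.100.4.0/24.
! show crypto ipsec sa peer 203.0.113.10
! show vpn-sessiondb l2l
```

If the tunnel still drops after the change, clear the existing SA (clear crypto ipsec sa peer 203.0.113.10) so it is renegotiated with the new single proxy identity.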
10-24-2017 08:58 PM
10-25-2017 12:56 PM
You are goddamn right!! Thanks a lot for that hint! It is working now!
06-10-2021 01:20 PM
Hello,
@satish.txt1, what exactly did you do in order to get this to work?
Did you change something on your office router or on the AWS side?
I have the same problem where the new subnet cannot get to my web portal in AWS.
I have a Customer Enclave Router (on premises) connected to a Cisco FTD in AWS through another GATEWAY ROUTER (on premises), basically:
CUSTOMER_ROUTER (on_premises) ------------> GATEWAY_ROUTER (on_premises) --------------> FTDv (AWS)
@GioGonza, please, I need your advice on this issue. I can be reached at nasdepago@gmail.com / ntcheumoe@novetta.com
Thank you in advance.