SlideShare a Scribd company logo

AWS VPN Configuration for ASA

Download as TXT, PDF
Hatus Cordeiro
Hatus Cordeiro

ASA

Devices & Hardware
1 of 6
! Amazon Web Services ! Virtual Private Cloud ! ! AWS utilizes unique identifiers to manipulate the configuration of ! a VPN Connection. Each VPN Connection is assigned an identifier and is ! associated with two other identifiers, namely the ! Customer Gateway Identifier and Virtual Private Gateway Identifier. ! ! Your VPN Connection ID : vpn-3854d825 ! Your Virtual Private Gateway ID : vgw-6466c379 ! Your Customer Gateway ID : cgw-43ad085e ! ! ! This configuration consists of two tunnels. Both tunnels must be ! configured on your Customer Gateway. Only a single tunnel will be up at a ! time to the VGW. ! ! You may need to populate these values throughout the config based on your setup: ! <outside_interface> - External interface of the ASA ! <outside_access_in> - Inbound ACL on the external interface ! <amzn_vpn_map> - Outside crypto map ! <vpc_subnet> and <vpc_subnet_mask> - VPC address range ! <local_subnet> and <local_subnet_mask> - Local subnet address range ! <sla_monitor_address> - Target address that is part of acl-amzn to run SLA monitoring ! -------------------------------------------------------------------------------- ! IPSec Tunnels ! -------------------------------------------------------------------------------- ! #1: Internet Key Exchange (IKE) Configuration ! ! A policy is established for the supported ISAKMP encryption, ! authentication, Diffie-Hellman, lifetime, and key parameters. ! ! Note that there are a global list of ISAKMP policies, each identified by ! sequence number. This policy is defined as #201, which may conflict with ! an existing policy using the same or lower number depending on ! the encryption type. If so, we recommend changing the sequence number to ! avoid conflicts and overlap. ! ! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. ! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24. ! The address of the external interface for your customer gateway must be a static address. ! Your customer gateway may reside behind a device performing network address translation (NAT). ! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T. ! crypto isakmp identity address crypto ikev1 enable <outside_interface> crypto ikev1 policy 201 encryption aes authentication pre-share group 2 lifetime 28800 hash sha exit
! ! The tunnel group sets the Pre Shared Key used to authenticate the ! tunnel endpoints. ! tunnel-group 52.67.250.226 type ipsec-l2l tunnel-group 52.67.250.226 ipsec-attributes ikev1 pre-shared-key Ut6xvdqyxBkH0dOtv.NoL.6..M5Z2k4R ! ! This option enables IPSec Dead Peer Detection, which causes semi-periodic ! messages to be sent to ensure a Security Association remains operational. ! isakmp keepalive threshold 10 retry 10 exit ! tunnel-group 54.94.131.249 type ipsec-l2l tunnel-group 54.94.131.249 ipsec-attributes ikev1 pre-shared-key Kx6S7_TcEaQ3W02lBQf9_5RVRE44Qzl8 ! ! This option enables IPSec Dead Peer Detection, which causes semi-periodic ! messages to be sent to ensure a Security Association remains operational. ! isakmp keepalive threshold 10 retry 10 exit ! -------------------------------------------------------------------------------- ! #2: Access List Configuration ! ! Access lists are configured to permit creation of tunnels and to send applicable traffic over them. ! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic. ! This is to allow VPN traffic into the device from the Amazon endpoints. ! access-list <outside_access_in> extended permit ip host 52.67.250.226 host 177.128.118.215 access-list <outside_access_in> extended permit ip host 54.94.131.249 host 177.128.118.215 ! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will ! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association ! is done through the "crypto map" command. ! ! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet. ! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range. ! If you specify more than one entry for this ACL without using "any" as the source, the VPN will function erratically. ! The any rule is also used so the security association will include the ASA outside interface where the SLA monitor ! traffic will be sourced from. ! See section #4 regarding how to restrict the traffic going over the tunnel ! ! access-list acl-amzn extended permit ip any4 <vpc_subnet> <vpc_subnet_mask> !------------------------------------------------------------------------------- -- ! #3: IPSec Configuration ! ! The IPSec transform set defines the encryption, authentication, and IPSec ! mode parameters.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 1,2, 5, 14-18, 22, 23, and 24. ! crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac ! The crypto map references the IPSec transform set and further defines ! the Diffie-Hellman group and security association lifetime. The mapping is created ! as #1, which may conflict with an existing crypto map using the same ! number. If so, we recommend changing the mapping number to avoid conflicts. ! crypto map <amzn_vpn_map> 1 match address acl-amzn crypto map <amzn_vpn_map> 1 set pfs group2 crypto map <amzn_vpn_map> 1 set peer 52.67.250.226 54.94.131.249 crypto map <amzn_vpn_map> 1 set ikev1 transform-set transform-amzn crypto map <amzn_vpn_map> 1 set security-association lifetime seconds 3600 ! ! Only set this if you do not already have an outside crypto map, and it is not applied: ! crypto map <amzn_vpn_map> interface <outside_interface> ! ! Additional parameters of the IPSec configuration are set here. Note that ! these parameters are global and therefore impact other IPSec ! associations. ! ! This option instructs the firewall to clear the "Don't Fragment" ! bit from packets that carry this bit and yet must be fragmented, enabling ! them to be fragmented. ! crypto ipsec df-bit clear-df <outside_interface> ! ! This configures the gateway's window for accepting out of order ! IPSec packets. A larger window can be helpful if too many packets ! are dropped due to reordering while in transit between gateways. ! crypto ipsec security-association replay window-size 128 ! ! This option instructs the firewall to fragment the unencrypted packets ! (prior to encryption). ! crypto ipsec fragmentation before-encryption <outside_interface> ! ! This option causes the firewall to reduce the Maximum Segment Size of ! TCP packets to prevent packet fragmentation. sysopt connection tcpmss 1379 ! ! In order to keep the tunnel in an active or always up state, the ASA needs to send traffic to the subnet ! defined in acl-amzn. SLA monitoring can be configured to send pings to a destination in the subnet and ! will keep the tunnel active. This traffic needs to be sent to a target that will return a response. ! This can be manually tested by sending a ping to the target from the ASA sourced from the outside interface. ! A possible destination for the ping is an instance within the VPC. For redundancy multiple SLA monitors ! can be configured to several instances to protect against a single point of failure. ! ! The monitor is created as #1, which may conflict with an existing monitor using the same ! number. If so, we recommend changing the sequence number to avoid conflicts.
! sla monitor 1 type echo protocol ipIcmpEcho <sla_monitor_address> interface <outside_interface> frequency 5 exit sla monitor schedule 1 life forever start-time now ! ! The firewall must allow icmp packets to use "sla monitor" icmp permit any <outside_interface> !------------------------------------------------------------------------------- -------- ! #4: VPN Filter ! The VPN Filter will restrict traffic that is permitted through the tunnels. By default all traffic is denied. ! The first entry provides an example to include traffic between your VPC Address space and your office. ! You may need to run 'clear crypto isakmp sa', in order for the filter to take effect. ! ! access-list amzn-filter extended permit ip <vpc_subnet> <vpc_subnet_mask> <local_subnet> <local_subnet_mask> access-list amzn-filter extended deny ip any any group-policy filter internal group-policy filter attributes vpn-filter value amzn-filter tunnel-group 52.67.250.226 general-attributes default-group-policy filter exit tunnel-group 54.94.131.249 general-attributes default-group-policy filter exit !------------------------------------------------------------------------------- -------- ! #5: NAT Exemption ! If you are performing NAT on the ASA you will have to add a nat exemption rule. ! This varies depending on how NAT is set up. It should be configured along the lines of: ! object network obj-SrcNet ! subnet 0.0.0.0 0.0.0.0 ! object network obj-amzn ! subnet <vpc_subnet> <vpc_subnet_mask> ! nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn ! If using version 8.2 or older, the entry would need to look something like this: ! nat (inside) 0 access-list acl-amzn ! Or, the same rule in acl-amzn should be included in an existing no nat ACL. ! !------------------------------------------------------------------------------- -------- ! Additional Notes and Questions ! - Amazon Virtual Private Cloud Getting Started Guide: ! http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide ! - Amazon Virtual Private Cloud Network Administrator Guide: ! http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide ! - Troubleshooting Cisco ASA Customer Gateway Connectivity: ! http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA_T roubleshooting.html ! - XSL Version: 2009-07-15-1119716
AWS VPN Configuration for ASA
AWS VPN Configuration for ASA

Recommended

Sa mog
Sa mogSa mog
Sa mogwarchitect
 
Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.igede tirtanata
 
Securing Asterisk: A practical approach
Securing Asterisk: A practical approachSecuring Asterisk: A practical approach
Securing Asterisk: A practical approachBangladesh Network Operators Group
 
Configuracion EIGRP
Configuracion EIGRPConfiguracion EIGRP
Configuracion EIGRPalexis marck Huiza Canchanya
 
IPSec VPN
IPSec VPNIPSec VPN
IPSec VPNNetProtocol Xpert
 
Cisco asa active,active failover configuration
Cisco asa active,active failover configurationCisco asa active,active failover configuration
Cisco asa active,active failover configurationIT Tech
 
Network topology by essay corp uk
Network topology by essay corp ukNetwork topology by essay corp uk
Network topology by essay corp ukJohnsmith5188
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideHarris Andrea
 

Recommended

Sa mog
Sa mogSa mog
Sa mogwarchitect
 
Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.igede tirtanata
 
Securing Asterisk: A practical approach
Securing Asterisk: A practical approachSecuring Asterisk: A practical approach
Securing Asterisk: A practical approachBangladesh Network Operators Group
 
Configuracion EIGRP
Configuracion EIGRPConfiguracion EIGRP
Configuracion EIGRPalexis marck Huiza Canchanya
 
IPSec VPN
IPSec VPNIPSec VPN
IPSec VPNNetProtocol Xpert
 
Cisco asa active,active failover configuration
Cisco asa active,active failover configurationCisco asa active,active failover configuration
Cisco asa active,active failover configurationIT Tech
 
Network topology by essay corp uk
Network topology by essay corp ukNetwork topology by essay corp uk
Network topology by essay corp ukJohnsmith5188
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideHarris Andrea
 
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01Duane Bodle
 
Iuwne10 S06 L03
Iuwne10 S06 L03Iuwne10 S06 L03
Iuwne10 S06 L03Ravi Ranjan
 
Mac authentication amigopod radius
Mac authentication amigopod radiusMac authentication amigopod radius
Mac authentication amigopod radiusAruba, a Hewlett Packard Enterprise company
 
Cohesive Networks Support Docs: VNS3 Administration
Cohesive Networks Support Docs: VNS3 AdministrationCohesive Networks Support Docs: VNS3 Administration
Cohesive Networks Support Docs: VNS3 AdministrationCohesive Networks
 
Deploy Failover/High Availability in ASA Firewall
Deploy Failover/High Availability in ASA FirewallDeploy Failover/High Availability in ASA Firewall
Deploy Failover/High Availability in ASA FirewallKHNOG
 
Ipsec
IpsecIpsec
IpsecEddy Barzallo
 
Iuwne10 S06 L01
Iuwne10 S06 L01Iuwne10 S06 L01
Iuwne10 S06 L01Ravi Ranjan
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Cisco Russia
 
Palo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration LabPalo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration LabMykhaylo Skrypka
 
הגדרת נתבי סיסקו 1.0
הגדרת נתבי סיסקו 1.0הגדרת נתבי סיסקו 1.0
הגדרת נתבי סיסקו 1.0ELI KENDEL אלי קנדל
 
Ccna 4 pretest exam answer v5
Ccna 4 pretest exam answer v5Ccna 4 pretest exam answer v5
Ccna 4 pretest exam answer v5friv4schoolgames
 
BACIK CISCO SKILLS
BACIK CISCO SKILLSBACIK CISCO SKILLS
BACIK CISCO SKILLSPeťko Z Chochoľova
 
Triển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gponTriển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gponlaonap166
 
Practice exam #2
Practice exam #2Practice exam #2
Practice exam #2Kris Mofu
 
6.5.1.2 packet tracer layer 2 security instructor
6.5.1.2 packet tracer layer 2 security instructor6.5.1.2 packet tracer layer 2 security instructor
6.5.1.2 packet tracer layer 2 security instructorSalem Trabelsi
 
Port Security
Port SecurityPort Security
Port SecurityNetProtocol Xpert
 
Vpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tếVpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tếlaonap166
 
Catalyst Smart Operations : Simplify Your Network
Catalyst Smart Operations : Simplify Your NetworkCatalyst Smart Operations : Simplify Your Network
Catalyst Smart Operations : Simplify Your NetworkCisco Russia
 
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallHow to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallIT Tech
 
Cisco CCNA Port Security
Cisco CCNA Port SecurityCisco CCNA Port Security
Cisco CCNA Port SecurityHamed Moghaddam
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Amazon Web Services
 
Cisco data center support
Cisco data center supportCisco data center support
Cisco data center supportKrunal Shah
 

More Related Content

What's hot

Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01Duane Bodle
 
Cohesive Networks Support Docs: VNS3 Administration
Cohesive Networks Support Docs: VNS3 AdministrationCohesive Networks Support Docs: VNS3 Administration
Cohesive Networks Support Docs: VNS3 AdministrationCohesive Networks
 
Deploy Failover/High Availability in ASA Firewall
Deploy Failover/High Availability in ASA FirewallDeploy Failover/High Availability in ASA Firewall
Deploy Failover/High Availability in ASA FirewallKHNOG
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Cisco Russia
 
Palo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration LabPalo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration LabMykhaylo Skrypka
 
Ccna 4 pretest exam answer v5
Ccna 4 pretest exam answer v5Ccna 4 pretest exam answer v5
Ccna 4 pretest exam answer v5friv4schoolgames
 
Triển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gponTriển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gponlaonap166
 
Practice exam #2
Practice exam #2Practice exam #2
Practice exam #2Kris Mofu
 
6.5.1.2 packet tracer layer 2 security instructor
6.5.1.2 packet tracer layer 2 security instructor6.5.1.2 packet tracer layer 2 security instructor
6.5.1.2 packet tracer layer 2 security instructorSalem Trabelsi
 
Vpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tếVpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tếlaonap166
 
Catalyst Smart Operations : Simplify Your Network
Catalyst Smart Operations : Simplify Your NetworkCatalyst Smart Operations : Simplify Your Network
Catalyst Smart Operations : Simplify Your NetworkCisco Russia
 
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallHow to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallIT Tech
 
Cisco CCNA Port Security
Cisco CCNA Port SecurityCisco CCNA Port Security
Cisco CCNA Port SecurityHamed Moghaddam
 

What's hot (20)

Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
 
Iuwne10 S06 L03
Iuwne10 S06 L03Iuwne10 S06 L03
Iuwne10 S06 L03
 
Mac authentication amigopod radius
Mac authentication amigopod radiusMac authentication amigopod radius
Mac authentication amigopod radius
 
Cohesive Networks Support Docs: VNS3 Administration
Cohesive Networks Support Docs: VNS3 AdministrationCohesive Networks Support Docs: VNS3 Administration
Cohesive Networks Support Docs: VNS3 Administration
 
Deploy Failover/High Availability in ASA Firewall
Deploy Failover/High Availability in ASA FirewallDeploy Failover/High Availability in ASA Firewall
Deploy Failover/High Availability in ASA Firewall
 
Ipsec
IpsecIpsec
Ipsec
 
Iuwne10 S06 L01
Iuwne10 S06 L01Iuwne10 S06 L01
Iuwne10 S06 L01
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
 
Palo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration LabPalo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration Lab
 
הגדרת נתבי סיסקו 1.0
הגדרת נתבי סיסקו 1.0הגדרת נתבי סיסקו 1.0
הגדרת נתבי סיסקו 1.0
 
Ccna 4 pretest exam answer v5
Ccna 4 pretest exam answer v5Ccna 4 pretest exam answer v5
Ccna 4 pretest exam answer v5
 
BACIK CISCO SKILLS
BACIK CISCO SKILLSBACIK CISCO SKILLS
BACIK CISCO SKILLS
 
Triển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gponTriển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gpon
 
Practice exam #2
Practice exam #2Practice exam #2
Practice exam #2
 
6.5.1.2 packet tracer layer 2 security instructor
6.5.1.2 packet tracer layer 2 security instructor6.5.1.2 packet tracer layer 2 security instructor
6.5.1.2 packet tracer layer 2 security instructor
 
Port Security
Port SecurityPort Security
Port Security
 
Vpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tếVpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tế
 
Catalyst Smart Operations : Simplify Your Network
Catalyst Smart Operations : Simplify Your NetworkCatalyst Smart Operations : Simplify Your Network
Catalyst Smart Operations : Simplify Your Network
 
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallHow to configure cisco asa virtual firewall
How to configure cisco asa virtual firewall
 
Cisco CCNA Port Security
Cisco CCNA Port SecurityCisco CCNA Port Security
Cisco CCNA Port Security
 

Similar to AWS VPN Configuration for ASA

Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Amazon Web Services
 
Cisco data center support
Cisco data center supportCisco data center support
Cisco data center supportKrunal Shah
 
Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...
Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...
Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...abdenour boussioud
 
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A PixConfiguring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pixangelitoh11
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Amazon Web Services
 
Important cisco-chow-commands
Important cisco-chow-commandsImportant cisco-chow-commands
Important cisco-chow-commandsssusere31b5c
 
Code Red Security
Code Red SecurityCode Red Security
Code Red SecurityAmr Ali
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014Amazon Web Services
 
Cohesive Networks Support Docs: VNS3 Setup for Cisco ASA
Cohesive Networks Support Docs: VNS3 Setup for Cisco ASACohesive Networks Support Docs: VNS3 Setup for Cisco ASA
Cohesive Networks Support Docs: VNS3 Setup for Cisco ASACohesive Networks
 
FlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLEFlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLETariq Sheikh
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksAPNIC
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 

Similar to AWS VPN Configuration for ASA (20)

Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)
 
Cisco data center support
Cisco data center supportCisco data center support
Cisco data center support
 
Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...
Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...
Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...
 
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A PixConfiguring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pix
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)
 
Important cisco-chow-commands
Important cisco-chow-commandsImportant cisco-chow-commands
Important cisco-chow-commands
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618)
 
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
 
Cohesive Networks Support Docs: VNS3 Setup for Cisco ASA
Cohesive Networks Support Docs: VNS3 Setup for Cisco ASACohesive Networks Support Docs: VNS3 Setup for Cisco ASA
Cohesive Networks Support Docs: VNS3 Setup for Cisco ASA
 
Oreilly solinea-managing-openstack
Oreilly solinea-managing-openstackOreilly solinea-managing-openstack
Oreilly solinea-managing-openstack
 
FlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLEFlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLE
 
F5 tcpdump
F5 tcpdumpF5 tcpdump
F5 tcpdump
 
Aruba mobility access switch useful commands v2
Aruba mobility access switch useful commands v2Aruba mobility access switch useful commands v2
Aruba mobility access switch useful commands v2
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building Blocks
 
Xpress path vxlan_bgp_evpn_appricot2019-v2_
Xpress path vxlan_bgp_evpn_appricot2019-v2_Xpress path vxlan_bgp_evpn_appricot2019-v2_
Xpress path vxlan_bgp_evpn_appricot2019-v2_
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
Vpc aws meetup
Vpc aws meetupVpc aws meetup
Vpc aws meetup
 
06.pptx
06.pptx06.pptx
06.pptx
 

Recently uploaded

定制加拿大滑铁卢大学毕业证(Waterloo毕业证书)成绩单(文凭)原版一比一
定制加拿大滑铁卢大学毕业证(Waterloo毕业证书)成绩单(文凭)原版一比一定制加拿大滑铁卢大学毕业证(Waterloo毕业证书)成绩单(文凭)原版一比一
定制加拿大滑铁卢大学毕业证(Waterloo毕业证书)成绩单(文凭)原版一比一zul5vf0pq
 
如何办理萨省大学毕业证(UofS毕业证)成绩单留信学历认证原版一比一
如何办理萨省大学毕业证(UofS毕业证)成绩单留信学历认证原版一比一如何办理萨省大学毕业证(UofS毕业证)成绩单留信学历认证原版一比一
如何办理萨省大学毕业证(UofS毕业证)成绩单留信学历认证原版一比一ga6c6bdl
 
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service NashikLow Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...Pooja Nehwal
 
Russian Call Girls In South Delhi Delhi 9711199012 💋✔💕😘 Independent Escorts D...
Russian Call Girls In South Delhi Delhi 9711199012 💋✔💕😘 Independent Escorts D...Russian Call Girls In South Delhi Delhi 9711199012 💋✔💕😘 Independent Escorts D...
Russian Call Girls In South Delhi Delhi 9711199012 💋✔💕😘 Independent Escorts D...nagunakhan
 
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...Call Girls in Nagpur High Profile
 
Gaya Call Girls #9907093804 Contact Number Escorts Service Gaya
Gaya Call Girls #9907093804 Contact Number Escorts Service GayaGaya Call Girls #9907093804 Contact Number Escorts Service Gaya
Gaya Call Girls #9907093804 Contact Number Escorts Service Gayasrsj9000
 
(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 
如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查
如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查
如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查awo24iot
 
Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...
Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...
Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...Pooja Nehwal
 
如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单留信学历认证原版一比一
如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单留信学历认证原版一比一如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单留信学历认证原版一比一
如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单留信学历认证原版一比一ga6c6bdl
 
9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...
9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...
9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...Pooja Nehwal
 
Vip Noida Escorts 9873940964 Greater Noida Escorts Service
Vip Noida Escorts 9873940964 Greater Noida Escorts ServiceVip Noida Escorts 9873940964 Greater Noida Escorts Service
Vip Noida Escorts 9873940964 Greater Noida Escorts Serviceankitnayak356677
 
Call Girls Delhi {Rohini} 9711199012 high profile service
Call Girls Delhi {Rohini} 9711199012 high profile serviceCall Girls Delhi {Rohini} 9711199012 high profile service
Call Girls Delhi {Rohini} 9711199012 high profile servicerehmti665
 
Call Girls in Nagpur Bhavna Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Bhavna Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Bhavna Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Bhavna Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
Beautiful Sapna Call Girls CP 9711199012 ☎ Call /Whatsapps
Beautiful Sapna Call Girls CP 9711199012 ☎ Call /WhatsappsBeautiful Sapna Call Girls CP 9711199012 ☎ Call /Whatsapps
Beautiful Sapna Call Girls CP 9711199012 ☎ Call /Whatsappssapnasaifi408
 
Slim Call Girls Service Badshah Nagar * 9548273370 Naughty Call Girls Service...
Slim Call Girls Service Badshah Nagar * 9548273370 Naughty Call Girls Service...Slim Call Girls Service Badshah Nagar * 9548273370 Naughty Call Girls Service...
Slim Call Girls Service Badshah Nagar * 9548273370 Naughty Call Girls Service...nagunakhan
 
Call Girls Dubai Slut Wife O525547819 Call Girls Dubai Gaped
Call Girls Dubai Slut Wife O525547819 Call Girls Dubai GapedCall Girls Dubai Slut Wife O525547819 Call Girls Dubai Gaped
Call Girls Dubai Slut Wife O525547819 Call Girls Dubai Gapedkojalkojal131
 
哪里办理美国宾夕法尼亚州立大学毕业证(本硕)psu成绩单原版一模一样
哪里办理美国宾夕法尼亚州立大学毕业证(本硕)psu成绩单原版一模一样哪里办理美国宾夕法尼亚州立大学毕业证(本硕)psu成绩单原版一模一样
哪里办理美国宾夕法尼亚州立大学毕业证(本硕)psu成绩单原版一模一样qaffana
 

Recently uploaded (20)

定制加拿大滑铁卢大学毕业证(Waterloo毕业证书)成绩单(文凭)原版一比一
定制加拿大滑铁卢大学毕业证(Waterloo毕业证书)成绩单(文凭)原版一比一定制加拿大滑铁卢大学毕业证(Waterloo毕业证书)成绩单(文凭)原版一比一
定制加拿大滑铁卢大学毕业证(Waterloo毕业证书)成绩单(文凭)原版一比一
 
如何办理萨省大学毕业证(UofS毕业证)成绩单留信学历认证原版一比一
如何办理萨省大学毕业证(UofS毕业证)成绩单留信学历认证原版一比一如何办理萨省大学毕业证(UofS毕业证)成绩单留信学历认证原版一比一
如何办理萨省大学毕业证(UofS毕业证)成绩单留信学历认证原版一比一
 
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service NashikLow Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
 
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...
 
Russian Call Girls In South Delhi Delhi 9711199012 💋✔💕😘 Independent Escorts D...
Russian Call Girls In South Delhi Delhi 9711199012 💋✔💕😘 Independent Escorts D...Russian Call Girls In South Delhi Delhi 9711199012 💋✔💕😘 Independent Escorts D...
Russian Call Girls In South Delhi Delhi 9711199012 💋✔💕😘 Independent Escorts D...
 
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
 
young call girls in Sainik Farm 🔝 9953056974 🔝 Delhi escort Service
young call girls in Sainik Farm 🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Sainik Farm 🔝 9953056974 🔝 Delhi escort Service
young call girls in Sainik Farm 🔝 9953056974 🔝 Delhi escort Service
 
Gaya Call Girls #9907093804 Contact Number Escorts Service Gaya
Gaya Call Girls #9907093804 Contact Number Escorts Service GayaGaya Call Girls #9907093804 Contact Number Escorts Service Gaya
Gaya Call Girls #9907093804 Contact Number Escorts Service Gaya
 
(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 
如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查
如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查
如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查
 
Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...
Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...
Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...
 
如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单留信学历认证原版一比一
如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单留信学历认证原版一比一如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单留信学历认证原版一比一
如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单留信学历认证原版一比一
 
9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...
9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...
9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...
 
Vip Noida Escorts 9873940964 Greater Noida Escorts Service
Vip Noida Escorts 9873940964 Greater Noida Escorts ServiceVip Noida Escorts 9873940964 Greater Noida Escorts Service
Vip Noida Escorts 9873940964 Greater Noida Escorts Service
 
Call Girls Delhi {Rohini} 9711199012 high profile service
Call Girls Delhi {Rohini} 9711199012 high profile serviceCall Girls Delhi {Rohini} 9711199012 high profile service
Call Girls Delhi {Rohini} 9711199012 high profile service
 
Call Girls in Nagpur Bhavna Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Bhavna Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Bhavna Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Bhavna Call 7001035870 Meet With Nagpur Escorts
 
Beautiful Sapna Call Girls CP 9711199012 ☎ Call /Whatsapps
Beautiful Sapna Call Girls CP 9711199012 ☎ Call /WhatsappsBeautiful Sapna Call Girls CP 9711199012 ☎ Call /Whatsapps
Beautiful Sapna Call Girls CP 9711199012 ☎ Call /Whatsapps
 
Slim Call Girls Service Badshah Nagar * 9548273370 Naughty Call Girls Service...
Slim Call Girls Service Badshah Nagar * 9548273370 Naughty Call Girls Service...Slim Call Girls Service Badshah Nagar * 9548273370 Naughty Call Girls Service...
Slim Call Girls Service Badshah Nagar * 9548273370 Naughty Call Girls Service...
 
Call Girls Dubai Slut Wife O525547819 Call Girls Dubai Gaped
Call Girls Dubai Slut Wife O525547819 Call Girls Dubai GapedCall Girls Dubai Slut Wife O525547819 Call Girls Dubai Gaped
Call Girls Dubai Slut Wife O525547819 Call Girls Dubai Gaped
 
哪里办理美国宾夕法尼亚州立大学毕业证(本硕)psu成绩单原版一模一样
哪里办理美国宾夕法尼亚州立大学毕业证(本硕)psu成绩单原版一模一样哪里办理美国宾夕法尼亚州立大学毕业证(本硕)psu成绩单原版一模一样
哪里办理美国宾夕法尼亚州立大学毕业证(本硕)psu成绩单原版一模一样
 

AWS VPN Configuration for ASA

  • 1. ! Amazon Web Services ! Virtual Private Cloud ! ! AWS utilizes unique identifiers to manipulate the configuration of ! a VPN Connection. Each VPN Connection is assigned an identifier and is ! associated with two other identifiers, namely the ! Customer Gateway Identifier and Virtual Private Gateway Identifier. ! ! Your VPN Connection ID : vpn-3854d825 ! Your Virtual Private Gateway ID : vgw-6466c379 ! Your Customer Gateway ID : cgw-43ad085e ! ! ! This configuration consists of two tunnels. Both tunnels must be ! configured on your Customer Gateway. Only a single tunnel will be up at a ! time to the VGW. ! ! You may need to populate these values throughout the config based on your setup: ! <outside_interface> - External interface of the ASA ! <outside_access_in> - Inbound ACL on the external interface ! <amzn_vpn_map> - Outside crypto map ! <vpc_subnet> and <vpc_subnet_mask> - VPC address range ! <local_subnet> and <local_subnet_mask> - Local subnet address range ! <sla_monitor_address> - Target address that is part of acl-amzn to run SLA monitoring ! -------------------------------------------------------------------------------- ! IPSec Tunnels ! -------------------------------------------------------------------------------- ! #1: Internet Key Exchange (IKE) Configuration ! ! A policy is established for the supported ISAKMP encryption, ! authentication, Diffie-Hellman, lifetime, and key parameters. ! ! Note that there are a global list of ISAKMP policies, each identified by ! sequence number. This policy is defined as #201, which may conflict with ! an existing policy using the same or lower number depending on ! the encryption type. If so, we recommend changing the sequence number to ! avoid conflicts and overlap. ! ! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. ! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24. ! The address of the external interface for your customer gateway must be a static address. ! Your customer gateway may reside behind a device performing network address translation (NAT). ! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T. ! crypto isakmp identity address crypto ikev1 enable <outside_interface> crypto ikev1 policy 201 encryption aes authentication pre-share group 2 lifetime 28800 hash sha exit
  • 2. ! ! The tunnel group sets the Pre Shared Key used to authenticate the ! tunnel endpoints. ! tunnel-group 52.67.250.226 type ipsec-l2l tunnel-group 52.67.250.226 ipsec-attributes ikev1 pre-shared-key Ut6xvdqyxBkH0dOtv.NoL.6..M5Z2k4R ! ! This option enables IPSec Dead Peer Detection, which causes semi-periodic ! messages to be sent to ensure a Security Association remains operational. ! isakmp keepalive threshold 10 retry 10 exit ! tunnel-group 54.94.131.249 type ipsec-l2l tunnel-group 54.94.131.249 ipsec-attributes ikev1 pre-shared-key Kx6S7_TcEaQ3W02lBQf9_5RVRE44Qzl8 ! ! This option enables IPSec Dead Peer Detection, which causes semi-periodic ! messages to be sent to ensure a Security Association remains operational. ! isakmp keepalive threshold 10 retry 10 exit ! -------------------------------------------------------------------------------- ! #2: Access List Configuration ! ! Access lists are configured to permit creation of tunnels and to send applicable traffic over them. ! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic. ! This is to allow VPN traffic into the device from the Amazon endpoints. ! access-list <outside_access_in> extended permit ip host 52.67.250.226 host 177.128.118.215 access-list <outside_access_in> extended permit ip host 54.94.131.249 host 177.128.118.215 ! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will ! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association ! is done through the "crypto map" command. ! ! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet. ! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range. ! If you specify more than one entry for this ACL without using "any" as the source, the VPN will function erratically. ! The any rule is also used so the security association will include the ASA outside interface where the SLA monitor ! traffic will be sourced from. ! See section #4 regarding how to restrict the traffic going over the tunnel ! ! access-list acl-amzn extended permit ip any4 <vpc_subnet> <vpc_subnet_mask> !------------------------------------------------------------------------------- -- ! #3: IPSec Configuration ! ! The IPSec transform set defines the encryption, authentication, and IPSec ! mode parameters.
  • 3. ! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 1,2, 5, 14-18, 22, 23, and 24. ! crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac ! The crypto map references the IPSec transform set and further defines ! the Diffie-Hellman group and security association lifetime. The mapping is created ! as #1, which may conflict with an existing crypto map using the same ! number. If so, we recommend changing the mapping number to avoid conflicts. ! crypto map <amzn_vpn_map> 1 match address acl-amzn crypto map <amzn_vpn_map> 1 set pfs group2 crypto map <amzn_vpn_map> 1 set peer 52.67.250.226 54.94.131.249 crypto map <amzn_vpn_map> 1 set ikev1 transform-set transform-amzn crypto map <amzn_vpn_map> 1 set security-association lifetime seconds 3600 ! ! Only set this if you do not already have an outside crypto map, and it is not applied: ! crypto map <amzn_vpn_map> interface <outside_interface> ! ! Additional parameters of the IPSec configuration are set here. Note that ! these parameters are global and therefore impact other IPSec ! associations. ! ! This option instructs the firewall to clear the "Don't Fragment" ! bit from packets that carry this bit and yet must be fragmented, enabling ! them to be fragmented. ! crypto ipsec df-bit clear-df <outside_interface> ! ! This configures the gateway's window for accepting out of order ! IPSec packets. A larger window can be helpful if too many packets ! are dropped due to reordering while in transit between gateways. ! crypto ipsec security-association replay window-size 128 ! ! This option instructs the firewall to fragment the unencrypted packets ! (prior to encryption). ! crypto ipsec fragmentation before-encryption <outside_interface> ! ! This option causes the firewall to reduce the Maximum Segment Size of ! TCP packets to prevent packet fragmentation. sysopt connection tcpmss 1379 ! ! In order to keep the tunnel in an active or always up state, the ASA needs to send traffic to the subnet ! defined in acl-amzn. SLA monitoring can be configured to send pings to a destination in the subnet and ! will keep the tunnel active. This traffic needs to be sent to a target that will return a response. ! This can be manually tested by sending a ping to the target from the ASA sourced from the outside interface. ! A possible destination for the ping is an instance within the VPC. For redundancy multiple SLA monitors ! can be configured to several instances to protect against a single point of failure. ! ! The monitor is created as #1, which may conflict with an existing monitor using the same ! number. If so, we recommend changing the sequence number to avoid conflicts.
  • 4. ! sla monitor 1 type echo protocol ipIcmpEcho <sla_monitor_address> interface <outside_interface> frequency 5 exit sla monitor schedule 1 life forever start-time now ! ! The firewall must allow icmp packets to use "sla monitor" icmp permit any <outside_interface> !------------------------------------------------------------------------------- -------- ! #4: VPN Filter ! The VPN Filter will restrict traffic that is permitted through the tunnels. By default all traffic is denied. ! The first entry provides an example to include traffic between your VPC Address space and your office. ! You may need to run 'clear crypto isakmp sa', in order for the filter to take effect. ! ! access-list amzn-filter extended permit ip <vpc_subnet> <vpc_subnet_mask> <local_subnet> <local_subnet_mask> access-list amzn-filter extended deny ip any any group-policy filter internal group-policy filter attributes vpn-filter value amzn-filter tunnel-group 52.67.250.226 general-attributes default-group-policy filter exit tunnel-group 54.94.131.249 general-attributes default-group-policy filter exit !------------------------------------------------------------------------------- -------- ! #5: NAT Exemption ! If you are performing NAT on the ASA you will have to add a nat exemption rule. ! This varies depending on how NAT is set up. It should be configured along the lines of: ! object network obj-SrcNet ! subnet 0.0.0.0 0.0.0.0 ! object network obj-amzn ! subnet <vpc_subnet> <vpc_subnet_mask> ! nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn ! If using version 8.2 or older, the entry would need to look something like this: ! nat (inside) 0 access-list acl-amzn ! Or, the same rule in acl-amzn should be included in an existing no nat ACL. ! !------------------------------------------------------------------------------- -------- ! Additional Notes and Questions ! - Amazon Virtual Private Cloud Getting Started Guide: ! http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide ! - Amazon Virtual Private Cloud Network Administrator Guide: ! http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide ! - Troubleshooting Cisco ASA Customer Gateway Connectivity: ! http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA_T roubleshooting.html ! - XSL Version: 2009-07-15-1119716