Wednesday, April 16, 2014

Establishing site-to-site VPN from Amazon VPC to Cisco ASA device running in datacenter

If you are attempting to establish a site-to-site VPN between your Amazon VPC and a Cisco ASA device in your data center, you will need the information below:


  • Determine whether you will use static routing or dynamic routing with Border Gateway Protocol (BGP).
  • If you are using BGP, you will need a unique ASN when you create the customer gateway, as below:-
  • If you are using static routing, you will need the publicly addressable IP address of your Cisco ASA device, which you set in your customer gateway (CGW) information:-

  • Next, you will need the subnet CIDR range in the data center, behind the Cisco ASA, that needs access to the EC2 instances running in your VPC, e.g. 10.128.44.0/24. (Please note that it is recommended that this subnet CIDR block is different from the CIDR block of your VPC; an overlapping range would be shadowed by the VPC's local route.)
Once you have all of the above information, you can follow the steps below:-

1. Create a Virtual Private Gateway (VPG) and attach it to your VPC using the VPC id:-

2. Create a Customer Gateway (CGW) and attach it to the VPG that you created in the step above. In the CGW, enter the static IP of the Cisco ASA device.

3. Next, create a VPN connection for each subnet in your data center that you want to publish to your VPC.


4. Once you have configured your VPG, CGW and VPN connection, you can download the configuration:


5. In your VPC "route tables", make sure "route propagation" is enabled for the main route table, the secondary route table, or both, depending on which instances need to reach the VPN tunnel:


6. Also, add the data center subnet CIDR to the VPN connection's static routes:-




7. Next, work with your data center team on the Phase 1, Phase 2 and PSK properties specified in this configuration file; these are needed to configure your Cisco ASA device.

8. Test the VPN connection by bringing up a machine in the subnet behind the ASA device and try connecting to an instance in the AWS VPC.

9. If the tunnels are successfully established, you will see at least one of them as "up" below:-




3 comments:

  1. I read this article. I think You put a lot of effort to create this article. I appreciate your work. navigare anonimo

  2. Hi cloudofnines,

    I followed your tutorial but still stuck in connect to customer system. Can you help me, please shot me an email at sonpython@gmail.com thank you
