
About

After creating a site-to-site VPN connection in Amazon, customers must configure the Cisco firewall to recognize the connection and let traffic into MacStadium Private Cloud.

Overview

Amazon provides a semi-prefilled configuration file with very detailed instructions. Download the configuration file and supply any missing information (indicated by placeholders). Afterwards, apply the configuration to the Cisco ASA/ASAv to complete the Site-to-Site VPN setup.

Getting Started

Amazon Configuration Download

Amazon lets you download pre-filled configurations for a variety of vendors. The default firewall vendor for MacStadium private clouds is Cisco Systems, Inc.
  1. Verify that you have created a site-to-site VPN connection in Amazon.
  2. Log in to your AWS Management Console and access your VPC service.
  3. In the top right corner of the screen, make sure that you’re working in the correct region.
  4. In the VPC service sidebar, locate the Virtual Private Network menu and select Site-to-Site VPN Connections.
  5. In the list, select your newly created VPN connection and click Download Configuration.
  6. For Vendor, select Cisco Systems, Inc.
  7. For Platform, select ASA 5500 Series.
  8. For Software, select ASA 9.x for a policy-based VPN OR ASA 9.7 + VTI for a route-based VPN.

Fill in the configuration blanks

IMPORTANT: Unless you have extensive experience with AWS and ASA/ASAv configurations, follow the instructions in the configuration file to the letter. Otherwise, your site-to-site VPN might not work as expected.

You need to manually replace the placeholders in the configuration file you downloaded from Amazon with the values for your MacStadium configuration.

Table 1: Configuration parameters

<outside_interface>
  Description: The name of the outside interface of your Cisco ASA/ASAv device as provided in Appendix A of your IP Plan. By default, the value is Outside.
  More information: The IP Plan
  Example: Outside

<outside_access_in>
  Description: A unique name for the access control list that permits the creation of the tunnel and the traffic over it.
  More information: Cisco Documentation: Cisco Access Control Lists
  Example: outside_access_in

<vpc_subnet>
  Description: The IPv4 address of your Amazon VPC (without the subnet mask bit notation).
  More information: You can get this value by logging in to your AWS Management Console, navigating to your VPC dashboard, selecting your VPC, and checking the Description at the bottom of the screen.
  Example: 192.168.0.0

<vpc_subnet_mask>
  Description: The subnet mask for your Amazon VPC.
  More information: You can get this value by logging in to your AWS Management Console, navigating to your VPC dashboard, selecting your VPC, and checking the Details at the bottom of the screen. You need to convert the subnet mask bit notation to the correct subnet mask (e.g., the /16 notation converts to a 255.255.0.0 subnet mask).
  Example: 255.255.0.0

<amzn_vpn_map>
  Description: A unique name for the crypto map. If you already have other crypto maps configured, you need to change the mapping number.
  More information: Cisco Documentation: Configuring Crypto Maps
  Example: amzn_vpn_map

<sla_monitor_address>
  Description: An IP address in your Amazon VPC that can serve as an SLA monitor keeping the site-to-site tunnel alive.
  More information: You can set this to the <vpc_subnet> address plus one. For example: if your <vpc_subnet> is 192.168.0.0, use 192.168.0.1 for your <sla_monitor_address>.
  Example: 192.168.0.1

<local_subnet>
  Description: The IP address for the internal private network of your MacStadium cloud as provided in Appendix A of your IP Plan. By default, this is the Private-1 network.
  More information: The IP Plan
  Example: 192.168.0.0

<local_subnet_mask>
  Description: The subnet mask for the internal private LAN of your MacStadium cloud as provided in Appendix A of the IP Plan. By default, this is the Private-1 network.
  More information: The IP Plan
  Example: 255.255.0.0
  1. Verify that you have downloaded the configuration file from your AWS Management Console.
  2. Open the configuration file.
  3. Replace all placeholders with their respective values. Use Table 1: Configuration parameters for reference.
  4. Uncomment the line: access-list amzn-filter extended permit ip … To uncomment, remove ! at the start of the line.
  5. Uncomment the lines for object and nat configuration at the end of the config file. To uncomment, remove ! at the start of the line.
  6. Keep the following line. This ensures the SLA monitor works as expected.
     object network obj-SrcNet
     subnet 0.0.0.0 0.0.0.0

 * Note that based on your network configuration and requirements, you can modify this line to map to the subnet and the subnet mask for the Private-1 network from your IP Plan. If you choose to modify this line, do not configure the <sla_monitor_address> value.
  7. On the following line, change 0.0.0.0 0.0.0.0 to a combination of the IP address and the subnet mask for your Amazon VPC.
    • You can get these values by logging in to your AWS Management Console, navigating to your VPC dashboard, selecting your VPC, and checking the Description at the bottom of the screen. You need to convert the subnet mask bit notation to the correct subnet mask (e.g., the /16 notation converts to a 255.255.0.0 subnet mask).
    • For example:
       object network obj-amzn
       subnet 0.0.0.0 0.0.0.0
       TO
       object network obj-amzn
       subnet 192.168.0.0 255.255.0.0
  8. On the following line, change inside and outside to the names of the internal private network and the outside interface of your MacStadium private cloud, respectively, as provided in Appendix A of your IP Plan. By default, these are Private-1 and Outside, respectively.
     nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
     TO
     nat (Private-1,Outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
  9. (Optional) Delete the remaining commented lines to clean up the file. Commented lines are indicated by ! at the beginning of the line.
  10. Save your changes.

Configure TCP State Bypass (Route-based VPN only)

If you selected ASA 9.7 + VTI (route-based VPN), you need to enable the TCP State Bypass feature. This allows outbound and inbound traffic to flow through separate VPN tunnels, which is required for HA VPN scenarios where both tunnels are active simultaneously.

Table 2: TCP State Bypass parameters

<acl-state-bypass>
  Description: A unique name for the access control list that permits the creation of the tunnel and the traffic over it.
  More information: Cisco Documentation: Access Control Lists
  Example: acl-state-bypass

<cm-state-bypass>
  Description: A unique name for the class map that identifies the traffic for which to disable stateful firewall inspection.
  More information: Cisco Documentation: TCP State Bypass
  Example: cm-state-bypass

<pm-state-bypass>
  Description: A unique name for the policy map that assigns actions to the specified class map traffic.
  More information: Cisco Documentation: TCP State Bypass
  Example: pm-state-bypass

<private_interface>
  Description: The name of the internal private interface of your Cisco ASA/ASAv device as provided in Appendix A of your IP Plan. By default, this is Private-1.
  More information: The IP Plan
  Example: Private-1
  1. Define an access list with the source and destination networks:
     access-list <acl-state-bypass> extended permit ip <local_subnet> <local_subnet_mask> <vpc_subnet> <vpc_subnet_mask>
  2. Create a class map to identify the traffic for which you want to disable stateful firewall inspection:
     class-map <cm-state-bypass>
       match access-list <acl-state-bypass>
  3. Create a policy map to assign the TCP State Bypass action to the class map:
     policy-map <pm-state-bypass>
       class <cm-state-bypass>
         set connection advanced-options tcp-state-bypass
  4. Apply the policy map to your private interface:
     service-policy <pm-state-bypass> interface <private_interface>
  5. Save your changes.
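To make the placeholder procedure above and the TCP State Bypass steps concrete, here is an added Python script. It is not MacStadium's or Amazon's code: it derives the Table 1 values from two CIDR ranges (converting the /16 style prefix to a dotted mask and taking the VPC address plus one as the SLA monitor address), fills the placeholders, uncomments the amzn-filter line and the object/nat block at the end of the file, points obj-amzn at the VPC range, names the real interfaces in the nat statement and, for a route-based VPN, appends the Table 2 commands. SAMPLE_TEMPLATE is a constructed excerpt shaped like the download, not the real file; the function names and the 10.20.0.0/16 and 10.254.0.0/24 ranges are constructed for the example. The overlap check is an addition to the page's procedure: the VPC range and the MacStadium private network must not overlap, or the tunnel cannot route between them.

```python
# Added example, not MacStadium's or Amazon's code. Fills an AWS-generated
# Cisco ASA template following the steps of this page; helper names are hypothetical.
import ipaddress
import re

# Constructed excerpt shaped like the Amazon download; the real file is much longer.
SAMPLE_TEMPLATE = """\
access-list <outside_access_in> extended permit ip <vpc_subnet> <vpc_subnet_mask> <local_subnet> <local_subnet_mask>
!access-list amzn-filter extended permit ip <vpc_subnet> <vpc_subnet_mask> <local_subnet> <local_subnet_mask>
crypto map <amzn_vpn_map> 1 match address acl-amzn
sla monitor 1
  type echo protocol ipIcmpEcho <sla_monitor_address> interface <outside_interface>
!object network obj-SrcNet
!  subnet 0.0.0.0 0.0.0.0
!object network obj-amzn
!  subnet 0.0.0.0 0.0.0.0
!nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
"""
PLACEHOLDER = re.compile(r"<([a-z_]+)>")

def overlapping(vpc_cidr, local_cidr):
    """True when the VPC and the MacStadium network overlap (added check: such ranges cannot be routed over the tunnel)."""
    return ipaddress.IPv4Network(vpc_cidr).overlaps(ipaddress.IPv4Network(local_cidr))

def derive_values(vpc_cidr, local_cidr, outside_interface="Outside", private_interface="Private-1"):
    """Build the Table 1 values from two CIDR ranges; strict=True rejects a CIDR with host bits set."""
    if overlapping(vpc_cidr, local_cidr):
        raise ValueError(f"{vpc_cidr} overlaps {local_cidr}; the two networks must not overlap")
    vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)
    local = ipaddress.IPv4Network(local_cidr, strict=True)
    return {
        "outside_interface": outside_interface,
        "private_interface": private_interface,
        "outside_access_in": "outside_access_in",
        "amzn_vpn_map": "amzn_vpn_map",
        "vpc_subnet": str(vpc.network_address),
        "vpc_subnet_mask": str(vpc.netmask),            # /16 becomes 255.255.0.0
        "sla_monitor_address": str(vpc.network_address + 1),  # <vpc_subnet> plus one
        "local_subnet": str(local.network_address),
        "local_subnet_mask": str(local.netmask),
    }

def fill_placeholders(template, values):
    """Replace every <placeholder> (step 3); fail loudly if a value is missing."""
    def lookup(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for placeholder <{name}>")
        return values[name]
    return PLACEHOLDER.sub(lookup, template)

def uncomment(config, marker, rest_of_file=False):
    """Drop the leading '!' from the first line containing marker (step 4), or from it and every commented line after it (step 5)."""
    lines = config.splitlines()
    hit = False
    for i, line in enumerate(lines):
        if marker in line or (hit and rest_of_file):
            hit = True
            if line.startswith("!"):
                lines[i] = line[1:]
            if not rest_of_file:
                break
    return "\n".join(lines) + "\n"

def set_object_subnet(config, obj_name, subnet, mask):
    """Replace the 'subnet 0.0.0.0 0.0.0.0' line under 'object network obj_name' (step 7)."""
    pattern = re.compile(rf"(object network {re.escape(obj_name)}\n\s*subnet )0\.0\.0\.0 0\.0\.0\.0")
    new, count = pattern.subn(rf"\g<1>{subnet} {mask}", config)
    if count != 1:
        raise ValueError(f"expected one 'object network {obj_name}' block, found {count}")
    return new

def tcp_state_bypass(values, acl="acl-state-bypass", cm="cm-state-bypass", pm="pm-state-bypass"):
    """Route-based (VTI) VPN only: the Table 2 commands with the names filled in."""
    return "\n".join([
        f"access-list {acl} extended permit ip {values['local_subnet']} {values['local_subnet_mask']} {values['vpc_subnet']} {values['vpc_subnet_mask']}",
        f"class-map {cm}",
        f"  match access-list {acl}",
        f"policy-map {pm}",
        f"  class {cm}",
        "    set connection advanced-options tcp-state-bypass",
        f"service-policy {pm} interface {values['private_interface']}",
    ]) + "\n"

def build_config(template, vpc_cidr, local_cidr, route_based=False):
    """Run the page's procedure end to end and return the finished configuration text."""
    values = derive_values(vpc_cidr, local_cidr)
    cfg = fill_placeholders(template, values)                             # step 3
    cfg = uncomment(cfg, "access-list amzn-filter")                       # step 4
    cfg = uncomment(cfg, "object network obj-SrcNet", rest_of_file=True)  # step 5 (obj-SrcNet keeps 0.0.0.0, step 6)
    cfg = set_object_subnet(cfg, "obj-amzn", values["vpc_subnet"], values["vpc_subnet_mask"])  # step 7
    cfg = cfg.replace("nat (inside,outside)", f"nat ({values['private_interface']},{values['outside_interface']})")  # step 8
    if route_based:
        cfg += tcp_state_bypass(values)
    return cfg

if __name__ == "__main__":
    # Constructed, non-overlapping ranges for the VPC and the MacStadium Private-1 network.
    print(build_config(SAMPLE_TEMPLATE, "10.20.0.0/16", "10.254.0.0/24", route_based=True))
```

Two design choices are worth noting. strict=True makes ipaddress reject a VPC value whose host bits are set instead of silently masking it, and an unfilled placeholder raises KeyError, so a typo in the placeholder table cannot reach the device. To use the script on a real download, read the file into the template argument in place of SAMPLE_TEMPLATE and diff the result against the original before applying it.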

Next steps

If you are ready to feed the complete configuration into your Cisco ASA/ASAv, see Setting Up the MacStadium Side of the Site-to-Site VPN.