Hi, all. I have a Cisco ASA 5510 with older firmware 7.0(7) and no maintenance at the moment. So I know the first thing to do is update the software, but let's skip that for the moment.
I have an AWS VPC. I've created a VPN tunnel to the VPC and it's working fine. I also have a VPN tunnel from my ASA to our off-site colo facility which is also working fine. Both tunnels are going across the same interface.
AWS public subnet = 10.0.0.0/24, private subnet 10.0.1.0/24
local LAN segment for inside interface of ASA = 192.168.2.0/24
LAN segment at colo = 10.59.1.0/24
I need to have the servers in the colo communicate with the servers in AWS across the IPsec VPNs. I've read that this can be accomplished, but I can't seem to get the routing statements correct on the ASA.
I've created route tables in AWS and I've got them set to forward all traffic to 10.59.1.xxx through the virtual private gateway. Our ISP at the colo says he's forwarded all the traffic to 10.0.0.0/16 through the tunnel to the ASA.
If I assume the spokes are configured correctly (big assumption), then how do I configure the hub (ASA)?
Assuming that you have routing set up correctly (and it sounds like you do if both tunnels are working correctly), then the main thing that you need to do on the ASA is to use this command:
same-security-traffic permit intra-interface
The issue is that by default the ASA will not forward traffic out the same interface it arrived on. So a packet arrives on the outside interface from AWS and wants to be forwarded to the colo, which is back out the outside interface. By default this will not work, and with this command it will work.
You might also think about the related command, which is:
same-security-traffic permit inter-interface
This will allow forwarding between interfaces with the same security level. From your description I do not think it fits your environment. But I want to mention it just in case I might have misunderstood your environment.
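To make the answer concrete, here is an added hub-side configuration example in ASA 7.x syntax. It is not from the original post or from the person answering; the ACL names, the crypto map name and sequence numbers, and the peer addresses (RFC 5737 documentation ranges) are assumptions, and it assumes the AWS VPC CIDR is 10.0.0.0/16, which is what the colo ISP's routing in the question implies. Besides the `same-security-traffic permit intra-interface` command from the answer, it shows the two things a hub usually also needs for spoke-to-spoke traffic: the crypto ACL of each tunnel must declare the other spoke's subnet as interesting traffic, and the hairpinned flow must be exempted from NAT on the outside interface.

```text
! Hub ASA (7.x syntax), example only: allow traffic that arrived on
! outside to leave via outside again (AWS <-> colo hairpin)
same-security-traffic permit intra-interface

! Crypto ACL for the AWS tunnel: both the local LAN and the colo LAN
! are "interesting" toward the VPC (10.0.0.0/16 assumed as the VPC CIDR)
access-list outside_cryptomap_aws extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list outside_cryptomap_aws extended permit ip 10.59.1.0 255.255.255.0 10.0.0.0 255.255.0.0

! Crypto ACL for the colo tunnel: the mirror image, VPC prefix toward the colo LAN
access-list outside_cryptomap_colo extended permit ip 192.168.2.0 255.255.255.0 10.59.1.0 255.255.255.0
access-list outside_cryptomap_colo extended permit ip 10.0.0.0 255.255.0.0 10.59.1.0 255.255.255.0

! NAT exemption on the OUTSIDE interface for the hairpinned flow; without
! this the spoke-to-spoke packets can be translated and no longer match
! the crypto ACL of the second tunnel
access-list outside_nat0 extended permit ip 10.59.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list outside_nat0 extended permit ip 10.0.0.0 255.255.0.0 10.59.1.0 255.255.255.0
nat (outside) 0 access-list outside_nat0

! Bind the crypto ACLs to the existing crypto map entries
! (map name, sequence numbers and peer addresses are placeholders)
crypto map outside_map 10 match address outside_cryptomap_aws
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 20 match address outside_cryptomap_colo
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map interface outside
```

The peers have to agree with these selectors: the colo device's crypto ACL must list 10.0.0.0/16 behind the ASA, and the AWS side must route 10.59.1.0/24 to the virtual private gateway, as the question describes. To check the hub, use `show crypto ipsec sa` on the ASA and confirm that each tunnel shows an SA whose local/remote identities are the 10.59.1.0/24 and 10.0.0.0/16 pair and whose encaps/decaps counters increase when a colo host pings an AWS host; if the SA for that pair never comes up, the mismatch is in the proxy IDs on one of the peers rather than in the hairpin itself.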