I know I’m missing something simple, maybe you guys can help.
I can’t get my VPN working; here’s the network side if you’re interested: https://redd.it/3sfigk
On the AWS side:
I have a new VPC 172.31.0.0/16, with 4 subnets.
I created the Customer Gateway, Virtual Private Gateway and VPN Connection with the static routes back to my 2 LAN subnets. The VPN comes up on the first Tunnel, but I can’t get it to send any traffic back to my LAN.
My ASA shows nothing Rx on the VPN tunnel.
I checked the route table and the VPG is propagating the routes, and I see them in the route table.
I checked the security group and I’m allowing all traffic to both of my LAN subnets and to the SG itself. Outbound is wide open, and the network ACLs are wide open. I can ping between hosts on the AWS subnets.
Can anyone point out the glaringly obvious step that I have missed?
You added static routes in your VPN connection, but did you add the routes to your on-premises subnets to the VPC route table with a “Target” of the VGW? Also check your ACLs in AWS.
I turned on the route propagation in the Route table from the vgw, and they show up in the table. Network ACLs are all all all 0/0 allow inbound and outbound.
I’ve had routing issues with the two tunnel thing they want you to set up. I just killed the second tunnel config and it started working. Your mileage may vary.
Have you done a packet capture on the instance that you’re hitting to see if the packets are even being received there?
In your linked config I don’t see the NAT exemption, so it’s possible the traffic is hitting the instance with your Public IP, and the return traffic is being routed back out the IGW instead of the VGW.
EDIT: Example ASA NAT Exemption:
!-------------------
! #5: NAT Exemption
! If you are performing NAT on the ASA you will have to add a nat exemption rule.
! This varies depending on how NAT is set up. It should be configured along the lines of:
! object network obj-SrcNet
!  subnet 0.0.0.0 0.0.0.0
! object network obj-amzn
!  subnet vpc_subnet vpc_subnet_mask
! nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
!
! If using version 8.2 or older, the entry would need to look something like this:
! nat (inside) 0 access-list acl-amzn
! Or, the same rule in acl-amzn should be included in an existing no nat ACL.
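The failure mode described in the comment above (return traffic leaving through the IGW instead of the VGW when the on-prem prefix is not in the VPC route table) can be checked offline against the route table contents. The following is an added example, not code from the thread: it takes a list of routes shaped like the "Routes" entries that boto3's ec2.describe_route_tables() returns, performs the longest-prefix match the VPC uses, and reports where return traffic to each on-prem prefix would go. The VPC CIDR 172.31.0.0/16 is from the original post; the gateway IDs, on-prem prefixes and route origins are constructed sample values.

```python
import ipaddress

# Constructed sample shaped like one route table's "Routes" list from
# ec2.describe_route_tables(). Only the VPC CIDR comes from the thread;
# the gateway IDs and on-prem prefixes are made-up placeholders.
VPC_CIDR = "172.31.0.0/16"
ROUTES_WITH_VGW = [
    {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local",
     "Origin": "CreateRouteTable", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example",
     "Origin": "CreateRoute", "State": "active"},
    # propagated from the VGW, i.e. route propagation is enabled
    {"DestinationCidrBlock": "192.168.10.0/24", "GatewayId": "vgw-0example",
     "Origin": "EnableVgwRoutePropagation", "State": "active"},
    {"DestinationCidrBlock": "192.168.20.0/24", "GatewayId": "vgw-0example",
     "Origin": "EnableVgwRoutePropagation", "State": "active"},
]
# Same table with propagation off: only the local and default routes remain.
ROUTES_WITHOUT_VGW = ROUTES_WITH_VGW[:2]

ONPREM_CIDRS = ["192.168.10.0/24", "192.168.20.0/24"]


def next_hop(routes, dst_ip):
    """Return the GatewayId the VPC would use for dst_ip.

    VPC route tables pick the most specific (longest prefix) matching route;
    routes that are not in the active state are ignored. Static-vs-propagated
    tie-breaking for identical prefixes is not modelled here.
    """
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        if r.get("State", "active") != "active":
            continue
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r["GatewayId"])
    return best[1] if best else None


def check_return_path(routes, onprem_cidrs):
    """For each on-prem prefix, say whether return traffic reaches a VGW
    or leaks out through some other target (typically the IGW default route)."""
    report = {}
    for cidr in onprem_cidrs:
        # Probe with the first host address of the prefix.
        probe = str(next(ipaddress.ip_network(cidr).hosts()))
        gw = next_hop(routes, probe)
        if gw is not None and gw.startswith("vgw-"):
            report[cidr] = "ok"
        else:
            report[cidr] = f"leaks via {gw}"
    return report


if __name__ == "__main__":
    print("propagation on :", check_return_path(ROUTES_WITH_VGW, ONPREM_CIDRS))
    print("propagation off:", check_return_path(ROUTES_WITHOUT_VGW, ONPREM_CIDRS))
```

With propagation on, both on-prem prefixes resolve to the VGW; with it off, the default route wins and the reply packets leave through the IGW with no way back into the tunnel. Since the original poster reports the VGW routes are present, that narrows the remaining suspects to the ASA side (NAT exemption, NAT-T) rather than VPC routing.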
This is good advice. aws_n00b, after confirming your on-prem private net route points to your VGW, set up a capture statement on the ASA to see if traffic arrives at the firewall. This should quickly help you determine if the problem is with an ACL somewhere or a NAT statement.
Depending on the version of ASA, you may need a static route in your fw pointing traffic for the VPC CIDR to your outside interface. You’ll certainly need routes on your LAN to send VPC traffic to your ASA.
Can you ping a VPC IP from your outside ASA interface?
If you do a tracert from one of your instances to a node on your local LAN, where does it fail?
I removed one of the tunnel groups and there is no change. Thanks for the suggestion though. I even tried adding some static routes on the ASA and it didn’t help.
Yes, the route table includes my LAN subnets. I am getting packets dropped on 4500, so I’m looking at NAT-T issues. Also tried various NAT statements.
Tried with and without static routes, and the rest of the network already points to the ASA as default route.
No, I cannot ping any VPC IP from the outside interface.
No replies at all; even out to the internet I only start getting a response after the 3rd hop.