Friday 26 March 2021

Cisco ASA BGP VPN to AWS

ASA Basics

Login credentials are in LastPass. The superuser in the ASDM is enable_15. Once logged in, create your own login by going to Configuration > Device Management > Users/AAA > User Accounts and add yourself a user with Privilege Level 15. You will need to do this before you can log in using SSH. Once you have a user, always use it rather than enable_15, so that changes on the device are attributable to a named account.

You can SSH to the box with any SSH client at 172.16.1.252. Log in with your own user. You will then most likely need to elevate your privileges by running the command enable and entering the enable_15 user's password. Once you are in privileged (enable) mode you can run show commands directly, for example show bgp summary (sh bgp summ) to see the BGP neighbour status, or show bgp neighbors for more detail; conf t (configure terminal) is only needed when you intend to change the configuration. The same information can also be found in the ASDM.

Always take a backup before making changes. This can be done from Tools > Backup Configurations. Click 'Browse Local' and pick where you want to store it. 

Whenever you make a change and apply it, you need to click Save at the top. It will also prompt you to save when you exit the ASDM. If you don't save, the change won't persist through a reboot unless you specifically tell it to when scheduling the reload.

To do a reboot, go to Tools > System Reload. From here you can choose to schedule the reload (reload is Cisco terminology for restart/reboot). If you leave the options at their defaults and click the 'Schedule Reload' button, it reloads immediately.

BGP (Border Gateway Protocol) is a routing protocol. AWS Site-to-Site VPN connections created with dynamic rather than static routing use BGP. Each connection comes as a pair of tunnels; if one goes down, the routes learned over it are withdrawn and our VPN endpoint automatically directs all traffic down the tunnel that is still up. AWS does maintenance on its tunnels without warning, so dynamic routing is essential.
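As an added example (not part of the original post), here is a small Python check for the failover property described above, run over the output of show bgp summary mentioned in the SSH section. Both AWS neighbors should be Established and each should be receiving the expected number of prefixes (one, the VPC CIDR, with the prefix lists used later on this page); a neighbor showing an FSM state such as Active or Idle is a tunnel you are currently not protected by. The sample output below is constructed, not captured from the device, and the AS numbers and addresses are the ones used elsewhere on this page.

```python
import re

# Constructed sample of `show bgp summary` from an ASA (not captured from a real
# device): two AWS neighbors, the second of which has dropped and is reconnecting.
SAMPLE_SHOW_BGP_SUMMARY = """\
BGP router identifier 172.16.1.252, local AS number 65000
BGP table version is 7, main routing table version 7
2 network entries using 400 bytes of memory
2 path entries using 160 bytes of memory

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.105.45  4        64512    1203    1198        7    0    0 02:13:45        1
169.254.50.141  4        64512      14      16        0    0    0 00:00:31 Active
"""

# One neighbor row: IP, version, AS, five counters, Up/Down, then State/PfxRcd.
NEIGHBOR_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)"
    r"\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)


def parse_bgp_summary(text):
    """Map neighbor IP -> dict(as, up_down, established, prefixes, state)."""
    neighbors = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        state = m.group("state").strip()
        # IOS/ASA print the received-prefix count only when the session is
        # Established; otherwise the column holds the FSM state (Idle, Active,
        # Connect, OpenSent, OpenConfirm, or "Idle (Admin)" when shut down).
        established = state.isdigit()
        neighbors[m.group("ip")] = {
            "as": int(m.group("asn")),
            "up_down": m.group("updown"),
            "established": established,
            "prefixes": int(state) if established else None,
            "state": "Established" if established else state,
        }
    return neighbors


def check_tunnels(neighbors, expected_as, expected_prefixes):
    """Return a list of problems; an empty list means both tunnels carry the expected routes."""
    problems = []
    if len(neighbors) < 2:
        problems.append("fewer than two BGP neighbors configured; no tunnel redundancy")
    for ip, n in sorted(neighbors.items()):
        if n["as"] != expected_as:
            problems.append(f"{ip}: remote AS {n['as']} != expected {expected_as}")
        if not n["established"]:
            problems.append(f"{ip}: session not Established (state {n['state']} for {n['up_down']})")
        elif n["prefixes"] != expected_prefixes:
            problems.append(f"{ip}: receiving {n['prefixes']} prefixes, expected {expected_prefixes}")
    return problems


if __name__ == "__main__":
    found = parse_bgp_summary(SAMPLE_SHOW_BGP_SUMMARY)
    for problem in check_tunnels(found, expected_as=64512, expected_prefixes=1):
        print("WARN", problem)
```

Paste the real output of show bgp summary into SAMPLE_SHOW_BGP_SUMMARY (or read it from a file) to run the check against the device; the same parser works for the IOS-style output of other Cisco platforms.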




Tunnel configuration in AWS:

In AWS, go to Services > VPC and under Virtual Private Network (VPN) select Site-to-Site VPN Connections. Here you will see the configuration for the AWS side of the tunnel. It consists of a customer gateway (our Cisco ASA) and a virtual private gateway (the AWS endpoint). From this screen you can download the configuration, which is the list of commands you paste into the ASA. A few changes need to be made to that file before you do so:

Do a find and replace on 'outside_interface' (include the quotes, as they appear in the file) and change it to the name of the outside interface on the ASA, typically GigabitEthernet1/1. Check the result before pasting: ASA commands that bind to an interface, such as crypto ikev1 enable and tunnel source interface, take the interface's nameif (for example outside) rather than the physical port name.

Find and replace crypto ikev1 policy 200 and crypto ikev1 policy 201 with the next available numbers if you have existing policies/tunnels on your device (each must be incremented to a number not already in use; check with show running-config crypto ikev1).

Find and replace interface Tunnel1 and interface Tunnel2 with the next available numbers if you have existing tunnels on your device (each must be incremented to a number not already in use; check with show running-config interface).

The line below each interface Tunnel line reads nameif Tunnel-*** (an AWS-assigned ID). Change this to something more meaningful to us to make administration in the ASDM easier. A nameif must be a single word with no spaces.

Finally, the config doesn't come with any routing information. This must be added by copying the block below to the end of the config file and editing it. The IN prefix list restricts what we accept from AWS to the VPC range and the OUT prefix list restricts what we advertise to our office network, so neither side can inject routes for anything else. Make sure the route-map names on the neighbor lines match the route-maps defined above them.

prefix-list nameoftunnel-IPV4-BGP-IN seq 5 permit IP CIDR Block in AWS
prefix-list nameoftunnel-IPV4-BGP-OUT seq 5 permit Office Network
route-map PASS permit 10
route-map nameoftunnel-IPV4-BGP-IN permit 10
match ip address prefix-list nameoftunnel-IPV4-BGP-IN
route-map nameoftunnel-IPV4-BGP-OUT permit 10
match ip address prefix-list nameoftunnel-IPV4-BGP-OUT

router bgp 65000
address-family ipv4 unicast
neighbor 169.254.105.45 remote-as 64512
neighbor 169.254.105.45 activate
neighbor 169.254.105.45 route-map nameoftunnel-IPV4-BGP-IN in
neighbor 169.254.105.45 route-map nameoftunnel-IPV4-BGP-OUT out
neighbor 169.254.50.141 remote-as 64512
neighbor 169.254.50.141 activate
neighbor 169.254.50.141 route-map nameoftunnel-IPV4-BGP-IN in
neighbor 169.254.50.141 route-map nameoftunnel-IPV4-BGP-OUT out
redistribute connected route-map PASS
redistribute static route-map PASS
no auto-summary
no synchronization


Find and replace nameoftunnel with something relevant to the new tunnel, for example TestEnvironment (one word, no spaces, since it forms part of the prefix-list and route-map names).

Find and replace IP CIDR Block in AWS with the CIDR range of the VPC in AWS (the VPC, not a subnet).

Find and replace Office Network with the CIDR block of the network you want to allow access from (where your ASA is).

Find and replace 169.254.105.45 with the IP address of the BGP neighbor given in section #4 (BGP) of the first tunnel in the AWS configuration.

Find and replace 169.254.50.141 with the IP address of the BGP neighbor given in section #4 (BGP) of the second tunnel in the AWS configuration.
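The whole editing procedure above, as an added example rather than anything from the page or from AWS: a Python script that performs the find-and-replace steps on the downloaded file and appends the routing block, allocating policy and tunnel numbers that are not already in the running config. AWS_TEMPLATE and RUNNING_CONFIG are constructed stand-ins (the real download is much longer and its exact layout may differ); the tunnel name, nameif, VPC and office CIDRs in the usage are assumed values; and the BGP neighbor addresses are derived as the other host of each tunnel's /30, so cross-check them against section #4 of the AWS file rather than trusting the derivation alone.

```python
import ipaddress
import re

# Constructed stand-in for the file downloaded from the AWS console: only the lines
# the procedure edits are reproduced, with made-up AWS IDs and tunnel addresses.
AWS_TEMPLATE = """\
crypto ikev1 enable 'outside_interface'
crypto ikev1 policy 200
crypto ikev1 policy 201
interface Tunnel1
 nameif Tunnel-int-vpn-0a1b2c3d-0
 ip address 169.254.105.46 255.255.255.252
 tunnel source interface 'outside_interface'
interface Tunnel2
 nameif Tunnel-int-vpn-0a1b2c3d-1
 ip address 169.254.50.142 255.255.255.252
 tunnel source interface 'outside_interface'
"""

# Constructed fragment of the ASA's running config: an earlier tunnel pair already
# uses policies 200/201 and Tunnel1/Tunnel2, so the template's numbers collide.
RUNNING_CONFIG = """\
crypto ikev1 policy 10
crypto ikev1 policy 200
crypto ikev1 policy 201
interface Tunnel1
interface Tunnel2
"""

# The routing block from the page, with its placeholders turned into format fields.
ROUTING_TEMPLATE = """\
prefix-list {name}-IPV4-BGP-IN seq 5 permit {vpc}
prefix-list {name}-IPV4-BGP-OUT seq 5 permit {office}
route-map PASS permit 10
route-map {name}-IPV4-BGP-IN permit 10
 match ip address prefix-list {name}-IPV4-BGP-IN
route-map {name}-IPV4-BGP-OUT permit 10
 match ip address prefix-list {name}-IPV4-BGP-OUT
router bgp {local_as}
 address-family ipv4 unicast
{neighbors}
  redistribute connected route-map PASS
  redistribute static route-map PASS
  no auto-summary
  no synchronization
"""

IKE_POLICY = r"^(crypto ikev1 policy )(\d+)$"
TUNNEL_IF = r"^(interface Tunnel)(\d+)$"


def used_numbers(config, pattern):
    return {int(num) for _prefix, num in re.findall(pattern, config, flags=re.M)}


def allocate(used, start, count):
    """Return `count` numbers >= start that are not in `used`, ascending."""
    out, n = [], start
    while len(out) < count:
        if n not in used:
            out.append(n)
        n += 1
    return out


def renumber(text, pattern, mapping):
    """Single-pass rewrite so 200->201 and 201->202 cannot cascade into 200->202."""
    return re.sub(pattern, lambda m: m.group(1) + str(mapping[int(m.group(2))]), text, flags=re.M)


def bgp_neighbors(template):
    """The AWS BGP peer is the other host of each tunnel's /30 (verify against section #4)."""
    peers = []
    for ip, mask in re.findall(r"^ ip address (\S+) (\S+)$", template, flags=re.M):
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        others = [h for h in net.hosts() if str(h) != ip]
        if net.prefixlen != 30 or len(others) != 1:
            raise ValueError(f"{ip} {mask} is not a point-to-point /30")
        peers.append(str(others[0]))
    return peers


def build_config(template, running, name, outside_nameif, vpc_cidr, office_cidr,
                 local_as=65000, remote_as=64512):
    """Return (config_text, ike_policy_map, tunnel_map) ready to paste into the ASA."""
    vpc = ipaddress.ip_network(vpc_cidr)          # strict: a host address is rejected
    office = ipaddress.ip_network(office_cidr)
    if vpc.overlaps(office):
        raise ValueError("VPC and office CIDRs overlap; the prefix lists would admit each other's routes")
    if " " in name or len(name) + 2 > 48:           # nameif is one word of at most 48 characters
        raise ValueError("tunnel name must be a single word that fits an ASA nameif")
    text = re.sub(r"'?outside_interface'?", outside_nameif, template)
    ike_in = sorted(used_numbers(template, IKE_POLICY))
    ike_map = dict(zip(ike_in, allocate(used_numbers(running, IKE_POLICY), ike_in[0], len(ike_in))))
    text = renumber(text, IKE_POLICY, ike_map)
    tun_in = sorted(used_numbers(template, TUNNEL_IF))
    tun_map = dict(zip(tun_in, allocate(used_numbers(running, TUNNEL_IF), 1, len(tun_in))))
    text = renumber(text, TUNNEL_IF, tun_map)
    counter = iter(range(1, len(tun_in) + 1))      # meaningful nameif per tunnel: name-1, name-2
    text = re.sub(r"^ nameif Tunnel-\S+$", lambda m: f" nameif {name}-{next(counter)}", text, flags=re.M)
    lines = []
    for peer in bgp_neighbors(template):
        lines += [f"  neighbor {peer} remote-as {remote_as}", f"  neighbor {peer} activate",
                  f"  neighbor {peer} route-map {name}-IPV4-BGP-IN in",
                  f"  neighbor {peer} route-map {name}-IPV4-BGP-OUT out"]
    routing = ROUTING_TEMPLATE.format(name=name, vpc=vpc, office=office,
                                      local_as=local_as, neighbors="\n".join(lines))
    return text + routing, ike_map, tun_map


if __name__ == "__main__":
    cfg, _, _ = build_config(AWS_TEMPLATE, RUNNING_CONFIG, "TestEnvironment", "outside",
                             "10.20.0.0/16", "172.16.0.0/22")   # assumed values
    print(cfg)
```

To use it on a real download, read the AWS file and the output of show running-config into AWS_TEMPLATE and RUNNING_CONFIG; the script refuses overlapping CIDRs and a tunnel name that cannot be a nameif, and it only ever allocates numbers that are absent from the running config, which is the mistake the manual find-and-replace steps make easiest.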


With your completed configuration file, copy it and paste it into the ASDM by going to Tools > Command Line Interface and switching to Multiple Line mode. Once pasted, click Send and it will run against the ASA. Close the window, wait 10-15 seconds and you will be prompted to refresh the configuration, which is now live. The tunnels can take a few minutes to establish; check them with show bgp summary (both neighbors should show a prefix count rather than a state such as Active or Idle) before you save.




Additional configuration required in AWS

In AWS, you will need to edit the route table for the subnets so that traffic for your office network is routed to the virtual private gateway used by the VPN connection, either as a static route or by enabling route propagation on the route table so that the prefix the ASA advertises over BGP is installed automatically.

You will also need to configure the security groups for any EC2 instances to allow the traffic you want from the office network (RDP/ICMP, for example). Scope those rules to the office CIDR rather than 0.0.0.0/0.
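The two AWS-side steps above, as an added example that is not from the page: a Python function that makes the EC2 API calls through an injected client, so the same code can be run against a dry-run recorder (shown) or a real boto3 EC2 client. The boto3 method names and parameters are real; the route-table, gateway and security-group IDs are placeholders and the office CIDR is an assumed value. The function defaults to route propagation and falls back to a static route, and it refuses a wildcard source for the security-group rules.

```python
import ipaddress


def office_ingress_rules(office_cidr):
    """Security-group ingress for RDP and ICMP, scoped to the office CIDR only."""
    net = ipaddress.ip_network(office_cidr)
    if net.prefixlen == 0:
        raise ValueError("refusing a 0.0.0.0/0 source; scope the rules to the office network")
    src = [{"CidrIp": str(net), "Description": "office via site-to-site VPN"}]
    return [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": src},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": src},
    ]


def aws_side_setup(ec2, route_table_ids, vgw_id, sg_id, office_cidr, propagate=True):
    """Apply the AWS-side changes through an EC2 client; returns (api_name, kwargs) in call order."""
    rules = office_ingress_rules(office_cidr)      # validate before touching anything
    calls = []
    for rtb in route_table_ids:
        if propagate:
            # The VGW installs whatever prefix the ASA advertises over BGP, so the
            # route table follows the OUT prefix list instead of a hand-typed CIDR.
            kw = {"RouteTableId": rtb, "GatewayId": vgw_id}
            ec2.enable_vgw_route_propagation(**kw)
            calls.append(("enable_vgw_route_propagation", kw))
        else:
            kw = {"RouteTableId": rtb, "DestinationCidrBlock": office_cidr, "GatewayId": vgw_id}
            ec2.create_route(**kw)
            calls.append(("create_route", kw))
    kw = {"GroupId": sg_id, "IpPermissions": rules}
    ec2.authorize_security_group_ingress(**kw)
    calls.append(("authorize_security_group_ingress", kw))
    return calls


class DryRunEc2:
    """Stand-in for boto3.client('ec2') that records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {"Return": True}
        return method


if __name__ == "__main__":
    # Placeholder IDs; swap DryRunEc2() for boto3.client("ec2") to apply for real.
    client = DryRunEc2()
    for api, kwargs in aws_side_setup(client, ["rtb-0123456789abcdef0"],
                                      "vgw-0123456789abcdef0", "sg-0123456789abcdef0",
                                      "172.16.0.0/22"):
        print(api, kwargs)
```

Run it first with the dry-run client and read the recorded calls; they are exactly the arguments a real client would receive, which makes the review of what is about to change in the account straightforward.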





Additional configuration needed at the office network

You will need to configure a static route on your office router that sends traffic for the AWS VPC CIDR to the ASA, so that office hosts reach the VPC via the tunnels.

