You are here in the workflow: AWS-Orka Connections | 1. AWS Side of the VPN Tunnel | 2. VPN Tunnel Configuration File | 3. Orka Side of the VPN Tunnel | 4. Verifying the VPN Tunnel | VPN Tunnel Troubleshooting
After you have created your VPN tunnel in Amazon, you need to configure your Cisco firewall to recognize the connection and let traffic into your Orka cluster.
Amazon provides a semi-prefilled configuration file with very detailed instructions. First, you need to download the configuration file and provide the missing information indicated by placeholders. Next, you'll need to feed the configuration into your Cisco ASAv to complete the setup.
- Verify that you are logged in your AWS Management Console and you're working in the correct region.
- Verify that you have created a tunnel in Amazon.
- Navigate to your VPC service. In the VPC service sidebar, locate the Virtual Private Network menu and select Site-to-Site VPN Connections.
- In the list, select your newly created VPN connection and click Download Configuration.
- Fill in the form and click Download.
- For Vendor, select Cisco Systems, Inc..
- For Platform, select ASA 5500 Series.
- For Software, select ASA 9.x for a policy-based VPN OR ASA 9.7 + VTI for a route-based VPN.
Unless you have extensive experience with AWS and ASAv configurations, follow the instructions in the configuration file to the letter. Otherwise, your site-to-site VPN might not work as expected.
- Open the configuration file in a text editor.
- Replace all placeholders with their respective values.
The name of the outside interface of your Cisco ASAv device (the
Any unique name. This will be the name for the access control list that permits the creation of the tunnel and the traffic over it.
The IPv4 address of your Amazon VPC (without the subnet mask bit notation).
You can get this value by selecting your VPC in AWS > VPC dashboard and checking the Details at the bottom of the screen.
The subnet mask for your Amazon VPC, converted from its CIDR notation.
You can get this value by selecting your VPC in AWS > VPC dashboard and checking the Description at the bottom of the screen. You need to convert the subnet mask bit notation to the correct subnet mask (e.g., the
Any unique name for the crypto map. It must not be already in use by any other crypto maps you might have configured.
An IP address in your Amazon VPC that can serve as an SLA monitor keeping the site-to-site tunnel alive.
You can set this to the
The IP address for the
The subnet mask for the
- Uncomment the following lines. To uncomment, remove
!at the start of the line.
access-list amzn-filter extended permit ip ...
nat-related configuration at the end of the config file.
- Keep the following line. This ensures the SLA monitor works as expected.
object network obj-SrcNet subnet 0.0.0.0 0.0.0.0
Note that based on your network configuration and requirements, you can modify this line to map to the subnet and the subnet mask for the
Private-1 network from your IP Plan. If you choose to modify this line, do not configure the
- (Optional) Delete the remaining commented lines to clean up the file. Commented lines are indicated by
!at the beginning of the line.
- Save your changes.
Updated 5 months ago