Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
428
Views
2
Helpful
14
Replies

IPSEC VPN

Go to solution
fmugambi
Spotlight
Spotlight

‎04-25-2024 02:56 AM

Hello Team,

I have below topology : -

fmugambi_0-1714037714524.png

I have ipsec vpn from on-prem to aws cloud. the two endpoints  [192.168.40.10/32, 192.168.30.10/32] work fine as they are allowed on the encryption domain.

I have users using remote vpn to connect to on-prem dc to access on-prem resources - they can reach 192.168.40.10/32. There is a need for them to reach a portal on aws cloud [192.168.30.10/32]. 

How can I achieve this?

Your support will be appreciated.

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎04-25-2024 03:01 AM

Two simple point

One add RA VPN pool to ACL of ipsec VPN

Second use no-NAT that includes the RA VPN and subnet .30

That it.

By the way you have other post about ikev2 did you try ikev1? Was that issue solved?

MHM

View solution in original post

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to fmugambi

‎04-25-2024 03:48 AM

I think you are referring to the security ACLs in this case, not the encryption domains ACLs? anyway, if you want to allow the remote users traffic to hit AWS portal you would need to treat the remote users subnet as if it is a local subnet to the on-prem firewall, which means it has to be added to the on-prem local encryption domains to AWS VPN tunnel, a NAT exemption rule with (nat (outside,outside) ...) must be created (I assumed your on-prem firewall external interface is called outside), and on AWS side the remote users VPN subnet must be configured to be routed back to the on-prem firewall over the VPN tunnel.

View solution in original post

0 Helpful
14 Replies 14

Go to solution
MHM Cisco World
VIP
VIP

‎04-25-2024 03:01 AM

Two simple point

One add RA VPN pool to ACL of ipsec VPN

Second use no-NAT that includes the RA VPN and subnet .30

That it.

By the way you have other post about ikev2 did you try ikev1? Was that issue solved?

MHM

0 Helpful

Go to solution
fmugambi
Spotlight
Spotlight
In response to MHM Cisco World

‎04-25-2024 03:03 AM

not yet, its on prod, approval process is yet to conclude, then i can test. i put it on hold till done with approval.

Thanks.

0 Helpful

Go to solution
fmugambi
Spotlight
Spotlight
In response to MHM Cisco World

‎04-25-2024 03:05 AM

what about allowed networks/encryption domain?

assume i have multiple ipsec vpns, the acl am touching is just specific to this ipsec vpn? cause i kinda have bundled all my ipsec acls together.

Go to solution
MHM Cisco World
VIP
VIP
In response to fmugambi

‎04-25-2024 03:07 AM

Sorry it mandatory to add RA VPN pool to ACL.

And using one ACL is work but not optimal.

MHM

0 Helpful

Go to solution
fmugambi
Spotlight
Spotlight
In response to MHM Cisco World

‎04-25-2024 03:28 AM

do i need to add it to the encryption domain? or under access control on policies? am using cisco ftd

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to fmugambi

‎04-25-2024 03:28 AM

What do you mean by bundled all my IPsec ACLs together?

0 Helpful

Go to solution
fmugambi
Spotlight
Spotlight
In response to Aref Alsouqi

‎04-25-2024 03:38 AM

if i have 40 ipsec tunnels, i dont have corresponding 40 acls, i have 2 acls, one for incoming , one for outgoing, but in each all protected networks are in each acl respectively ie. if its incoming, one acl, has entries for all remote networks as destination and all local subnets for local network.

Hope i make sense.

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to fmugambi

‎04-25-2024 03:48 AM

I think you are referring to the security ACLs in this case, not the encryption domains ACLs? anyway, if you want to allow the remote users traffic to hit AWS portal you would need to treat the remote users subnet as if it is a local subnet to the on-prem firewall, which means it has to be added to the on-prem local encryption domains to AWS VPN tunnel, a NAT exemption rule with (nat (outside,outside) ...) must be created (I assumed your on-prem firewall external interface is called outside), and on AWS side the remote users VPN subnet must be configured to be routed back to the on-prem firewall over the VPN tunnel.

0 Helpful

Go to solution
fmugambi
Spotlight
Spotlight
In response to Aref Alsouqi

‎04-25-2024 04:08 AM

understood,

so ideally if like an addition local on-prem subnet.

Got it thanks.

Go to solution
fmugambi
Spotlight
Spotlight

‎04-25-2024 03:32 AM - edited ‎04-25-2024 03:34 AM

fmugambi_1-1714041246397.png

 

the protected networks is what am referring to as encryption domain, so am adding the ra pool here, or under policies, or both?

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to fmugambi

‎04-25-2024 03:35 AM - edited ‎04-25-2024 03:36 AM

Protect network' add RA VPN in this part of vpn topolgy.

Also I forget you need route in other Peer for RA VPN.

And for policy' if you meaning ACP you also need to add it there.

MHM

0 Helpful

Go to solution
fmugambi
Spotlight
Spotlight
In response to MHM Cisco World

‎04-25-2024 03:39 AM

AWS Peer? or on-prem peer.

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎04-25-2024 03:41 AM

AWS friend 

Prem peer RA VPN is direct connect so no need route

MHM

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎04-25-2024 04:13 AM

Other point sure you will ask it later 

No-NAT

If the RA VPN is connect to same IPsec interface then no-NAT will be 

Nat(out'out)

If the RA VPN have different interface than IPsec then 

Nat(RA VPN interface, IPsec interface)

Goodluck in your task 

MHM

0 Helpful
Customers Also Viewed These Support Documents