Below is the sample configuration received from Amazon VPN support, with which a successful VPN tunnel was established:
******************
ASA Version 8.4(1)
!
hostname ciscoasa
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.x.x 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.x.x 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_SrcNet
subnet 0.0.0.0 0.0.0.0
object network obj-Amzn
subnet 10.0.x.x 255.255.0.0
object network DynamicNatOut
subnet 0.0.0.0 0.0.0.0
object network obj-test
subnet 172.31.x.x 255.255.0.0
access-list outside_in extended permit ip host 72.21.x.x host 192.168.x.x
access-list outside_in extended permit ip host 72.21.x.x host 192.168.x.x
access-list outside_in extended permit ip host 205.251.x.x host 192.168.x.x
access-list outside_in extended permit ip host 205.251.x.x host 192.168.x.x
access-list acl-amzn extended permit ip any object obj-Amzn
access-list acl-test extended permit ip any 172.31.x.x 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap debugging
logging facility 21
logging host outside *.*.*.*
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj_SrcNet obj_SrcNet destination static obj-test obj-test
nat (inside,outside) source static obj_SrcNet obj_SrcNet destination static obj-Amzn obj-Amzn
!
object network DynamicNatOut
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1387
sla monitor 1
type echo protocol ipIcmpEcho 10.0.x.x interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 3
type echo protocol ipIcmpEcho 10.0.x.x interface outside
frequency 5
sla monitor schedule 3 life forever start-time now
sla monitor 5
type echo protocol ipIcmpEcho 172.31.x.x interface outside
frequency 5
sla monitor schedule 5 life forever start-time now
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-test esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df outside
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set peer 72.21.x.x 72.21.x.x
crypto map amzn_vpn_map 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map 2 match address acl-test
crypto map amzn_vpn_map 2 set pfs
crypto map amzn_vpn_map 2 set peer 205.251.x.x 205.251.x.x
crypto map amzn_vpn_map 2 set ikev1 transform-set transform-test
crypto map amzn_vpn_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 10.10.x.x-10.10.x.x inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 72.21.x.x type ipsec-l2l
tunnel-group 72.21.x.x ipsec-attributes
ikev1 pre-shared-key *
isakmp keepalive threshold 20 retry 5
tunnel-group 72.21.x.x type ipsec-l2l
tunnel-group 72.21.x.x ipsec-attributes
ikev1 pre-shared-key *
isakmp keepalive threshold 20 retry 5
tunnel-group 205.251.x.x type ipsec-l2l
tunnel-group 205.251.x.x ipsec-attributes
ikev1 pre-shared-key *
isakmp keepalive threshold 20 retry 5
tunnel-group 205.251.x.x type ipsec-l2l
tunnel-group 205.251.x.x ipsec-attributes
ikev1 pre-shared-key *
isakmp keepalive threshold 20 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email test@xyz.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:*
: end
******************
Also, please make sure the following command is enabled on the ASA to allow the ICMP traffic that the SLA monitor uses.
icmp permit any outside
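As an added example (not part of the post, and not code from Amazon support), here is a small Python audit that parses an excerpt of the configuration above: it flags the 3DES and DH group 2 settings in the IKEv1 policies, confirms that every peer named in a crypto map has a matching ipsec-l2l tunnel-group, and checks that the icmp permit any outside line required by the note above is present. The excerpt is constructed from the post's own lines with its masked addresses, and the weak-setting thresholds (DES/3DES, DH groups 1 and 2) are this example's own choices.

```python
import re
# Constructed excerpt of the config above (addresses masked the same way the post masks them).
SAMPLE_CONFIG = """\
icmp permit any outside
crypto map amzn_vpn_map 1 set peer 72.21.x.x 72.21.x.x
crypto map amzn_vpn_map 2 set peer 205.251.x.x 205.251.x.x
crypto ikev1 policy 201
encryption aes
hash sha
group 2
crypto ikev1 policy 65535
encryption 3des
hash sha
group 2
tunnel-group 72.21.x.x type ipsec-l2l
tunnel-group 205.251.x.x type ipsec-l2l
"""
POLICY_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_ikev1_policies(cfg):
    """Map each 'crypto ikev1 policy N' block to its attributes; works with or without indentation."""
    policies, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            cur = policies.setdefault(int(m.group(1)), {})
            continue
        key, _, val = line.partition(" ")
        if cur is not None and key in POLICY_ATTRS:
            cur[key] = val
        else:
            cur = None  # any non-attribute line ends the policy block
    return policies

def audit(cfg):
    """Flag weak IKEv1 policies, crypto-map peers without a tunnel-group, and a missing ICMP permit."""
    findings = []
    for prio, p in sorted(parse_ikev1_policies(cfg).items()):
        if p.get("encryption") in ("des", "3des"):
            findings.append(f"policy {prio}: {p['encryption'].upper()} encryption")
        if p.get("group") in ("1", "2"):
            findings.append(f"policy {prio}: weak DH group {p['group']}")
    # 'set peer A B' names a primary and a backup peer; each needs its own ipsec-l2l tunnel-group
    peers = {x for m in re.finditer(r"^\s*crypto map \S+ \d+ set peer (.+)$", cfg, re.M) for x in m.group(1).split()}
    groups = set(re.findall(r"^\s*tunnel-group (\S+) type ipsec-l2l$", cfg, re.M))
    findings += [f"peer {x}: no ipsec-l2l tunnel-group" for x in sorted(peers - groups)]
    if "icmp permit any outside" not in (l.strip() for l in cfg.splitlines()):
        findings.append("missing 'icmp permit any outside' (SLA monitor needs ICMP)")
    return findings
```

Run audit() over a full running-config dump to get the same checks against the real device; on the excerpt it reports the group 2 policies and the 3DES fallback policy and nothing else.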