Can't ping or traceroute through EC2 using AWS Site-to-Site VPN to Cisco ASA

My VPC is connected to Cisco ASA, tunnel is shown to be UP in the AWS console.

What is working:

  • The engineer on the Cisco side has successfully pinged my EC2 instance within my private 10.5.0.0/17 subnet range.
  • Cisco side SLA is working and pinging.
  • Tunnel is up.

What is not working:

  • I cannot ping their network within their subnet range 192.168.0.0/21.

AWS Configurations:

Route Table for the subnet:

Destination        Target                  Status   Propagated
0.0.0.0/0          nat-000b0728fc3ee1267   Active   No
10.2.0.0/16        pcx-0901efe0ec72e2727   Active   No
10.5.0.0/16        local                   Active   No
192.168.0.0/21     vgw-014d07635177a0b23   Active   Yes

Security group of AWS instances: Inbound:

Type   IP version   Protocol   Port range   Source
All    IPv4         All        N/A          192.168.0.0/21

Security group of AWS instances: Outbound:

Type   IP version   Protocol   Port range   Destination
All    IPv4         All        N/A          0.0.0.0/0

Network ACL outbound:

Rule number Type        Protocol Port   Destination      Allow/Deny
100         All traffic All      All    0.0.0.0/0        Allow
200         All traffic All      All    192.168.0.0/21   Allow
*           All traffic All      All    0.0.0.0/0        Deny

Network ACL inbound:

Rule number Type           Protocol  Port   Source           Allow/Deny
100         All traffic    All       All    0.0.0.0/0        Allow
200         All traffic    All       All    192.168.0.0/21   Allow
*           All traffic    All       All    0.0.0.0/0        Deny

VPN Site-to-Site static route tab:

IP prefixes      State
192.168.0.0/21   Available

Tunnel Details:

Routing Type: Routing Static
Local IPv4 network CIDR: 192.168.0.0/21
Remote IPv4 network CIDR: 10.5.0.0/17

Security groups outbound:

IP version   Type          Protocol   Port range   Destination
IPv4         All traffic   All        All          0.0.0.0/0

Security groups inbound:

IP version   Type          Protocol   Port range   Source
IPv4         All traffic   All        All          192.168.0.0/21

In short: traffic outbound from my EC2 instance (IP 10.5.55.214) never seems to reach the Cisco device (or at least that is what has been implied).

Other tests I have run:

Reachability Analyzer: Reachable

Name           Path ID                 Reachability status   Source                Destination            Destination port   Protocol
192.168.0.28   nip-0d2801c29eef99582   Reachable             i-0a11d82798368c646   vgw-014d07635177a0b2

Traceroute on EC2:

traceroute to 192.168.0.28 (192.168.0.28), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * *......
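The AWS-side pieces listed in the question (route table, security group, network ACLs) can be checked mechanically for one flow. The following is an added example, not part of the question or any AWS tooling; the rule sets are transcribed from the tables above and treated as complete, and the evaluation order (longest-prefix route match, NACL rules in ascending number with an implicit final deny, stateful security groups) follows documented VPC behaviour. It reports whether an ICMP echo from 10.5.55.214 to 192.168.0.28 is routed to the VGW and permitted in both directions on the AWS side.

```python
import ipaddress

# Transcribed from the question's route table (destination, target).
ROUTES = [
    ("0.0.0.0/0", "nat-000b0728fc3ee1267"),
    ("10.2.0.0/16", "pcx-0901efe0ec72e2727"),
    ("10.5.0.0/16", "local"),
    ("192.168.0.0/21", "vgw-014d07635177a0b23"),
]
# Network ACL rules as (rule number, CIDR, action); the '*' rule is modelled
# as the implicit deny at the end of nacl_decision().
NACL_OUT = [(100, "0.0.0.0/0", "allow"), (200, "192.168.0.0/21", "allow")]
NACL_IN = [(100, "0.0.0.0/0", "allow"), (200, "192.168.0.0/21", "allow")]
# Security group "All traffic" rules, as the CIDRs they allow.
SG_OUT = ["0.0.0.0/0"]
SG_IN = ["192.168.0.0/21"]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match, which is how a VPC route table picks a target."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def nacl_decision(addr, rules):
    """NACLs are stateless and evaluated in ascending rule-number order; the
    first matching rule decides, and anything unmatched hits the '*' deny."""
    ip = ipaddress.ip_address(addr)
    for _num, cidr, action in sorted(rules):
        if ip in ipaddress.ip_network(cidr):
            return action
    return "deny"


def sg_allows(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def check_flow(src, dst):
    """Evaluate every AWS-side control an ICMP echo from src to dst crosses."""
    result = {
        "route_target": route_lookup(dst),
        # Echo request leaving the subnet: NACL outbound is matched on destination.
        "nacl_out": nacl_decision(dst, NACL_OUT),
        # Echo reply coming back: NACL is stateless, so the reply needs its own
        # inbound allow, matched on the remote host as source.
        "nacl_in_reply": nacl_decision(dst, NACL_IN),
        "sg_out": sg_allows(dst, SG_OUT),
        # Security groups are stateful: the reply to an allowed outbound flow is
        # admitted regardless of inbound rules, so SG_IN only matters for flows
        # the remote side initiates (which the question says already work).
        "sg_in_remote_initiated": sg_allows(dst, SG_IN),
    }
    result["aws_side_ok"] = (
        (result["route_target"] or "").startswith("vgw-")
        and result["nacl_out"] == "allow"
        and result["nacl_in_reply"] == "allow"
        and result["sg_out"]
    )
    return result


if __name__ == "__main__":
    for k, v in check_flow("10.5.55.214", "192.168.0.28").items():
        print(f"{k:24} {v}")
```

With the tables as posted, every check passes: the /21 is handed to the VGW, the echo request is allowed out, and the reply is allowed back in by NACL rule 100 (rule 200 is redundant but harmless). That leaves the VGW, the tunnel, and the on-premises return path as the remaining places the flow can be lost.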
Appleoddity:
Hard to troubleshoot when we only get to see one side of the connection. The ASA is a complicated piece of equipment. No one is going to be able to solve your problem without seeing the configuration. End of story. Sorry.
Tim:
Firewall on the on-premises side? VPN Flow Logs would be my next step, to see if anything comes back at all.
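Reading VPC Flow Logs for the instance's ENI is the quickest way to answer "does anything come back at all". The following is an added example, not part of the thread; it parses default-format (version 2) VPC flow log records, which are whitespace separated in the order version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status. The two log snippets are constructed for illustration (account, ENI id and timestamps are placeholders), the port fields are not interpreted for ICMP, and the function cannot tell an echo reply from an echo request the remote side initiated, so the verdict is a pointer to where to look next rather than proof.

```python
import ipaddress

# Field order of the default (version 2) VPC flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real logs). Scenario A: the instance's ICMP
# echo requests to the on-premises host are ACCEPTed on the ENI, but no ICMP
# from that host ever appears, i.e. nothing comes back through the VGW.
LOG_NO_REPLY = """\
2 111122223333 eni-0abc0000example1 10.5.55.214 192.168.0.28 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc0000example1 10.5.55.214 192.168.0.28 0 0 1 4 336 1700000060 1700000120 ACCEPT OK
2 111122223333 eni-0abc0000example1 10.5.55.214 8.8.8.8 33434 33434 17 3 180 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc0000example1 - - - - - - - 1700000120 1700000180 - NODATA
"""

# Scenario B: the same requests are REJECTed on the ENI, which would point at
# the security group or network ACL rather than the tunnel.
LOG_REJECTED = """\
2 111122223333 eni-0abc0000example1 10.5.55.214 192.168.0.28 0 0 1 4 336 1700000000 1700000060 REJECT OK
"""


def parse(log_text):
    """Turn default-format flow log lines into dicts, skipping NODATA/SKIPDATA."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":  # NODATA / SKIPDATA records carry no addresses
            continue
        records.append(rec)
    return records


def icmp_summary(log_text, instance_ip, remote_cidr):
    """Count ICMP (protocol 1) flows between the instance and the remote range
    by direction and ENI action, and say where to look next."""
    remote = ipaddress.ip_network(remote_cidr)
    counts = {"out_accept": 0, "out_reject": 0, "in_accept": 0, "in_reject": 0}
    for rec in parse(log_text):
        if rec["protocol"] != "1":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        action = rec["action"].lower()  # ACCEPT / REJECT
        if str(src) == instance_ip and dst in remote:
            counts["out_" + action] += 1
        elif str(dst) == instance_ip and src in remote:
            counts["in_" + action] += 1

    if counts["out_reject"]:
        verdict = "outbound ICMP rejected on the ENI: check security group / NACL outbound"
    elif counts["out_accept"] and not (counts["in_accept"] or counts["in_reject"]):
        verdict = "requests leave the ENI but no ICMP returns: look at VGW/tunnel/on-premises return path"
    elif counts["out_accept"] and counts["in_reject"]:
        verdict = "ICMP from the remote reaches the ENI but is rejected: check NACL inbound (stateless)"
    elif counts["out_accept"]:
        verdict = "ICMP in both directions reaches the ENI: check the instance itself"
    else:
        verdict = "no outbound ICMP to the remote range seen on this ENI"
    return counts, verdict


if __name__ == "__main__":
    for name, log in (("no reply", LOG_NO_REPLY), ("rejected", LOG_REJECTED)):
        print(name, *icmp_summary(log, "10.5.55.214", "192.168.0.0/21"))
```

To use it on real data, export the flow log records for the instance's ENI (CloudWatch Logs or S3) as plain text and pass them in place of the constructed strings; restricting the time window to a single traceroute run keeps the remote side's own pings from being mistaken for replies.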
MarkK:
@Appleoddity Thank you. Unfortunately, I don't have access to the other side of the VPN. The main thing I wanted to answer here is if on the AWS side anything seems incorrect or if I missed something obvious.
MarkK:
@Tim Thanks. I will look into the VPN Flow Logs and update.