jmelloy · June 21, 2013 17:50
diff --git a/gistfile1.txt b/gistfile1.txt
 ! Amazon Web Services
 ! Virtual Private Cloud
 !
 ! AWS utilizes unique identifiers to manipulate the configuration of 
 ! a VPN Connection. Each VPN Connection is assigned an identifier and is 
 ! associated with two other identifiers, namely the 
 ! Customer Gateway Identifier and Virtual Private Gateway Identifier.
 !
 ! Your VPN Connection ID                  : vpn-4bfe2c55
 ! Your Virtual Private Gateway ID         : vgw-b5cb19ab
 ! Your Customer Gateway ID                : cgw-23f92b3d
 !
 !
 ! This configuration consists of two tunnels. Both tunnels must be 
 ! configured on your Customer Gateway. Only a single tunnel will be up at a 
 ! time to the VGW.
 ! 
 ! You may need to populate these values throughout the config based on your setup:
 ! <outside_interface> - External interface of the ASA
 ! <outside_access_in> - Inbound ACL on the external interface
 ! <amzn_vpn_map> - Outside crypto map
 ! <vpc_subnet> and <vpc_subnet_mask> - VPC address range
 ! <local_subnet> and <local_subnet_mask> - Local subnet address range
 ! <sla_monitor_address> - Target address that is part of acl-amzn to run SLA monitoring

 ! --------------------------------------------------------------------------------
 ! IPSec Tunnels
 ! --------------------------------------------------------------------------------
 ! #1: Internet Key Exchange (IKE) Configuration
 !
 ! A policy is established for the supported ISAKMP encryption, 
 ! authentication, Diffie-Hellman, lifetime, and key parameters.
 !
 ! Note that there are a global list of ISAKMP policies, each identified by 
 ! sequence number. This policy is defined as #201, which may conflict with
 ! an existing policy using the same number. If so, we recommend changing 
 ! the sequence number to avoid conflicts.
 !
 crypto isakmp identity address 
 crypto isakmp enable <outside_interface>
 crypto isakmp policy 201
  encryption aes
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
 exit
 !
 ! The tunnel group sets the Pre Shared Key used to authenticate the 
 ! tunnel endpoints.
 !
 tunnel-group 205.251.233.121 type ipsec-l2l
 tunnel-group 205.251.233.121 ipsec-attributes
   pre-shared-key BeXZZb6wbX2Lk3zkrJHzjaYHsgbTVHSK
 !
 ! This option enables IPSec Dead Peer Detection, which causes periodic
 ! messages to be sent to ensure a Security Association remains operational.
 !
   isakmp keepalive threshold 10 retry 3
 exit
 !
 tunnel-group 205.251.233.122 type ipsec-l2l
 tunnel-group 205.251.233.122 ipsec-attributes
   pre-shared-key I.PRxigV30Wz.xIUJ3YEck5MJ8R0jupU
 !
 ! This option enables IPSec Dead Peer Detection, which causes periodic
 ! messages to be sent to ensure a Security Association remains operational.
 !
   isakmp keepalive threshold 10 retry 3
 exit

 ! --------------------------------------------------------------------------------
 ! #2: Access List Configuration
 !
 ! Access lists are configured to permit creation of tunnels and to send applicable traffic over them.
 ! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic. 
 ! This is to allow VPN traffic into the device from the Amazon endpoints.
 !
 access-list <outside_access_in> extended permit ip host 205.251.233.121 host 65.150.173.97
 access-list <outside_access_in> extended permit ip host 205.251.233.122 host 65.150.173.97
 ! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will
 ! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association
 ! is done through the "crypto map" command.
 !
 ! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
 ! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
 ! If you specify more than one entry for this ACL without using "any" as the source, the VPN will function erratically.
 ! See section #4 regarding how to restrict the traffic going over the tunnel
 !
 !
 access-list acl-amzn extended permit ip any <vpc_subnet> <vpc_subnet_mask>

 !---------------------------------------------------------------------------------
 ! #3: IPSec Configuration
 !
 ! The IPSec transform set defines the encryption, authentication, and IPSec
 ! mode parameters.
 !
 crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
 ! The crypto map references the IPSec transform set and further defines
 ! the Diffie-Hellman group and security association lifetime. The mapping is created
 ! as #1, which may conflict with an existing crypto map using the same
 ! number. If so, we recommend changing the mapping number to avoid conflicts.
 !
 crypto map <amzn_vpn_map> 1 match address acl-amzn
 crypto map <amzn_vpn_map> 1 set pfs group2
 crypto map <amzn_vpn_map> 1 set peer  205.251.233.121 205.251.233.122
 crypto map <amzn_vpn_map> 1 set transform-set transform-amzn
 !
 ! Only set this if you do not already have an outside crypto map, and it is not applied:
 !
 crypto map <amzn_vpn_map> interface <outside_interface>
 !
 ! Additional parameters of the IPSec configuration are set here. Note that
 ! these parameters are global and therefore impact other IPSec
 ! associations.
 ! Set security association lifetime until it is renegotiated.
 crypto ipsec security-association lifetime seconds 3600
 !
 ! This option instructs the firewall to clear the "Don't Fragment"
 ! bit from packets that carry this bit and yet must be fragmented, enabling
 ! them to be fragmented.
 !
 crypto ipsec df-bit clear-df <outside_interface>
 !
 ! This configures the gateway's window for accepting out of order
 ! IPSec packets. A larger window can be helpful if too many packets
 ! are dropped due to reordering while in transit between gateways.
 !
 crypto ipsec security-association replay window-size 128
 !
 ! This option instructs the firewall to fragment the unencrypted packets
 ! (prior to encryption).
 !
 crypto ipsec fragmentation before-encryption <outside_interface>
 !
 ! This option causes the firewall to reduce the Maximum Segment Size of
 ! TCP packets to prevent packet fragmentation.
 sysopt connection tcpmss 1387
 !
 ! In order to keep the tunnel in an active state, the ASA needs to send traffic to the subnet 
 ! defined in acl-amzn. SLA monitoring can be configured to send pings to a destination in the subnet and
 ! keep the tunnel active. A possible destination for the ping is the VPC Gateway IP, which is the 
 ! first IP address in one of your subnets.
 ! For example: a VPC with a CIDR range of 192.168.50.0/24 will have a gateway: 192.168.50.1.
 ! 
 ! The monitor is created as #1, which may conflict with an existing monitor using the same
 ! number. If so, we recommend changing the sequence number to avoid conflicts.
 !
 sla monitor 1
   type echo protocol ipIcmpEcho <sla_monitor_address> interface <outside_interface>
   frequency 5
 exit
 sla monitor schedule 1 life forever start-time now
 !
 ! The firewall must allow icmp packets to use "sla monitor" 
 icmp permit any <outside_interface>

 !---------------------------------------------------------------------------------------
 ! #4: VPN Filter
 ! The VPN Filter will restrict traffic that is permitted through the tunnels. By default all traffic is denied.
 ! The first entry provides an example to include traffic between your VPC Address space and your office.
 ! You may need to run 'clear crypto isakmp sa', in order for the filter to take effect.
 !
 ! access-list amzn-filter extended permit ip <vpc_subnet> <vpc_subnet_mask> <local_subnet> <local_subnet_mask>
 access-list amzn-filter extended deny ip any any
 group-policy filter internal
 group-policy filter attributes
 vpn-filter value amzn-filter
 tunnel-group 205.251.233.121 general-attributes
 default-group-policy filter
 exit
 tunnel-group 205.251.233.122 general-attributes
 default-group-policy filter
 exit

 !---------------------------------------------------------------------------------------
 ! #5: NAT Exemption
 ! If you are performing NAT on the ASA you will have to add a nat exemption rule.
 ! This varies depending on how NAT is set up.  It should be configured along the lines of:
 ! object network obj-SrcNet
 !   subnet 0.0.0.0 0.0.0.0
 ! object network obj-amzn
 !   subnet <vpc_subnet> <vpc_subnet_mask>
 ! nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
 ! If using version 8.2 or older, the entry would need to look something like this:
 ! nat (inside) 0 access-list acl-amzn
 ! Or, the same rule in acl-amzn should be included in an existing no nat ACL.
 !
 !---------------------------------------------------------------------------------------
 !  Additional Notes and Questions
 !  - Amazon Virtual Private Cloud Getting Started Guide: 
 !       http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
 !  - Amazon Virtual Private Cloud Network Administrator Guide: 
 !       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
 !  - Troubleshooting Cisco ASA Customer Gateway Connectivity:
 !       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA_Troubleshooting.html
 !  - XSL Version: 2009-07-15-1119716
	! Amazon Web Services
	! Virtual Private Cloud
	!
	! AWS utilizes unique identifiers to manipulate the configuration of
	! a VPN Connection. Each VPN Connection is assigned an identifier and is
	! associated with two other identifiers, namely the
	! Customer Gateway Identifier and Virtual Private Gateway Identifier.
	!
	! Your VPN Connection ID : vpn-4bfe2c55
	! Your Virtual Private Gateway ID : vgw-b5cb19ab
	! Your Customer Gateway ID : cgw-23f92b3d
	!
	!
	! This configuration consists of two tunnels. Both tunnels must be
	! configured on your Customer Gateway. Only a single tunnel will be up at a
	! time to the VGW.
	!
	! You may need to populate these values throughout the config based on your setup:
	! <outside_interface> - External interface of the ASA
	! <outside_access_in> - Inbound ACL on the external interface
	! <amzn_vpn_map> - Outside crypto map
	! <vpc_subnet> and <vpc_subnet_mask> - VPC address range
	! <local_subnet> and <local_subnet_mask> - Local subnet address range
	! <sla_monitor_address> - Target address that is part of acl-amzn to run SLA monitoring

	! --------------------------------------------------------------------------------
	! IPSec Tunnels
	! --------------------------------------------------------------------------------
	! #1: Internet Key Exchange (IKE) Configuration
	!
	! A policy is established for the supported ISAKMP encryption,
	! authentication, Diffie-Hellman, lifetime, and key parameters.
	!
	! Note that there are a global list of ISAKMP policies, each identified by
	! sequence number. This policy is defined as #201, which may conflict with
	! an existing policy using the same number. If so, we recommend changing
	! the sequence number to avoid conflicts.
	!
	crypto isakmp identity address
	crypto isakmp enable <outside_interface>
	crypto isakmp policy 201
	encryption aes
	authentication pre-share
	group 2
	lifetime 28800
	hash sha
	exit
	!
	! The tunnel group sets the Pre Shared Key used to authenticate the
	! tunnel endpoints.
	!
	tunnel-group 205.251.233.121 type ipsec-l2l
	tunnel-group 205.251.233.121 ipsec-attributes
	pre-shared-key BeXZZb6wbX2Lk3zkrJHzjaYHsgbTVHSK
	!
	! This option enables IPSec Dead Peer Detection, which causes periodic
	! messages to be sent to ensure a Security Association remains operational.
	!
	isakmp keepalive threshold 10 retry 3
	exit
	!
	tunnel-group 205.251.233.122 type ipsec-l2l
	tunnel-group 205.251.233.122 ipsec-attributes
	pre-shared-key I.PRxigV30Wz.xIUJ3YEck5MJ8R0jupU
	!
	! This option enables IPSec Dead Peer Detection, which causes periodic
	! messages to be sent to ensure a Security Association remains operational.
	!
	isakmp keepalive threshold 10 retry 3
	exit

	! --------------------------------------------------------------------------------
	! #2: Access List Configuration
	!
	! Access lists are configured to permit creation of tunnels and to send applicable traffic over them.
	! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic.
	! This is to allow VPN traffic into the device from the Amazon endpoints.
	!
	access-list <outside_access_in> extended permit ip host 205.251.233.121 host 65.150.173.97
	access-list <outside_access_in> extended permit ip host 205.251.233.122 host 65.150.173.97
	! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will
	! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association
	! is done through the "crypto map" command.
	!
	! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
	! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
	! If you specify more than one entry for this ACL without using "any" as the source, the VPN will function erratically.
	! See section #4 regarding how to restrict the traffic going over the tunnel
	!
	!
	access-list acl-amzn extended permit ip any <vpc_subnet> <vpc_subnet_mask>

	!---------------------------------------------------------------------------------
	! #3: IPSec Configuration
	!
	! The IPSec transform set defines the encryption, authentication, and IPSec
	! mode parameters.
	!
	crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
	! The crypto map references the IPSec transform set and further defines
	! the Diffie-Hellman group and security association lifetime. The mapping is created
	! as #1, which may conflict with an existing crypto map using the same
	! number. If so, we recommend changing the mapping number to avoid conflicts.
	!
	crypto map <amzn_vpn_map> 1 match address acl-amzn
	crypto map <amzn_vpn_map> 1 set pfs group2
	crypto map <amzn_vpn_map> 1 set peer 205.251.233.121 205.251.233.122
	crypto map <amzn_vpn_map> 1 set transform-set transform-amzn
	!
	! Only set this if you do not already have an outside crypto map, and it is not applied:
	!
	crypto map <amzn_vpn_map> interface <outside_interface>
	!
	! Additional parameters of the IPSec configuration are set here. Note that
	! these parameters are global and therefore impact other IPSec
	! associations.
	! Set security association lifetime until it is renegotiated.
	crypto ipsec security-association lifetime seconds 3600
	!
	! This option instructs the firewall to clear the "Don't Fragment"
	! bit from packets that carry this bit and yet must be fragmented, enabling
	! them to be fragmented.
	!
	crypto ipsec df-bit clear-df <outside_interface>
	!
	! This configures the gateway's window for accepting out of order
	! IPSec packets. A larger window can be helpful if too many packets
	! are dropped due to reordering while in transit between gateways.
	!
	crypto ipsec security-association replay window-size 128
	!
	! This option instructs the firewall to fragment the unencrypted packets
	! (prior to encryption).
	!
	crypto ipsec fragmentation before-encryption <outside_interface>
	!
	! This option causes the firewall to reduce the Maximum Segment Size of
	! TCP packets to prevent packet fragmentation.
	sysopt connection tcpmss 1387
	!
	! In order to keep the tunnel in an active state, the ASA needs to send traffic to the subnet
	! defined in acl-amzn. SLA monitoring can be configured to send pings to a destination in the subnet and
	! keep the tunnel active. A possible destination for the ping is the VPC Gateway IP, which is the
	! first IP address in one of your subnets.
	! For example: a VPC with a CIDR range of 192.168.50.0/24 will have a gateway: 192.168.50.1.
	!
	! The monitor is created as #1, which may conflict with an existing monitor using the same
	! number. If so, we recommend changing the sequence number to avoid conflicts.
	!
	sla monitor 1
	type echo protocol ipIcmpEcho <sla_monitor_address> interface <outside_interface>
	frequency 5
	exit
	sla monitor schedule 1 life forever start-time now
	!
	! The firewall must allow icmp packets to use "sla monitor"
	icmp permit any <outside_interface>

	!---------------------------------------------------------------------------------------
	! #4: VPN Filter
	! The VPN Filter will restrict traffic that is permitted through the tunnels. By default all traffic is denied.
	! The first entry provides an example to include traffic between your VPC Address space and your office.
	! You may need to run 'clear crypto isakmp sa', in order for the filter to take effect.
	!
	! access-list amzn-filter extended permit ip <vpc_subnet> <vpc_subnet_mask> <local_subnet> <local_subnet_mask>
	access-list amzn-filter extended deny ip any any
	group-policy filter internal
	group-policy filter attributes
	vpn-filter value amzn-filter
	tunnel-group 205.251.233.121 general-attributes
	default-group-policy filter
	exit
	tunnel-group 205.251.233.122 general-attributes
	default-group-policy filter
	exit

	!---------------------------------------------------------------------------------------
	! #5: NAT Exemption
	! If you are performing NAT on the ASA you will have to add a nat exemption rule.
	! This varies depending on how NAT is set up. It should be configured along the lines of:
	! object network obj-SrcNet
	! subnet 0.0.0.0 0.0.0.0
	! object network obj-amzn
	! subnet <vpc_subnet> <vpc_subnet_mask>
	! nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
	! If using version 8.2 or older, the entry would need to look something like this:
	! nat (inside) 0 access-list acl-amzn
	! Or, the same rule in acl-amzn should be included in an existing no nat ACL.
	!
	!---------------------------------------------------------------------------------------
	! Additional Notes and Questions
	! - Amazon Virtual Private Cloud Getting Started Guide:
	! http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
	! - Amazon Virtual Private Cloud Network Administrator Guide:
	! http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
	! - Troubleshooting Cisco ASA Customer Gateway Connectivity:
	! http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA_Troubleshooting.html
	! - XSL Version: 2009-07-15-1119716