Configure Route-Based Site-to-Site VPN between Cisco Secure Management Center and AWS VPC

Introduction

The Secure Firewall Management Center (Management Center) features intuitive VPN wizards designed to streamline the configuration of site-to-site VPNs on managed Threat Defense devices.

These wizards also facilitate the setup of route-based site-to-site VPNs between Threat Defense devices and extranet devices. Extranet devices, which are not under the direct management of the management center, may comprise gateways located within public cloud infrastructures. Route-based VPNs use Virtual Tunnel Interfaces (VTIs)—routable logical interfaces that form the foundation of the VPN tunnel.

Is this Guide for You?

This guide is intended for network administrators who use the Management Center to establish a site-to-site VPN between a Threat Defense device located at the headquarters and an AWS Virtual Private Cloud (VPC).

Scenario

A medium-sized enterprise operates several branch offices, each with a set of instances hosted on AWS. This organization must establish a robust network infrastructure to facilitate secure and seamless communication across all locations. The solution involves configuring a site-to-site VPN that connects each branch's AWS VPC to the Threat Defense device at the organization's central headquarters. This connectivity is crucial because, by default, AWS VPC instances are isolated from external networks. The implementation of this VPN will enable the integration of the branches into the corporate network, ensuring centralized access and data security.

System Requirements

The following table shows the platforms for this feature.

Product

Version

Version Used in This Document

Cisco Secure Firewall Threat Defense (formerly Firepower Threat Defense/FTD)

6.7 and later

7.4.1

Cisco Secure Firewall Management Center (formerly Firepower Management Center/FMC)

6.7 and later

7.4.1

AWS Account

-

-

Benefits

The proposed solution offers significant benefits such as:

  • Streamlined Setup: VTI offers a simplified approach to VPN configuration, removing the complexity of traditional crypto maps and access lists.

  • Adaptive Routing: VTI accommodates dynamic routing protocols such as BGP, EIGRP, and OSPF, facilitating the automatic update of routes between VPN endpoints in response to changing network conditions.

  • ISP Resilience: VTI enables the creation of secondary backup tunnels, enhancing connectivity reliability.

  • Load balancing: VTI allows for the even distribution of VPN traffic through ECMP routing.

Prerequisites

  • Licenses: Management center Essentials (formerly Base) license must allow export-controlled functionality. Choose System > Licenses > Smart Licenses to verify this functionality in the Management Center.

  • Configure an internet-routable, public IP address for the Threat Defense device.

  • Assign appropriate logical names and IP addresses to the interfaces of the Threat Defense devices.

  • Own an AWS account.

Components of a Site-to-Site VPN between Management Center and AWS

A site-to-site VPN between the Management Center and AWS consists of the following components:

Figure 1. Site-to-Site VPN between an AWS VPC and an On-Premises Network
Site-to-Site VPN between an AWS VPC and an On-Premises Network

Virtual Private Gateway

A virtual private gateway is the VPN concentrator on the AWS side of the site-to-site VPN connection. You create a virtual private gateway and attach it to a virtual private cloud (VPC).

Customer Gateway

A customer gateway is a resource that you create in AWS that represents the customer gateway device in your on-premises network. When you create a customer gateway, you provide information about your device to AWS.

Customer Gateway Device (Managed Threat Defense)

A customer gateway device is the Threat Defense device in the on-premises network of your central headquarters. You configure the device to work with the AWS site-to-site VPN connection.

End-to-End Procedure for Configuring Route-Based VPN between Management Center and AWS VPC

The following flowchart illustrates the workflow for configuring a route-based VPN between Management Center and AWS VPC.

End-to-End Procedure for Configuring Route-Based Site-to-Site VPN between Cisco Secure Management Center and AWS VPC Configure an Elastic IP Address in AWS Configure Routing Policies in Management Center Create a Virtual Private Cloud in AWS Create a Customer Gateway in AWS Create a Virtual Private Gateway in AWS Create a VPN Connection in AWS Configure Route-Based VPN in Management Center

Step

Description

Log in to AWS console.

Configure elastic IP address. See Configure an Elastic IP Address in AWS.

Create virtual private cloud. See Create a Virtual Private Cloud in AWS.

Create customer gateway. See Create a Customer Gateway in AWS.

Create virtual private gateway. See Create a Virtual Private Gateway in AWS.

Create AWS VPN connection. See Create a VPN Connection in AWS.

Configure route-based VPN. See Configure Route-Based VPN in Management Center.

Configure routing policies. See Configure Routing Policies in Management Center.

Deploy configurations on Threat Defense device.

Configure an Elastic IP Address in AWS

Elastic IP address is a static public IPv4 address that is allocated to your AWS account.

Procedure

Step 1

Choose Services > Networking & Content Delivery > VPC.

Step 2

In the left pane, click Elastic IPs.

Step 3

Click Allocate Elastic IP address.

Step 4

Configure the following parameters in the Allocate Elastic IP address dialog box:

  1. For Network Border Group, use the default value.

  2. Click the Amazon’s pool of IPv4 addresses radio button.

  3. Click Allocate.

Create a Virtual Private Cloud in AWS

A VPC is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud. When you create a VPC, AWS configures the IP address, subnets, route tables, network gateways, and security settings.

Procedure

Step 1

Choose Services > Networking & Content Delivery > VPC.

Step 2

In the left pane, click VPC dashboard.

Step 3

Click Create VPC.

Step 4

Configure the following parameters in the Create VPC dialog box:

Create VPC
Create VPC

  1. Click the VPC and more radio button.

  2. In the Name tag field, enter a name to identify the VPC.

  3. In the IPv4 CIDR block field, enter an IP address.

    The CIDR block size must be between /16 and /28.

  4. From the Tenancy drop-down list, choose Default.

    This option defines if instances that you launch into the VPC run on hardware that is shared with other AWS accounts or on hardware that is dedicated for your use only.

  5. Choose 2 as the Number of Availability Zones (AZs) to provision subnets in at least two availability zones.

  6. Choose values for Number of public subnets and Number of private subnets to configure your subnets.

  7. Expand Customize subnets CIDR blocks to choose the IP address ranges for your subnets. You can also let AWS choose them for you.

  8. (Optional) For NAT gateways, if resources in a private subnet need access to the public internet over IPv4, choose the number of AZs in which to create NAT gateways.

  9. For VPC endpoints, choose None orS3 Gateway.

  10. (Optional) Under DNS options, by default, both options are enabled by default.

  11. Click Create VPC.

Associate a Subnet with a Route Table in AWS

You must associate each subnet in your VPC with the route table of your VPC.

Before you begin

Create a VPC in AWS.

Procedure

Step 1

In the left pane, click Route tables.

Step 2

Select the route table assigned to your VPC.

Step 3

Click the Subnet associations tab.

Step 4

Click Edit subnet associations.

Edit subnet associations

Step 5

Check the private and public subnet check boxes.

Step 6

Click Save associations.

Create a Customer Gateway in AWS

Create a customer gateway to provide information about your device to AWS.

Procedure

Step 1

In the left pane, expand Virtual Private network (VPN).

Step 2

Click Customer gateways.

Step 3

Click Create customer gateway.

Step 4

Configure the following parameters in the Create customer gateway dialog box:

  1. In the Name tag field, enter a name to identify the customer gateway.

  2. In the BGP ASN field, enter the BGP Autonomous System Number (ASN) of the Threat Defense device.

    The range is 1 to 2,147,483,647. In our example, the ASN is 65000. You need this ASN when you configure BGP routing in the Management Center.

  3. In the IP address field, enter the IP address of the Threat Defense device’s external interface.

    The IP address must be static. If your customer gateway device is behind a NAT device, use the IP address of your NAT device.

  4. (Optional) In the Certificate ARN field, provide the Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) private certificate for the Threat Defense device to enable certificate-based authentication.

  5. (Optional) In the Device field, enter the name of the Threat Defense device.

  6. Click Create customer gateway.

Create a Virtual Private Gateway in AWS

Procedure

Step 1

In the left pane, expand Virtual private network (VPN).

Step 2

Click Create virtual private gateway.

Step 3

Configure the following parameters in the Create virtual private gateway dialog box:

  1. In the Name tag field, enter a name for the virtual private gateway.

  2. Click either the Amazon default ASN or the Custom ASN radio button.

    Note that the Amazon ASN is 64512.

  3. For Tags, by default, the name is taken as the tag.

  4. Click Create Virtual Private Gateway.

Attach a Virtual Private Gateway to the Virtual Private Cloud

After you create a virtual private gateway, you must attach it to the VPC.

Procedure

Step 1

Select the virtual private gateway that you created.

Step 2

Choose Attach to VPC from the Actions drop-down list.

Step 3

In the Attach to VPC dialog box, choose the VPC from the Available VPCs drop-down list.

Step 4

Click Attach to VPC.

Step 5

Verify if the State of the virtual private gateway is Attached.

Create a VPN Connection in AWS

Before you begin

Ensure that you have a VPC, customer gateway, and a virtual private gateway.

Procedure

Step 1

In the left pane, expand Virtual private network (VPN).

Step 2

Click Site-to-Site VPN connections.

Step 3

Click Create VPN connection.

Step 4

Configure the following VPN parameters in the Create VPN connection dialog box:

Create VPN Connection in AWS

  1. In the Name tag field, enter a name for the VPN connection.

  2. For Target gateway type, click the Virtual private gateway radio button.

  3. Choose a virtual private gateway from the Virtual private gateway drop-down list.

  4. For Customer gateway, click the Existing radio button and choose a customer gateway from the Customer gateway ID drop-down list.

  5. For Routing options, click the Dynamic (requires BGP) radio button.

  6. (Optional) For Local IPv4 network CIDR, enter the IP address of the protected network of the Threat Defense device or use the default value of 0.0.0.0/0.

  7. (Optional) For Remote IPv4 network CIDR, enter the IP address of the AWS side network or use the default value of 0.0.0.0/0.

  8. Expand Tunnel 1 options to configure the VPN tunnel parameters:

    VPN Connection in AWS

    1. For Inside IPv4 CIDR for tunnel 1, AWS generates an IPv4 address.

    2. In the Pre-shared key for tunnel 1 field, enter a pre-shared key (PSK) for authentication between the virtual private gateway and the customer gateway. If you do not specify a PSK, AWS generates a PSK.

      You need this PSK to configure the VPN in the Management Center.

    3. For Advanced options for tunnel 1, click the Use default options radio button.

  9. (Optional) Expand Tunnel 2 options to configure the backup VPN tunnel parameters.

    Note

     

    Ensure that you use the same PSK for both the tunnels.

Step 5

Click Create VPN connection.

After the VPN connection is created, the State changes from Pending to Available.

  1. Select the VPN connection that you created to view the details.

  2. Click the Tunnel details tab.

    AWS VPN Tunnel Details

    In the above example, note the following details:

    Tunnel

    Outside (Extranet) IP Address

    AWS VTI IP Address

    Threat Defense Device VTI IP Address

    Tunnel 1

    209.165.201.28

    198.51.100.9/30

    198.51.100.10/30

    Tunnel 2

    203.0.113.238

    192.0.2.129/30

    192.0.2.130/30

    You need the above details when you configure the route-based VPN in the Management Center.

Configure Route-Based VPN in Management Center

Before you begin

Ensure that you note the inside and outside IP addresses of the VPN tunnel in AWS.

Procedure

Step 1

Choose Devices > Site To Site.

Step 2

Click + Site To Site VPN.

Step 3

In the Topology Name field, enter a name for the VPN topology.

Step 4

Click the Route Based (VTI) radio button.

Step 5

Click the Point to Point tab.

Step 6

Check the IKEv2 check box.

Step 7

Click the Endpoints tab.

Step 8

For Node A, configure the following parameters:

  1. Choose a Threat Defense device from the Device drop-down list.

  2. Choose a Static Virtual Tunnel Interface (SVTI) of the Threat Defense device from the Virtual Tunnel Interface drop-down list or click + to create an SVTI.

    For more information about creating an SVTI, see Create a Static VTI for a Threat Defense Device in the Management Center.

  3. (Optional) Click + Add Backup VTI to configure a backup VTI and configure the required parameters.

    The Tunnel Source is the same for both the VTI tunnels. In our example, the backup VTI IP address is 192.0.2.130/30. See the IP address table in Create a VPN Connection in AWS.

Step 9

For Node B, configure the following parameters:

  1. From the Device drop-down list, choose Extranet.

  2. In the Device Name field, enter the name of the extranet device.

  3. In the Endpoint IP Address field, enter the IP addresses of the AWS VPN.

    In our example, the IP address is 209.165.201.28 and 203.0.113.238.

Configure VPN in Management Center > Endpoints Tab

Step 10

Click the IKE tab to configure the following parameters:

Configure VPN in Management Center > IKE Tab

  1. For IKEv2 Settings, click the edit icon adjacent to Policies and choose AES-SHA-SHA-LATEST from the drop-down list. This protocol is the default IKE protocol of the AWS VPN.

  2. From the Authentication Typedrop-down list, choose Pre-shared Manual Key.

  3. Enter a key in the Key and Confirm Key fields.

    In our example, use the PSK that you configured in the AWS VPN.

Step 11

For IPsec and Advanced configuration, use the default values.

Step 12

Click Save.

You can view the topology in the Site-to-Site VPN Summary page (Devices > Site To Site VPN). After you deploy the configurations to all the devices, you can see the status of all the tunnels in this page.

Create a Static VTI for a Threat Defense Device in the Management Center

Before you begin

Configure the basic parameters for a route-based point-to-point VPN topology as described in Configure Route-Based VPN in Management Center, click the Endpoints tab, and choose a Threat Defense device from the Device drop-down list as Node A.

Procedure

In the Add Virtual Tunnel Interface dialog box, configure the following parameters:

Create Static VTI for a Threat Defense Device Using Management Center

  1. In the Name field, enter a name for the SVTI.

  2. Check the Enabled check box.

  3. (Optional) From the Security Zone drop-down list, choose a security zone for the static VTI.

  4. In the Priority field, enter the priority for load-balancing the traffic across multiple VTIs.

    The range is from 0 to 65535. The lowest number has the highest priority.

  5. In the Tunnel ID field, enter a unique tunnel ID.

    The range is from 0 to 10413.

  6. From the Tunnel Source drop-down list, choose the tunnel source interface.

  7. For IPSec Tunnel Mode, click the IPv4 radio button to specify the traffic type over the IPsec tunnel.

  8. In the Configure IP field, enter the IP address of the SVTI.

    In our example, the SVTI IP address is 198.51.100.10/30. See the IP address table in Create a VPN Connection in AWS.

  9. Click OK.

Configure Routing Policies in Management Center

Configure an Underlay Routing Policy in the Management Center

To enable traffic to and from the AWS, you must configure an underlay routing policy. You can configure a static route or any dynamic routing protocol. In our example, we use a static route.

Procedure

Step 1

Choose Devices > Device Management.

Step 2

Click the edit icon adjacent to the interface that you want to edit.

Step 3

Click the Routing tab.

Step 4

In the left pane, click Static Route to configure a static route.

Step 5

Click +Add Route.

Step 6

Configure the following parameters in the Add Static Route Configuration dialog box:

  1. Click the IPv4 radio button.

  2. From the Interface drop-down list, choose the outside interface of the Threat Defense device.

  3. For Available Network, click + to create a network object for the AWS network.

  4. Configure the following parameters in the New Network Object dialog box:

    New Network Object for Configuring a Static Route to the AWS VPC

    1. In the Name field, enter a name for the AWS network.

    2. Click the Host radio button and enter the IP address of the AWS network.

      In our example, the IP address of the AWS network is 209.165.201.28.

    3. Click Save.

  5. Repeat Step 6c to Step 6d to create a network object for the backup AWS network.

    In our example, the IP address of the backup AWS network is 203.0.113.238.

  6. Choose the AWS network and the backup AWS network from the Available Network list, and click Add to move it to the Selected Network list.

    Static Route Configuration in Management Center

  7. In the Gateway field, enter the IP address of the Threat Defense device’s gateway.

  8. Click OK.

Configure an Overlay Routing Policy in the Management Center

You must configure an overlay routing policy for the VPN traffic. In our example, we configure a BGP routing policy.

Procedure

Step 1

Choose Devices > Device Management.

Step 2

Click the edit icon adjacent to the interface that you want to edit.

Step 3

Click the Routing tab.

Step 4

In the left pane, click BGP under General Settings.

Step 5

Check the Enable BGP check box.

Step 6

In the AS Number field, enter the AS number of the Threat Defense device that you configured for the AWS customer gateway.

In our example, it is 65000.

Step 7

Click Save.

Step 8

In the left pane, choose BGP > IPv4.

Step 9

Check the Enable IPv4 check box.

Step 10

Click the Neighbor tab and click +Add.

Step 11

Configure the following parameters in the Add Neighbor dialog box:

BGP Add Neighbor

  1. In the IP Address field, enter the AWS VTI IP address (Tunnel1) from the AWS VPN configuration.

    In our example, the AWS IP address is 198.51.100.9.

  2. In the Remote AS field, enter the AWS AS number from the AWS VPN configuration.

    In our example, the AWS AS number is 64512.

  3. Click OK.

Step 12

Repeat Step 11a to Step 11c to add the backup AWS IP address (Tunnel2) as the neighbor.

In our example, the IP address is 192.0.2.129 and the AWS AS number is 64512.

Step 13

Click Save.

Verify the VTI Tunnel Statuses and Configurations

After deploying the configurations on the Threat Defense device, you can verify the VTI tunnel configuration and status on the device, the Management Center, and AWS.

Verify Tunnel Statuses in AWS

To verify the VPN tunnels in AWS:

  1. Choose Virtual private network (VPN) > Site-to-Site VPN connections.

  2. Click the radio button adjacent to the VPN.

  3. Click the Tunnel details tab. The Status of the tunnels should be Up.

VPN Tunnel Statuses in AWS

Verify Tunnel and Routing Configuration on the Threat Defense Device

  • To verify the interface configuration on the Threat Defense device, use the show running-config interface command.

    Output of show running-config interface Command

  • To verify the BGP configuration of the Threat Defense device, use the show bgp command.

Verify Tunnel Status in Site-to-Site VPN Summary Page

To verify the status of the VPN tunnels, choose Device > VPN > Site To Site.

Tunnel Statuses in Site-to-Site VPN Summary Page

Verify Tunnel Status in Site-to-Site VPN Dashboard

To view details of the VPN tunnel, choose Overview > Dashboards > Site to Site VPN.Tunnel Statuses in Site-to-Site VPN Dashboard