Remote Access Virtual Private Network on AWS

Partner Solution Deployment Guide

QS

August 2023
Pal Lakatos-Toth, Cisco Systems
Muffadal Quettawala and Shivanash Singh, AWS Integration & Automation

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by Cisco Systems in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

This guide covers the information you need to deploy the Remote Access Virtual Private Network Partner Solution in the AWS Cloud.

This Partner Solution reference deployment guide provides step-by-step instructions for deploying a scalable Cisco Remote Access Virtual Private Network (RA-VPN) on the AWS Cloud. This Partner Solution is for users who want to deploy or learn about Cisco AnyConnect RA-VPN services on Cisco Adaptive Security Virtual Appliance (ASAv) firewalls using the AWS Cloud architecture.

Cisco scalable RA-VPN on AWS

As companies address the ever-increasing demand for secure remote connectivity, the need for a stable and scalable RA-VPN has increased. For many organizations, investing in additional hardware appliances to scale up a network’s infrastructure may not meet timeline objectives and available budgets. But, cloud-based architectures provide computing environments that are highly scalable and flexible in terms of both costs and resources.

Note: This deployment can be integrated with both multi-factor authentication (MFA) and authentication, authorization, and accounting (AAA), such as Cisco Duo. For more information, see Duo MFA on AWS.

Please know that we may share who uses AWS Quick Starts with the AWS Partner that collaborated with AWS on the content of the Quick Start.

Costs and licenses

There is no cost to use this Partner Solution, but you will be billed for any AWS services or resources that this Partner Solution deploys. For more information, refer to the AWS Partner Solution General Information Guide.

This Quick Start requires an RA-VPN license from Cisco. The Cisco ASAv virtual firewall provides the following licensing options:

  • Option 1: Use AWS pay-as-you-go licensing, which is based on hourly billing. This is the default option for this Quick Start.

  • Option 2: Use Amazon’s Bring Your Own License (BYOL) model in conjunction with Cisco’s Smart Licensing.

To use this Quick Start in a production environment, see Cisco Adaptive Security Virtual Appliance (ASAv) — Standard Package. Ensure that you subscribe to the image using the correct Region. If you want to use option 2, you must use the correct Amazon Machine Image (AMI). For more information, see how to Deploy the ASAv on the AWS Cloud.

Note: If you don’t have your own license, the ASAv uses a trial license with reduced capacity. It provides 90 days of free usage and up to two AnyConnect VPN sessions within a nonproduction environment where firewall throughput is limited to 100 Kbps. To upgrade to a production license, see the Cisco documentation.

This Quick Start requires a subscription to the Amazon Machine Image (AMI) for Cisco RA‑VPN, which is available from AWS Marketplace. Additional pricing, terms, and conditions may apply. For more information, see the Deployment steps.

Architecture

This section provides details about some of the resources that are critical for understanding this deployment’s configuration and post-deployment steps. It also describes where, within the subnets, the ASAvs are deployed and how the interfaces function.

The ASAv’s OUTSIDE interfaces are in the public subnet, and there is an Elastic IP address associated with each ASAv’s OUTSIDE interface. When using RA-VPN, you receive the Elastic IP addresses after the Domain Name System (DNS) responds, which depends on the Amazon Route 53–weighted load balancing policy. On the ASAvs, there is a zero-day configuration deployed with AnyConnect, and different VPN pools are configured per ASAv.

In the private subnets, there are INSIDE interfaces for the ASAvs. These subnets are used for routing traffic toward on-premises networks through the transit gateway. Every ASAv has a default route that points toward its default gateway, denoted by the x.x.x.1 subnet address. In addition, each private subnet has a default route that points to on-premises networks via AWS Transit Gateway.

In the management subnet, there are ASAv interfaces. If you prefer to use a Jumpbox to help secure the ASAv management interface, deploy it in this subnet. ASAvs are managed through the OUTSIDE interface’s Elastic IP address. Optionally, this management subnet can provide outbound internet access through network address translation (NAT) gateways.

For peering purposes, an AWS Transit Gateway subnet and a route table are deployed into the VPC (not to be confused with the routing tables for AWS Transit Gateway). These subnets are used to peer into AWS Transit Gateway, and their associated route tables direct VPN pools toward the elastic network interfaces of the ASAvs.

AWS Transit Gateway extends your connectivity to on-premises resources via dedicated connections, such as AWS Site-to-Site VPN or AWS Direct Connect. It also enables communication between VPCs, which open new-use cases, such as a centralized security VPC or dedicated VPC functions, for both inbound and outbound connections.

The VPC attachment uses a transit gateway to peer into the VPC and propagate the VPC’s Classless Inter-Domain Routing (CIDR) range into the AWS Transit Gateway’s routing tables. It is also used as a target for the routing tables.

The VPN attachment establishes an AWS Site-to-Site VPN tunnel between your on-premises location and the AWS Cloud. This might be your preferred option if you don’t use Direct Connect.

Note: If you use AWS Direct Connect, you can manually set up peering within the transit gateway. This Quick Start guide, however, does not cover how to prevent interruptions with production services when used with a Direct Connect gateway.

The route table for AWS Transit Gateway is used to automatically propagate the VPC CIDR range through the VPC attachment. This includes static route entries, one of which points to your on-premises subnets through the VPN or Direct Connect attachment. A separate static route points to VPN pools through the VPC attachment.

Following best practices, a spoke-VPC route table is used for host-VPC connectivity. This route table does not have any route definitions. You can add a route that points to the host VPCs in your environment.

Deploying this Partner Solution with default parameters builds the following Remote Access Virtual Private Network environment in the AWS Cloud.

Architecture
Figure 1. Partner Solution architecture for Remote Access Virtual Private Network on AWS

As shown in Figure 1, this Partner Solution sets up the following:

  • A highly available architecture that spans two or more Availability Zones (up to four, depending on the number of ASAvs).

  • An Amazon Route 53–hosted zone, including associated records with a weighted policy for DNS-based load balancing.

  • An internet gateway for connecting users to the AWS Cloud.

  • ASAv instances (up to four) with zero-day configuration. This sets up the AnyConnect client VPN, elastic network interfaces, and options to accept RA‑VPN clients. ASAv instances are spread across Availability Zones for redundancy and to maintain a fixed one-to-one ratio of ASAvs to Availability Zones.

  • A VPC to provide you with your own virtual network.

  • In the VPC, a public route table, VPC route table, and AWS Transit Gateway route table.

  • A private route table in each availability zone.

  • In the public subnets:

  • Public network interfaces, which have associated Elastic IP addresses.

  • Cisco ASAv instances.

  • In the private subnets:

    • An elastic network interface with a private IP address for the management subnet.

    • An elastic network interface with a private IP address for the private subnet.

    • An elastic network interface with a private IP address for the AWS Transit Gateway.

  • AWS Transit Gateway to extend connectivity to on-premises resources that use either an AWS Site-to-Site VPN or an AWS Direct Connect gateway.

  • AWS Direct Connect for private connectivity between AWS and your data center, office, or colocation environment.

Deployment options

This Partner Solution provides the following deployment option:

Predeployment steps

Configuration options

Configuring VPN pools

  • The VPN pools are customer-owned CIDR ranges used in the ASAv configuration, which are assigned to the clients when they establish VPN connections. These pools are not defined. The following section explains how to create such pools.

  • You have two options to configure VPN pools. Option 1 uses a ghost (routed-IP) pool. Option 2 defines a unique IP pool for all ASAvs, and you then choose NAT or port address translation (PAT). As part of this Quick Start, we implemented the ghost (routed-IP) pool because it’s more popular with customers who want to identify on-premises VPN clients. If you elect option 2, all of the VPN client traffic is visible through the INSIDE IP address of your ASAvs for on-premises networks.

Note: It’s called a “ghost pool” because AWS does not define this network. It only exists in the routing tables.

The Quick Start deployment handles zero-day configurations, but if you want to manually configure it, complete the following steps.

  1. Ghost pool/routed IP pool (used in this Quick Start): For this option, NAT is not required on the ASAvs. You must allocate a VPN pool per ASAv from a CIDR and use an IP range outside of the VPC CIDR (for example, 172.16.100.0/24 is outside of the range 10.0.0.0/16).

    Allocation is theoretical because you must mind the subnets (for example, if your VPN pool is 172.16.100.0/24, and it’s used by ASAv1 in a given Availability Zone). For AWS to interpret the routing, you must define two additional entries in the AWS Transit Gateway routing table. The table must be the one created for AWS Transit Gateway peering. The first entry points traffic to 172.16.100.0/24 via the VPC. The second entry defines the ghost VPN pool and points to the INSIDE interface of the ASAv in that Availability Zone.

  2. NAT or PAT (out of scope for this deployment): In this deployment, AWS is unaware of VPN pools, so NAT or PAT is required to tell AWS where to route return traffic. The VPN pool can be the same on all ASAvs because they exist behind the individual ASAv INSIDE interface.

Note: A customized configuration using MFA or Active Directory/AAA servers is beyond the scope of this Quick Start. This deployment, however, can be modified to implement MFA by using Cisco Duo MFA in combination with any form of Active Directory. This can be done after the ASAvs are running.

Customize the deployment

The following are ways to customize or replace some of this deployment’s components in a production environment:

  • Cisco DUO for MFA:

  • Use DUO to add MFA to your RA-VPN Deployment. For more information, see Duo MFA on AWS.

  • Cisco Umbrella for DNS/SIG (Secure Internet Gateway):

  • Customers can integrate ASAv with Umbrella SIG and DNS services to protect endpoints against advanced persistent threats. For more information, see how to Configure the Umbrella Connector.

  • AWS Transit Gateway for east–west segmentation:

  • For east–west segmentation, use AWS Transit Gateway to manage routing between your VPCs. It not only provides a way to connect onsite resources but also controls east–west traffic within your cloud environment.

  • To provide VPN clients with access to cloud-hosted services in different VPCs, use the AWS Transit Gateway service, which is automatically provisioned for you. Create VPC attachments to the AWS Transit Gateway from your spoke VPCs and set up the routes according to the following guidelines:

    1. Associate spoke VPCs with the spoke AWS Transit Gateway route table.

    2. Propagate the subnets of the spoke VPCs into that route table.

    3. Add a static route entry in the table that points to the VPN pools through the VPC attachment of the ASAvs VPC.

    4. Add a static route entry in the Security AWS Transit Gateway route table that points to the spoke VPC CIDR ranges through the VPC attachment of the spoke VPCs.

    5. Add a static route entry that points to the AWS Transit Gateway for the VPN pools in the spoke VPC.

    6. Add a static route entry for the spoke VPC CIDR range in the private subnet route tables (where the ASAvs interfaces are).

    7. Add a static route on the ASAvs towards the spoke VPC CIDR range pointing to the x.x.x.1 address of the private subnets.

  • AWS Global Accelerator:

  • AWS Global Accelerator helps RA-VPN clients route to the closest AWS entry point. The traffic travels through AWS to VPN concentrators, which may help to reduce latency. For more information, see AWS Global Accelerator.

Subscribe to the Cisco RA-VPN AMI

This Quick Start requires a subscription to the AMI for Cisco ASAv software in AWS Marketplace.

  1. Sign-in to your AWS account.

  1. Open the page for the Cisco ASAv AMI in AWS Marketplace, and then choose Continue to Subscribe.

  2. Review the terms and conditions for software usage, and then choose Accept Terms.

A confirmation page loads and an email confirmation is sent to the account owner. For detailed subscription instructions, see the AWS Marketplace documentation.

  1. When the subscription process is complete, exit out of AWS Marketplace without further action.

Important: Do not provision the software from AWS Marketplace—the Quick Start deploys the AMI for you.

Deployment steps

  1. Sign in to your AWS account, and launch this Partner Solution, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template.

  2. Choose the correct AWS Region, and then choose Next.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

    Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources that might require the ability to automatically expand macros.

  7. Choose Create stack. The stack takes about 20 minutes to deploy.

  8. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the Remote Access Virtual Private Network deployment is ready.

  9. To view the created resources, choose the Outputs tab.

Postdeployment steps

To view the created resources, use the URLs displayed in the Outputs tab for the stack.

Postdeploy
Figure 2. Cisco RA-VPN outputs after successful deployment

Test the deployment

To test the deployment, use the defined user name and password (VPNUser and VPNPAssword) as part of the Quick Start process to initiate an AnyConnect RA-VPN connection to the DNS name you defined (for example, vpn.example.com).

Postdeploy
Figure 3. AnyConnect client

This deployment does not include proper certificates for your ASAvs, so you must change the AnyConnect configuration to avoid blocking connections to untrusted servers.

Postdeploy
Figure 4. AnyConnect settings

Add a connection to the AnyConnect server. You are notified that the certificates are not trusted because there are no proper ASAv certificates at this point. Choose Connect Anyway.

Postdeploy
Figure 5. AnyConnect warning of untrusted server

The ASAv asks for your user name and password. Enter your credentials.

Postdeploy
Figure 6. Logging in to AnyConnect

You are connected to the AWS-hosted VPN service. You can check the IP address you received from the ASAv, which allows you to identify your connected ASAv (VPN pools are unique). Ensure that you configure the AWS Site-to-Site VPN or Direct Connect gateways accordingly so you have end-to-end connectivity between the VPN client and on-premises resources. The configuration of those elements is not within the scope of this Quick Start.

If you want to check the configuration of the ASAvs, use your configured SSH key pair. To ease testing, we configured the ASAvs to be accessible via SSH. Use the following command to access them:

ssh -i <public-key-file> admin@<ELASTIC-IP of the ASAv instance>

If you don’t use this method, set up a Jumpbox in the management subnet of each Availability Zone. Use it to log in to the management IP of the ASAv, and remove the configuration that enables SSH connections from external interfaces (you must do this for each ASAv instance).

Best practices for using Cisco RA-VPN

After deploying this Quick Start, note the following:

  • The ASAv does not have AnyConnect VPN packages deployed with them. If you installed AnyConnect version 4.8, they are ready to use.

  • If you want to add more packages, you must enable Scopy on the ASA. You can use the management subnet to upload AnyConnect images from your Jumpbox the same way you would upload a DUO sign-in page. For more information, see Cisco ASA SSL VPN for browser and AnyConnect.

  • If you want to use Adaptive Security Device Manager (ASDM) to manage the ASAvs, you must use Scopy to upload that package to your device.

  • Set up a proper certificate on the ASAvs to host a trusted RA-VPN. You can use your existing public key infrastructure (PKI). Alternatively, use the AWS PKI.

For additional help configuring an AnyConnect VPN, see Quick Links to NGFW Resources.

The current recommended option for load balancing is DNS based. This can be managed through Route 53 or another global traffic manager. If you want to use a different mechanism, such as a Network Load Balancer, you might have issues with the Datagram Transport Layer Security (DTLS) protocol.

Security

We recommend that you review the zero-day configuration (see the template) deployed on the ASAvs because they only provide a default setup. You are responsible for hardening the configuration as well as expanding or removing configuration lines to comply with your company’s security policies. We recommend that you use this as a template to make your own customized deployment. Consider all of the security hardening and compliancy elements mandated by your organization before deploying a production environment.

Important: By default, the zero-day configuration enables SSH access on the OUTSIDE interface of the ASAv and allows all VPN traffic through. This is only intended to get the customers up and running. We recommend changing the SSH lockdown settings and reviewing the rest of the configuration to match your company’s security policies.

Note that the zero-day configuration does not include an MFA or AAA server configuration. It uses local database authentication from the ASAv. If you must integrate these external entities, adjust your ASAv configuration accordingly. To automate your ASAv configuration, use Ansible playbooks.

For more information, see Duo for Cisco AnyConnect VPN with ASA or Firepower.

Troubleshooting

For troubleshooting common Partner Solution issues, refer to the AWS Partner Solution General Information Guide and Troubleshooting CloudFormation.

Customer responsibility

After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.