jmelloy/gist:5832979

## gistfile1.txt
! Amazon Web Services
! Virtual Private Cloud
!
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID                  : vpn-4bfe2c55
! Your Virtual Private Gateway ID         : vgw-b5cb19ab
! Your Customer Gateway ID                : cgw-23f92b3d
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway. Only a single tunnel will be up at a
! time to the VGW.
!
! You may need to populate these values throughout the config based on your setup:
! <outside_interface> - External interface of the ASA
! <outside_access_in> - Inbound ACL on the external interface
! <amzn_vpn_map> - Outside crypto map
! <vpc_subnet> and <vpc_subnet_mask> - VPC address range
! <local_subnet> and <local_subnet_mask> - Local subnet address range
! <sla_monitor_address> - Target address that is part of acl-amzn to run SLA monitoring

! --------------------------------------------------------------------------------
! IPSec Tunnels
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #201, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto isakmp identity address
crypto isakmp enable <outside_interface>
crypto isakmp policy 201
  encryption aes
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
exit
!
! The tunnel group sets the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
tunnel-group 205.251.233.121 type ipsec-l2l
tunnel-group 205.251.233.121 ipsec-attributes
   pre-shared-key BeXZZb6wbX2Lk3zkrJHzjaYHsgbTVHSK
!
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
   isakmp keepalive threshold 10 retry 3
exit
!
tunnel-group 205.251.233.122 type ipsec-l2l
tunnel-group 205.251.233.122 ipsec-attributes
   pre-shared-key I.PRxigV30Wz.xIUJ3YEck5MJ8R0jupU
!
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
   isakmp keepalive threshold 10 retry 3
exit

! --------------------------------------------------------------------------------
! #2: Access List Configuration
!
! Access lists are configured to permit creation of tunnels and to send applicable traffic over them.
! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic.
! This is to allow VPN traffic into the device from the Amazon endpoints.
!
access-list <outside_access_in> extended permit ip host 205.251.233.121 host 65.150.173.97
access-list <outside_access_in> extended permit ip host 205.251.233.122 host 65.150.173.97
! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will
! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association
! is done through the "crypto map" command.
!
! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
! If you specify more than one entry for this ACL without using "any" as the source, the VPN will function erratically.
! See section #4 regarding how to restrict the traffic going over the tunnel
!
!
access-list acl-amzn extended permit ip any <vpc_subnet> <vpc_subnet_mask>

!---------------------------------------------------------------------------------
! #3: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
! The crypto map references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime. The mapping is created
! as #1, which may conflict with an existing crypto map using the same
! number. If so, we recommend changing the mapping number to avoid conflicts.
!
crypto map <amzn_vpn_map> 1 match address acl-amzn
crypto map <amzn_vpn_map> 1 set pfs group2
crypto map <amzn_vpn_map> 1 set peer  205.251.233.121 205.251.233.122
crypto map <amzn_vpn_map> 1 set transform-set transform-amzn
!
! Only set this if you do not already have an outside crypto map, and it is not applied:
!
crypto map <amzn_vpn_map> interface <outside_interface>
!
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! Set security association lifetime until it is renegotiated.
crypto ipsec security-association lifetime seconds 3600
!
! This option instructs the firewall to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear-df <outside_interface>
!
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
!
! This option instructs the firewall to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption <outside_interface>
!
! This option causes the firewall to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
sysopt connection tcpmss 1387
!
! In order to keep the tunnel in an active state, the ASA needs to send traffic to the subnet
! defined in acl-amzn. SLA monitoring can be configured to send pings to a destination in the subnet and
! keep the tunnel active. A possible destination for the ping is the VPC Gateway IP, which is the
! first IP address in one of your subnets.
! For example: a VPC with a CIDR range of 192.168.50.0/24 will have a gateway: 192.168.50.1.
!
! The monitor is created as #1, which may conflict with an existing monitor using the same
! number. If so, we recommend changing the sequence number to avoid conflicts.
!
sla monitor 1
   type echo protocol ipIcmpEcho <sla_monitor_address> interface <outside_interface>
   frequency 5
exit
sla monitor schedule 1 life forever start-time now
!
! The firewall must allow icmp packets to use "sla monitor"
icmp permit any <outside_interface>

!---------------------------------------------------------------------------------------
! #4: VPN Filter
! The VPN Filter will restrict traffic that is permitted through the tunnels. By default all traffic is denied.
! The first entry provides an example to include traffic between your VPC Address space and your office.
! You may need to run 'clear crypto isakmp sa', in order for the filter to take effect.
!
! access-list amzn-filter extended permit ip <vpc_subnet> <vpc_subnet_mask> <local_subnet> <local_subnet_mask>
access-list amzn-filter extended deny ip any any
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
tunnel-group 205.251.233.121 general-attributes
default-group-policy filter
exit
tunnel-group 205.251.233.122 general-attributes
default-group-policy filter
exit

!---------------------------------------------------------------------------------------
! #5: NAT Exemption
! If you are performing NAT on the ASA you will have to add a nat exemption rule.
! This varies depending on how NAT is set up.  It should be configured along the lines of:
! object network obj-SrcNet
!   subnet 0.0.0.0 0.0.0.0
! object network obj-amzn
!   subnet <vpc_subnet> <vpc_subnet_mask>
! nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
! If using version 8.2 or older, the entry would need to look something like this:
! nat (inside) 0 access-list acl-amzn
! Or, the same rule in acl-amzn should be included in an existing no nat ACL.
!
!---------------------------------------------------------------------------------------
!  Additional Notes and Questions
!  - Amazon Virtual Private Cloud Getting Started Guide:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
!  - Amazon Virtual Private Cloud Network Administrator Guide:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
!  - Troubleshooting Cisco ASA Customer Gateway Connectivity:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA_Troubleshooting.html
!  - XSL Version: 2009-07-15-1119716
	! Amazon Web Services
	! Virtual Private Cloud
	!
	! AWS utilizes unique identifiers to manipulate the configuration of
	! a VPN Connection. Each VPN Connection is assigned an identifier and is
	! associated with two other identifiers, namely the
	! Customer Gateway Identifier and Virtual Private Gateway Identifier.
	!
	! Your VPN Connection ID : vpn-4bfe2c55
	! Your Virtual Private Gateway ID : vgw-b5cb19ab
	! Your Customer Gateway ID : cgw-23f92b3d
	!
	!
	! This configuration consists of two tunnels. Both tunnels must be
	! configured on your Customer Gateway. Only a single tunnel will be up at a
	! time to the VGW.
	!
	! You may need to populate these values throughout the config based on your setup:
	! <outside_interface> - External interface of the ASA
	! <outside_access_in> - Inbound ACL on the external interface
	! <amzn_vpn_map> - Outside crypto map
	! <vpc_subnet> and <vpc_subnet_mask> - VPC address range
	! <local_subnet> and <local_subnet_mask> - Local subnet address range
	! <sla_monitor_address> - Target address that is part of acl-amzn to run SLA monitoring

	! --------------------------------------------------------------------------------
	! IPSec Tunnels
	! --------------------------------------------------------------------------------
	! #1: Internet Key Exchange (IKE) Configuration
	!
	! A policy is established for the supported ISAKMP encryption,
	! authentication, Diffie-Hellman, lifetime, and key parameters.
	!
	! Note that there are a global list of ISAKMP policies, each identified by
	! sequence number. This policy is defined as #201, which may conflict with
	! an existing policy using the same number. If so, we recommend changing
	! the sequence number to avoid conflicts.
	!
	crypto isakmp identity address
	crypto isakmp enable <outside_interface>
	crypto isakmp policy 201
	encryption aes
	authentication pre-share
	group 2
	lifetime 28800
	hash sha
	exit
	!
	! The tunnel group sets the Pre Shared Key used to authenticate the
	! tunnel endpoints.
	!
	tunnel-group 205.251.233.121 type ipsec-l2l
	tunnel-group 205.251.233.121 ipsec-attributes
	pre-shared-key BeXZZb6wbX2Lk3zkrJHzjaYHsgbTVHSK
	!
	! This option enables IPSec Dead Peer Detection, which causes periodic
	! messages to be sent to ensure a Security Association remains operational.
	!
	isakmp keepalive threshold 10 retry 3
	exit
	!
	tunnel-group 205.251.233.122 type ipsec-l2l
	tunnel-group 205.251.233.122 ipsec-attributes
	pre-shared-key I.PRxigV30Wz.xIUJ3YEck5MJ8R0jupU
	!
	! This option enables IPSec Dead Peer Detection, which causes periodic
	! messages to be sent to ensure a Security Association remains operational.
	!
	isakmp keepalive threshold 10 retry 3
	exit

	! --------------------------------------------------------------------------------
	! #2: Access List Configuration
	!
	! Access lists are configured to permit creation of tunnels and to send applicable traffic over them.
	! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic.
	! This is to allow VPN traffic into the device from the Amazon endpoints.
	!
	access-list <outside_access_in> extended permit ip host 205.251.233.121 host 65.150.173.97
	access-list <outside_access_in> extended permit ip host 205.251.233.122 host 65.150.173.97
	! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will
	! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association
	! is done through the "crypto map" command.
	!
	! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
	! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
	! If you specify more than one entry for this ACL without using "any" as the source, the VPN will function erratically.
	! See section #4 regarding how to restrict the traffic going over the tunnel
	!
	!
	access-list acl-amzn extended permit ip any <vpc_subnet> <vpc_subnet_mask>

	!---------------------------------------------------------------------------------
	! #3: IPSec Configuration
	!
	! The IPSec transform set defines the encryption, authentication, and IPSec
	! mode parameters.
	!
	crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
	! The crypto map references the IPSec transform set and further defines
	! the Diffie-Hellman group and security association lifetime. The mapping is created
	! as #1, which may conflict with an existing crypto map using the same
	! number. If so, we recommend changing the mapping number to avoid conflicts.
	!
	crypto map <amzn_vpn_map> 1 match address acl-amzn
	crypto map <amzn_vpn_map> 1 set pfs group2
	crypto map <amzn_vpn_map> 1 set peer 205.251.233.121 205.251.233.122
	crypto map <amzn_vpn_map> 1 set transform-set transform-amzn
	!
	! Only set this if you do not already have an outside crypto map, and it is not applied:
	!
	crypto map <amzn_vpn_map> interface <outside_interface>
	!
	! Additional parameters of the IPSec configuration are set here. Note that
	! these parameters are global and therefore impact other IPSec
	! associations.
	! Set security association lifetime until it is renegotiated.
	crypto ipsec security-association lifetime seconds 3600
	!
	! This option instructs the firewall to clear the "Don't Fragment"
	! bit from packets that carry this bit and yet must be fragmented, enabling
	! them to be fragmented.
	!
	crypto ipsec df-bit clear-df <outside_interface>
	!
	! This configures the gateway's window for accepting out of order
	! IPSec packets. A larger window can be helpful if too many packets
	! are dropped due to reordering while in transit between gateways.
	!
	crypto ipsec security-association replay window-size 128
	!
	! This option instructs the firewall to fragment the unencrypted packets
	! (prior to encryption).
	!
	crypto ipsec fragmentation before-encryption <outside_interface>
	!
	! This option causes the firewall to reduce the Maximum Segment Size of
	! TCP packets to prevent packet fragmentation.
	sysopt connection tcpmss 1387
	!
	! In order to keep the tunnel in an active state, the ASA needs to send traffic to the subnet
	! defined in acl-amzn. SLA monitoring can be configured to send pings to a destination in the subnet and
	! keep the tunnel active. A possible destination for the ping is the VPC Gateway IP, which is the
	! first IP address in one of your subnets.
	! For example: a VPC with a CIDR range of 192.168.50.0/24 will have a gateway: 192.168.50.1.
	!
	! The monitor is created as #1, which may conflict with an existing monitor using the same
	! number. If so, we recommend changing the sequence number to avoid conflicts.
	!
	sla monitor 1
	type echo protocol ipIcmpEcho <sla_monitor_address> interface <outside_interface>
	frequency 5
	exit
	sla monitor schedule 1 life forever start-time now
	!
	! The firewall must allow icmp packets to use "sla monitor"
	icmp permit any <outside_interface>

	!---------------------------------------------------------------------------------------
	! #4: VPN Filter
	! The VPN Filter will restrict traffic that is permitted through the tunnels. By default all traffic is denied.
	! The first entry provides an example to include traffic between your VPC Address space and your office.
	! You may need to run 'clear crypto isakmp sa', in order for the filter to take effect.
	!
	! access-list amzn-filter extended permit ip <vpc_subnet> <vpc_subnet_mask> <local_subnet> <local_subnet_mask>
	access-list amzn-filter extended deny ip any any
	group-policy filter internal
	group-policy filter attributes
	vpn-filter value amzn-filter
	tunnel-group 205.251.233.121 general-attributes
	default-group-policy filter
	exit
	tunnel-group 205.251.233.122 general-attributes
	default-group-policy filter
	exit

	!---------------------------------------------------------------------------------------
	! #5: NAT Exemption
	! If you are performing NAT on the ASA you will have to add a nat exemption rule.
	! This varies depending on how NAT is set up. It should be configured along the lines of:
	! object network obj-SrcNet
	! subnet 0.0.0.0 0.0.0.0
	! object network obj-amzn
	! subnet <vpc_subnet> <vpc_subnet_mask>
	! nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
	! If using version 8.2 or older, the entry would need to look something like this:
	! nat (inside) 0 access-list acl-amzn
	! Or, the same rule in acl-amzn should be included in an existing no nat ACL.
	!
	!---------------------------------------------------------------------------------------
	! Additional Notes and Questions
	! - Amazon Virtual Private Cloud Getting Started Guide:
	! http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
	! - Amazon Virtual Private Cloud Network Administrator Guide:
	! http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
	! - Troubleshooting Cisco ASA Customer Gateway Connectivity:
	! http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA_Troubleshooting.html
	! - XSL Version: 2009-07-15-1119716