AWSTemplateFormatVersion: 2010-09-09 Description: >- Cisco Systems - Creates the necessary policies, roles, security group and launches Cisco ASAv Instance(s). (qs-1qp7e9tnh) Metadata: AWSAMIRegionMap: Filters: HVM64: name: asav9-17-1-ENA-87868dac-850c-4c36-ba33-ff3d39a724ac owner-alias: aws-marketplace product-code.type: marketplace product-code: 663uv4erlxz65quhgaz9cida0 ParameterLabels: InstanceTypeParam: default: ASAv instance type KeyPair: default: keypair name MgmtSubnet1CIDR: default: Mgmt subnet 1 PrivateSubnet1ID: default: Private subnet 1 PublicSubnet1ID: default: Public subnet 1 VPCID: default: VPC ID DnsName: default: Dns name ASAv1HostName: default: ASAv1 Hostname VPNPoolFrom1: default: VPN Pool Start VPNPoolTo1: default: VPN Pool Finish VPNPoolCIDRMask1: default: NETMASK of VPN Pool VPCCIDRMASK: default: netmask of VPCCIDR VPCPOOL: default: pool of VPC VPNUser: default: VPN User VPNPassword: default: VPN Password OnPremCIDRMask: default: onprem network MASK OnPremPool: default: onprem pool PrivateSubnet1GW: default: private subnet GW PrivateSubnet1CIDR: default: private subnet CIDR format PrivateSubnet1Pool: default: Private subnet pool PrivateSubnet1CIDRMask: default: Private subnet mask PublicHostedZone: default: Private hosted zone Id MgmtRouteTable: default: Management route table Id ASAvInstanceSGMGMT: default: ASAv Instance Management Security group Id ASAvInstanceSGOUTSIDE: default: ASAv Instance Outside Security group Id ASAvInstanceSGINSIDE: default: ASAv Instance Inside Security group Id Parameters: InstanceTypeParam: Type: String Default: c5.large AllowedValues: - m4.large - m4.xlarge - m4.2xlarge - c3.large - c3.xlarge - c3.2xlarge - c4.large - c4.xlarge - c4.2xlarge - c5.large - c5.xlarge - c5.2xlarge Description: Select an instance size for the ASAv. KeyPair: Type: AWS::EC2::KeyPair::KeyName Description: ASAv instances will launch with this keypair VPCID: Type: AWS::EC2::VPC::Id Description: Select VPC which ASAv will be deployed in VPNUser: Type: String Description: Test VPN Username VPNPassword: Type: String Description: Test VPN Password NoEcho: true MgmtSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Description: CIDR block for Mgmt subnet 1 in Availability Zone 1 Type: String PrivateSubnet1ID: Type: AWS::EC2::Subnet::Id Description: Private Subnet 1 ID PublicSubnet1ID: Type: AWS::EC2::Subnet::Id Description: Public Subnet 1 ID DnsName: Type: String Description: DNS name of PublicHostedZone ASAv1HostName: Type: String Description: ASAv1 Hostname VPNPoolFrom1: Type: String Description: VPN Pool Start VPNPoolTo1: Type: String Description: VPN Pool Finish VPNPoolCIDRMask1: Type: String Description: NETMASK of VPN CIDR Pool VPCCIDRMASK: Type: String Description: netmask of VPC VPCPOOL: Type: String Description: pool of VPC OnPremCIDRMask: Type: String Description: onprem network MASK OnPremPool: Type: String Description: onprem pool PrivateSubnet1GW: Type: String Description: private subnet GW PrivateSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Description: CIDR block for the On-prem network Type: String PrivateSubnet1Pool: Type: String Description: Private subnet pool PrivateSubnet1CIDRMask: Type: String Description: Private subnet mask PublicHostedZone: Type: String Description: Resource ID of the Public Hosted Zone MgmtRouteTable: Type: String Description: Resource ID of the Management Route Table ASAvInstanceSGMGMT: Type: String Description: Security Group ID for Management instance ASAvInstanceSGOUTSIDE: Type: String Description: Security Group ID for Outside instance ASAvInstanceSGINSIDE: Type: String Description: Security Group ID for Inside instance InstanceIdentifier: Type: Number Description: RAVPN Instance No. Mappings: AWSAMIRegionMap: AMI: HVM64: asav9-17-1-ENA-87868dac-850c-4c36-ba33-ff3d39a724ac eu-north-1: HVM64: ami-029bd048299b70723 ap-south-1: HVM64: ami-081a415556b1c6d01 eu-west-3: HVM64: ami-0c322c74504c0de46 eu-west-2: HVM64: ami-0f2d4d8451e86905a eu-west-1: HVM64: ami-0dcb38f97ec692846 ap-northeast-2: HVM64: ami-0bb8b0a4f48ba64c9 ap-northeast-1: HVM64: ami-0292946c1fa3214f3 sa-east-1: HVM64: ami-00007f37e1b8f76d7 ca-central-1: HVM64: ami-08cdc900ae17e4d45 ap-southeast-1: HVM64: ami-0935fb9f373b65eec ap-southeast-2: HVM64: ami-0c6fa1eec3f2e98a0 eu-central-1: HVM64: ami-0e35a84a866500703 us-east-1: HVM64: ami-01426821ff0f3a449 us-east-2: HVM64: ami-02881c12c63d013d3 us-west-1: HVM64: ami-009f2fcce82c121d6 us-west-2: HVM64: ami-0c573611f221e8ea3 CIDRtoSubnetmask: '16': mask: '255.255.0.0' '17': mask: '255.255.128.0' '18': mask: '255.255.192.0' '19': mask: '255.255.224.0' '20': mask: '255.255.240.0' '21': mask: '255.255.248.0' '22': mask: '255.255.252.0' '23': mask: '255.255.254.0' '24': mask: '255.255.255.0' '25': mask: '255.255.255.128' '26': mask: '255.255.255.192' '27': mask: '255.255.255.224' '28': mask: '255.255.255.240' Resources: ASAvDNSRecord: Type: AWS::Route53::RecordSet Properties: HostedZoneId: !Ref PublicHostedZone Name: !Join - '.' - - 'vpn' - !Ref DnsName TTL: 5 Type: A HealthCheckId: !Ref R53HealthCheck SetIdentifier: !Sub 'Frontend-${InstanceIdentifier}' Weight: 4 ResourceRecords: - !Ref outsideIP R53HealthCheck: Type: 'AWS::Route53::HealthCheck' Properties: HealthCheckConfig: IPAddress: !Ref outsideIP Port: 443 Type: HTTPS_STR_MATCH ResourcePath: '/' RequestInterval: 30 FailureThreshold: 5 MeasureLatency: true SearchString: '+CSCOE+' HealthCheckTags: - Key: Name Value: ASAvHealthcheck MgmtSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPCID CidrBlock: !Ref 'MgmtSubnet1CIDR' AvailabilityZone: Fn::Select: - !Ref InstanceIdentifier - Fn::GetAZs: "" Tags: - Key: Name Value: !Sub 'Mgmt subnet ${InstanceIdentifier}' MGMTRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'MgmtSubnet1' RouteTableId: !Ref 'MgmtRouteTable' outsideIP: Type: AWS::EC2::EIP Properties: Domain: vpc associateOutsideIP: Type: AWS::EC2::EIPAssociation Properties: AllocationId: !GetAtt outsideIP.AllocationId NetworkInterfaceId: !Ref outsideENI mgmtENI: Type: AWS::EC2::NetworkInterface Properties: Tags: - Key: Name Value: MgmtEni Description: A nice description. SourceDestCheck: false GroupSet: - !Ref 'ASAvInstanceSGMGMT' SubnetId: !Ref MgmtSubnet1 outsideENI: Type: AWS::EC2::NetworkInterface Properties: Tags: - Key: Name Value: OutsideEni Description: A nice description. SourceDestCheck: false GroupSet: - !Ref 'ASAvInstanceSGOUTSIDE' SubnetId: !Ref PublicSubnet1ID InsideENI: Type: AWS::EC2::NetworkInterface Properties: Tags: - Key: Name Value: InsideEni Description: A nice description. SourceDestCheck: false GroupSet: - !Ref 'ASAvInstanceSGINSIDE' SubnetId: !Ref PrivateSubnet1ID ASAvInstance: Type: 'AWS::EC2::Instance' Properties: Tags: - Key: Name Value: !Ref ASAv1HostName InstanceType: !Ref InstanceTypeParam KeyName: !Ref KeyPair ImageId: !FindInMap - AWSAMIRegionMap - !Ref 'AWS::Region' - HVM64 NetworkInterfaces: - NetworkInterfaceId: !Ref 'mgmtENI' DeviceIndex: '0' - NetworkInterfaceId: !Ref 'outsideENI' DeviceIndex: '1' - NetworkInterfaceId: !Ref 'InsideENI' DeviceIndex: '2' UserData: Fn::Base64: !Sub - | ! ASA Version hostname ${ASAv1HostName} ! ip local pool VPN-POOL ${VPNPoolFrom1}-${VPNPoolTo1} mask ${VPNPoolMask1} access-list split standard permit ${VPCPOOL} ${VPCMASK} access-list split standard permit ${OnPremPool} ${OnPremMask} ! username ${VPNUser} password ${VPNPassword} username ${VPNUser} attributes service-type remote-access ! int tengi 0/0 nameif outside security-level 0 ip address dhcp setroute no shut int tengi 0/1 nameif inside security-level 100 ip address dhcp no shut interface management0/0 nameif management security-level 100 ip address dhcp no shut ! ! webvpn enable outside anyconnect image disk0:/anyconnect-macos-4.8.02045-webdeploy-k9.pkg 1 anyconnect enable tunnel-group-list enable group-policy LAB internal group-policy LAB attributes vpn-tunnel-protocol ssl-client ssl-clientless address-pools value VPN-POOL split-tunnel-policy tunnelspecified split-tunnel-network-list value split dynamic-access-policy-record DfltAccessPolicy username admin nopassword privilege 15 tunnel-group LAB type remote-access tunnel-group LAB general-attributes default-group-policy LAB address-pool VPN-POOL tunnel-group LAB webvpn-attributes group-alias LAB-VPN enable ! dns domain-lookup outside dns server-group DefaultDNS name-server 208.67.222.222 name-server 208.67.220.220 ! same-security-traffic permit inter-interface same-security-traffic permit intra-interface ! route inside ${OnPremPool} ${OnPremMask} ${PrivateSubnet1GW} ! policy-map global_policy class inspection_default inspect icmp ! access-list 101 extended permit ip any any access-group 101 in interface outside access-group 101 in interface inside ! object network NET-${PrivateSubnet1CIDR} subnet ${PrivateSubnet1Pool} ${PrivateSubnet1Mask} nat (inside,outside) dynamic interface ! crypto key generate rsa modulus 2048 ssh 0 0 inside ssh 0 0 outside ssh 0 0 management ssh timeout 30 aaa authentication ssh console LOCAL username admin nopassword privilege 15 username admin attributes service-type admin ! name 129.6.15.28 time-a.nist.gov name 129.6.15.29 time-b.nist.gov name 129.6.15.30 time-c.nist.gov ntp server time-c.nist.gov ntp server time-b.nist.gov ntp server time-a.nist.gov icmp permit any outside icmp permit any inside icmp permit any management ! - VPCMASK: !FindInMap - CIDRtoSubnetmask - !Ref VPCCIDRMASK - mask VPNPoolMask1: !FindInMap - CIDRtoSubnetmask - !Ref VPNPoolCIDRMask1 - mask OnPremMask: !FindInMap - CIDRtoSubnetmask - !Ref OnPremCIDRMask - mask PrivateSubnet1Mask: !FindInMap - CIDRtoSubnetmask - !Ref PrivateSubnet1CIDRMask - mask Outputs: AccountId: Description: Amazon Account ID Value: !Ref 'AWS::AccountId' MgmtSubnet1CIDR: Description: Mgmt subnet CIDR Value: !Ref 'MgmtSubnet1CIDR' MgmtSubnet1ID: Description: Mgmt subnet ID Value: !Ref 'MgmtSubnet1' InsideENI: Description: ASAv Instance Inside Network Interface ID Value: !Ref 'InsideENI' ASAv1MGMTIP: Description: ASAv Instance Management IP Value: !GetAtt mgmtENI.PrimaryPrivateIpAddress ASAv1PublicIP: Description: ASAv Instance Public IP Value: !Ref outsideIP VPNPoolFrom1: Description: ASAv Instance VPN Pool From Value: !Ref VPNPoolFrom1 VPNPoolTo1: Description: ASAv Instance VPN Pool To Value: !Ref VPNPoolTo1 VPNPoolCIDRMask1: Description: ASAv Instance VPN Pool Mask Value: !Ref VPNPoolCIDRMask1