Merge pull request #12 from CiscoDevNet/saml-samples

CiscoDevNet · Sep 15, 2021 · 1d8f3a0 · 1d8f3a0
2 parents e8fe64f + 78224af
commit 1d8f3a0
Show file tree

Hide file tree

Showing 20 changed files with 653 additions and 252 deletions.
diff --git a/samples/ra-vpn/redirector-lb/ca-certificate.yaml b/samples/ra-vpn/redirector-lb/ca-certificate.yaml
@@ -1,3 +1,12 @@
+# This certificate is provided by you. It is a PKCS12 formatted cert
+# generated on the domains used in your Route53Ingress config. 
+# For VPN Redirector topology, this should be a wildcard cert which 
+# covers the parent and subdomains used for VPN. 
+# 
+# Example: if using "domain.com" as the parent domain, with 
+# "us.domain.com" and "eu.domain.com" as subdomains, your wildcard
+# should include "*.domain.com", "*.us.domain.com", and "*.eu.domain.com"
+# 
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,106 +15,21 @@ metadata:
 stringData:
   trustpoint: ssltp
   password: test
-  # Change to your own CA Certificate
   value: |
     MIIS2gIBAzCCEqAGCSqGSIb3DQEHAaCCEpEEghKNMIISiTCCDQcGCSqGSIb3DQEH
     BqCCDPgwggz0AgEAMIIM7QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIh63X
     549tUD0CAggAgIIMwHVhJkKRWCORnqaj4ixxBJL80fmIH327kRtftzBY59Rjz93s
     ZwNibpOx2/UadS+LYaB9G9+ZfK38fxyRkPIejME1BEQXhok3uhlijFqaoCpAY5xz
-    9uJK5fOBxuOzGaImc8I1Y5+S+NE6kNv+UJxJvQkgiId5WUt9ziTC31Kcb9DFTtUT
-    1kAj1//nry3QWuOHkT5qkBFq03ZLFlzYJi8IJNYbmqf76K4HgKtjLl3k89qc6/3b
-    +jlryN0bsK1xacKlfSXMQO20g8R2+NdTIFBGQKj59YF1vfL1jQa0RN4tR7gFRDvE
-    eH5MNegdgcI9ZjODaJUvzKIjyBUhFwry0OLTy+kJs7hHTQfMwj0L+km4BLhl5s+H
-    YE6wiBmWmgwgFHPas8I3lx75wTeu3wEXu+xXSdA33xOA/UfavgukVOYRwiuJaEoc
-    lYdH0wcgYh33pYQ0JpttvFoLtTzo3fyw+qnPSugs3CLovxGWIyVV/VEGkGWE7tPe
-    /CkOJa8wNrI8bLgpFBnc11+FQ0PIhsDA9pQ51CQ+xf6ydxW7SCQZQXjDxr7OLZ8b
-    AqFzaZh45dtLKks0kv+zk1CPvnefyKdveA9hXUVjaydnLMWYYFpXB6tnckKKQ48a
-    W1L54Rzk5j2+AAkckA7FcmAAZkwAfQUxQtAlv7XqW5bRqukDtNPBhGW+Da7KGtBi
-    /9GiudWrGe0kbIPO9VkUNDHJC/+7RofkIZyRGRJ4MFDOV5HfF0ak5TGT5lKgotv+
-    JOz4XpwejLM0lLJuxGOY8Fu19dJKkyZ7wj/5/gj4K2aqyGm3zKsssv34eT4iTxWQ
-    11RUJZQF/oHWmYNv+IKH1mjNoHFhWpOSUwxBwZnaqMsGr21r6UBvOSOtO8bWpMdg
-    cbCAuIcx/rnYaSpM0UFbeQSJmS7GXRMjJjfB1vQJmwtBp654YHy16UmP3dqmjRGG
-    NlRPEbKn6Mj096O7wMhOEIstlWQ/AZAWpYF43tFYDs3jDCdyo3/0ZZzaG5NodLVG
-    g0GW2UVVlISXJdRgmCVuAREA9BJRBiLbC7bMdDxIaJ0XxOzKgY/e+JOozwlW0evv
-    R9MMyTNm7LI0K9kUzrsAcdWSaQxCeS/EJM7z9AU3641AoQIGjKQaUmdWGlNSJdV6
-    s2JHBDdgeAXfRk3bMAFo8eAsnKuWT/QvMV2eqcRfylv1LzteVpJcsAJyIYe5Ge5M
-    gnqgrPpVQDdUjglsBruQQfKZlUimLdyGsCZJxmQJwhGbRdD6dxhs8V20dANmbxOA
-    sqF77/EwGOjMtL5g3BGfwWDeKwf3LyS0awk8Zx+ZGKJjg97DNZYbqVbPpYo4VYi9
-    k/YD7JF12pyZjhGiOXjZhtjw+92AWi/v6a2czO+X6As8ws5ZkP+OzsY95kJ69B1a
-    X7AU6/Y8Ix0kSQaONYzdlL+ivQ3EC1ANDpGfDhlgB4gHCCTi0CSRUp9S5/0Doo0d
-    bWvIeKGoluu92tOxeWWaP0z2Sj9uorrbekqbTFzWBNmru+HIkcwdRs21R/eaMAJu
-    QNV/BF/t7GojmDZov4g6a1ltvpxAl0WC+9+u3mPaa+A9CR9BAW97KRSW/nVCUhP7
-    b1XWXNrrump5DjNKaluSCs2OOvtUDZl0P/Qk7C+NNGhmZif4c4yDtHCU69J8FoK9
-    zWJT941axYgSGQkIuaMo8NeXCYsWp6kwHh1LH+3v9AbqOnMFuxE/jIUVFhGoj1Jz
-    u59AYG+SZn8aZe16XC3NqroeiyiK2BU/4Hiky9wmDsKTLHKrDpPjaMJWVgIxQYkY
-    AX1WRJgmClhrb7epxmb+MleO+t3zvpDHMy2b60afrR8/GmZmr++CWXJTTX2r2J1k
-    /uGVB5SAUoSulW+4I4CjETww+hab3UnF7yEugeg7eyI62dA/R9Q7yESuMwATmyhm
-    CWs3Why9MiFxJAfqaeyGKPFnphB7QD+1F10Wz8Qj6S73pP7d+xhmEigHbIs6apVX
-    j1HfwGKSRSkrjDhBpBRjaYN/D07ipZE7IkTHwhrLy4bJoDfXDlp6oH3eAwEX9xnK
-    22VtEWbmJ3Wzggwi77qb3EK5z6l6exVtn1lbFAKHlCO70Fl4U0YAYGlSqGtUQ6rG
-    X6cwxn1aY7loZfk+i4aONmPNHtOd6BNFnVVXKAbEjxsNguDivSPH+6z8KyhQEr5M
-    l4znmL0aMqnibpelDqOMnz43k/RcaLjTNyXdKyETOs4IoKYoD2dApSH9J8ouZ4mx
-    lFQOdLd2G5wHV7Y/G52fp2l2AzaZWovPVWzeYffxGhpeycTeP04jQnVlXc1/0l4i
-    VTXKi1//C+aky/PkLMQif8VbbBpP/31eLgXnS1uYkVxg2lvSTkdM5I32b6TMhPT7
-    zI/tU+x4RsIi+zx4fPTVrhyOB/oMzkHkBQyYLd5g37fpiAOxnZiod4X4ALIC6de2
-    Ybqv1vi4Kduh5sAozhiSM3wpemtKr6X7wvzR5RftcPOWM2AE9MR15aMSRLVjoxGQ
-    Wn1K+zxoNZX0PCFTGmMDkU/DRH2abAqCaxuN4iQO98LaIVJfcyI3YeVBd3mAhX4u
-    vkZ5fcPFReYW6FknJY0cMqlFP4/aHNmiAEZla3OO2xCCxsjNgFfv0d+9hzlQaPeu
-    xYF/BGICncYllVYNG1Sfst+y7/UW/OSSrEtCy/gf/JKrGLA9xN/hVFssmonIjMBy
-    MYyJDM0cesMC1Fus8rESAhQ+swbhPI8jVOk5wB0NrnOLz13FMAVbEzY7HpXy0Rcc
-    6ELhKVFLzWeH2Tl/omuAKvUttZfqF75z6NJhx2DZe7HOgnV78ESYNlbAFBOEq91C
-    zlN4rSMC3gtUeTFT78Zc1X/QvbvJ59zmqHg3mGNA0kyCK3o9c84HW1CZ0oZ7aLD6
-    qeYHkceFP65AKo1kCQGTGO+GzffhqnsKBFo5Vo56QKAu/IOyTuvUHHiOhM/Llj8f
-    YycuZUL3Qtahq2gJJXSoRsRzK8BPy/IZ2Zo7YtUYvfDv1Ks2rRaP8VT8z6tTUwwl
-    udMYibYzZ+8bj5C6O75ng9+k9f7/SNwzts3Pi4zEChHbO+med3vNdpfyYjyMJLTL
-    955lSPCAeLCTaWSjMHRIap6sCKsXfn51/YV9tnG8XCLh3ImpZ6LNGEU3QObhPVqK
-    3vYKNi5MG1/C9RGUYB0bUFLgZTfKm2jyHCkN35EqtFRQwQ9iuhJVYc+g6xCTmVRc
-    DhulhN9BW9pW4WUlE4Vnejd+yplnhKjCZWWeOApqfEciLWTSCK7o8K0WCIp/NegF
-    YNJxfz5neXipXWooU/g6XdWxbig7BEw9Zt1dhuChxC8AJhg7HdxNv68o7tKB/Ln+
-    VRcJdqBGNOq8ekVAJtE/DCkOfb4vso/j4r91oqzo20r0Rw6yral+JpWzJvlq9Fbx
-    JRhttK/fG8bz9giJjIw1jtFegfOMZcBkVNktNeEpgIL0t9iMhPjRi4ykZeCdIE8C
-    LlM3O+Xy81Msq4a0mH4QQpEdiTTFm223utDoZCjAnpakrFclEOxVSiVqny5t97P/
-    krcaYKnq6bmab2oXj1Uj0KwW1xNw9PU7x4ZUpx3FHRWPLfbrbsDI1h+SBLH9uQdd
-    Xd6Ko6RJxb7tajbFBYIXmtLhBi0B/Zn871AaHZLU0IG3PerrNkeOBL/5b/IJJqnx
-    RSEFPt1Wl3W725APsWHXQCpWtEPA4I1ATRRI6U8LbUksGjApLpt1VqIQGG9FlVQK
-    2d6szUKsciKX1Ah/aWKW/g0e+XTYasmE5pYAFP/uDKFpcZy2XF28NcCnA2ukKO/A
-    F1Z1MobDOgr/efZWPDlO1DupX65Q1LRhwsAu4JJjcB15Usdlx0pXexm6UZ+5EhaS
-    b2mkl0L4h9ilYl8TQx2jKGQ/LtRD5UaYjiCs2ROkzbLt/SMixWHBjfBKlc/vVdxf
-    zgogcGF/C7i5FVsii4hnfion5SidoL4JXddWtwuCG7A2coDw8JTyruHXeyGuuy5u
-    54HHBv+PHzQ3bnIT1aMADvapo+MIE4PInFQZGHdq8d37F0wgisH6bJc+FcK9qKl/
-    SATp5UFlPvnB1CliZ0VB+iwxtjbu3hgwmS18OcZuFoeSlmjgR7AoaOp5pjr5fCA5
-    iclOZMCFq2jnfLtepalPzJFFcc3RDOI3aDbqFmVkmQWX7f7lwQMSjXJ9xq6mf0p7
-    bFBdB153uQeJlkpu7nmuL1NPT7jhw3UCxEJZ7UP4bzxigvMEycUUH9cln4nLpSLb
-    mVw9Ibe918wOuzkBxPrasRGF1p1eWCKAx6CldZlN1FBPWPx7oCF4Qh4X7iWuOEjq
-    TEukZhssTymYDc3SUq33gU/kzsyrRgLXFFl8JaEHv5H04rKeboB09DF2pr/qQU/q
-    SY35bMckfkwIrBXnkDCCBXoGCSqGSIb3DQEHAaCCBWsEggVnMIIFYzCCBV8GCyqG
-    SIb3DQEMCgECoIIE7jCCBOowHAYKKoZIhvcNAQwBAzAOBAiOc2uYfUs5/AICCAAE
-    ggTIj7mC9S+YQYBp+9K6rRbmMTCmbmZBMPzZJwdx/A+bRH74zAPDQGmNc5wgmm3+
-    e28tCx7TNJ71Hee+wgTC1xe1zPu3LUcalr6WWiPWkPcXCe2og+YiqLPpyviu/bkZ
-    SHX29FWUe+MW21dIsN+gd8HM1FUzoCo6P5r1IL2ytyEvX7RNpIM3GPtyHEjYNAkH
-    WK2ECtVhSyVgthhjBkc6sSIWS28JYYkOBXkYKZFF4Nct6zdxhBL5u+c+APOrcJSq
-    FpM45W5jUo+w+1UWQ7qLYyxV/iKiYASQHVNLcKVw6wtfWhDEMxOLuyJG5SDM7S0C
-    5i+cedL2tVbKK13HC2bhKH4kYClpkTctEnjbGiiEopfElGq9cdYxz/qEX5mWhU/v
-    UdTw8sWTYYyg2ZlYy41KXdE12tiXXNg4PnH9ho9QQua8JRYYnbdE3d6LTBy0/TP0
-    UtQA60FN4C6+CixN7zHu48HlbwYga5qZFsWJp+OTChdsK63h1TNHZHT/m1E1h8Wt
-    R4NbpTnaYszUJp9TdaU/eizHq3/675gfKGDv3gnpvxezZk8DaYOzRBHTTgRK55iB
-    I1e/RESY9E7L/ASi8rr7zBkCx3KSFT+1qdIPoRS9YJ7ZghW3fg7agEAZEyPWzMGW
-    5bRN8TCZk/FfXlzsuzzR0aEY4EqaXUoLsgYLVnuVSfWZTK2VI7Hsljyi8vbcw2Eg
-    EMFIqiEIZV0bD/QzHSR2QZADsgf22RewZaynKg4xju3d+SzzElGS243v5Z3KaQju
-    pK3Ty9C690dJw0Hhea05Ld0G5fTGgh7R+V2qREZtKTOKIIVob1+LpaLxkkVAmKvp
     EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs
-    NOxZTFvzmOK/ReAbAof2gp8HMpNDqpIrHliS6zj/2jvvy/2dkQLswwrwTIN4nps4
-    sFWMx9bC/UE2gXkT0RG/lzSyu6BwElx6Bob93vSG6DQSi5WNs6Lfz2YEOrzkTjRw
-    gWkafU22nyFSPDy8SSTOR5nXP4q+OYlAMAcx0F8PbThKTZdSNa0N1RGj7jVddAkp
-    xVpid+Si4Nuoh/Gq4jIMpexIpMKgtHFng9AUxqL99xv4PFXzGSD2T/+Kmber6Jpf
-    gaUtXw1X5PJzlBXb5+5Bw3LnhYXKXykMKPhQ8E9Lr2wvycnC0/Xn1/l792PRj0Ii
-    akXRw/X9L/Ss/cY7c1X0GyS1u7mXxbgHPSkbCnhLtVNC49xT43Dn35vHgfqKKDy8
-    t7se7rG/fDCE1S27xxywHnbhuOFcB5CUpdhvwk2+bUQMHaeKFscyY2BtwhzxQwsf
-    53LrVosGd7RpKAXTb9EX23qMm/cTMBpB7bwe6oZFQxfRoAjjZyfuaEkXdu2YuivQ
-    g9hUZDEPZSZRcp0ZROlFV5a5EbWQG/ofHMtVFSotNwJyqU0LiYih7VAfdoA1XplZ
-    zFQgmO+IfUhOKMdkjCl8AR+gjERmjwiBnetATZETsM+g/mXAbkaslTZ0l2PUX/uK
-    U8sArPvJ46pC47JtlIJ2kgWcXe9PchFJ8OsWdGQ1luscefar0GFsKCHBJRkmbc4V
-    NB/qKalRbzpZyLHKvLGwR+eSZcJNgMR1tgnaMV4wIwYJKoZIhvcNAQkVMRYEFDU2
-    NwYrJrvSiWR8adr1GPsUvcVcMDcGCSqGSIb3DQEJFDEqHigAbQB1AHMAaABlAHQA
-    aAAuAGsAYQBzAGEALQB2AHAAbgAuAGMAbwBtMDEwITAJBgUrDgMCGgUABBTXA3/u
+    EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs
+    EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs
+    EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs
+    EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs
+    EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs
+    EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs
+    EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs
+    EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs
+    EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs
+    EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs
+    <shortened for brevity>
     MRpjKvfSuc8qmM5TPxnLJwQILJ/u4ij4txACAggA
diff --git a/samples/ra-vpn/redirector-lb/ravpn-enforcer-config.yaml b/samples/ra-vpn/redirector-lb/ravpn-enforcer-config.yaml
@@ -22,35 +22,31 @@ spec:
     - "sfcn-redis"
   cliLines: |
     interface Management0/0
-     no management-only
-     nameif management
-     security-level 0
-     ip address dhcp
+      no management-only
+      nameif management
+      security-level 0
+      ip address dhcp
     interface TenGigabitEthernet0/0
-     nameif outside
-     security-level 0
-     ip address dhcp
+      nameif outside
+      security-level 0
+      ip address dhcp
     interface TenGigabitEthernet0/1
-     nameif inside
-     security-level 100
-     ip address dhcp
+      nameif inside
+      security-level 100
+      ip address dhcp
+    
     # Configure route to internet over outside interface
     route outside 0 0 {{ index .nodeLabels "sfcn.cisco.com.interface.2/gateway-ipv4" }} 1
     # configure route to vpc addresses over inside interface
     route inside 10.37.0.0 255.255.0.0 {{ index .nodeLabels "sfcn.cisco.com.interface.3/gateway-ipv4" }} 2
-    # Add an explicit route to Redis server IP address over outside interface
-    route outside <your_redis_ip> 255.255.255.255 {{ index .nodeLabels "sfcn.cisco.com.interface.2/gateway-ipv4" }}
-    # Add the following DNS configuration to have ASA contact R53 for DNS lookup
     dns domain-lookup outside
     dns server-group DefaultDNS
-    # published AWS DNS server
     name-server 169.254.169.253
+    
     # Configure the IP address pool from where the clients will receive an IP address
     ip local pool VPN_AC_pool {{.ipv4SubnetPools.ravpnpool.assignedRange}} mask 255.255.255.0
-    # Define access lists as required.
-    # access-list <ACL name> standard <permit/deny> <subnet> <netmask>
-    # access-list for optional split tunnel access to AWS VPC
     access-list Split_Tunnel_ACL extended permit ip 10.37.0.0 255.255.0.0 any4
+    
     webvpn
       enable outside
       anyconnect profiles my_AC_profile {{ .fileObjects.ravpnprofile.path }}
@@ -62,44 +58,41 @@ spec:
     group-policy VPN_group_policy internal
     group-policy VPN_group_policy attributes
       vpn-tunnel-protocol ssl-client
-      # Enable split tunnel if required.
-      # Example:
-      #split-tunnel-policy tunnelspecified
-      #split-tunnel-network-list value Split_Tunnel_ACL
       webvpn
         anyconnect profiles value my_AC_profile type user
     username {{ .secrets.userinfo.username }} password {{ .secrets.userinfo.password }} privilege {{ .secrets.userinfo.privilege }} 
     tunnel-group VPN_tunnel_group type remote-access
     tunnel-group VPN_tunnel_group general-attributes
-     address-pool VPN_AC_pool
-     default-group-policy VPN_group_policy
+      address-pool VPN_AC_pool
+      default-group-policy VPN_group_policy
     tunnel-group VPN_tunnel_group webvpn-attributes
-     group-alias VPN_tunnel_group enable
+      group-alias VPN_tunnel_group enable
+    
     # Configure Redis server IP and enable external database.
     external-database
-     host <your_redis_ip>
-     port 6379
+      host {{ index .secrets "sfcn-redis" "host" }}
+      port 6379
       # this should match the token used for elasticache creation (EnforcerCacheAuthToken). If you omitted that field, then
       # you should also omit the `db-password` line below.
       db-password {{ index .secrets "sfcn-redis" "token" }}
      enable
-    vpn load-balancing
-     external-database
+    
     # Any priority value other than 10 designates the ASAc
     # as a member.
-     priority 1
-     interface lbpublic outside
-    # We add the public IP of the "outside" interface for NAT command
-    # The interface indices for "management", "outside" and "inside" interfaces
-    # are 1, 2 and 3 respectively.
-     nat {{ index .nodeLabels "sfcn.cisco.com.interface.2/public-ip" }}
+    vpn load-balancing
+      external-database
+      priority 1
+      interface lbpublic outside
+      nat {{ index .nodeLabels "sfcn.cisco.com.interface.2/public-ip" }}
     vpn-sessiondb external-database
+    
     # Configure the Redis CA certificate
     crypto ca trustpoint {{ .secrets.redisca.trustpoint }}
-     enrollment terminal
+      enrollment terminal
     crypto ca authenticate {{ .secrets.redisca.trustpoint }} nointeractive
     {{ .secrets.redisca.value }}
     quit
+
     # Import PKCS12 certificate for SSL connection
     crypto ca import {{ .secrets.mypkcs.trustpoint }} pkcs12 {{ .secrets.mypkcs.password }} nointeractive
     {{ .secrets.mypkcs.value }}

diff --git a/samples/ra-vpn/redirector-lb/ravpn-pool.yaml b/samples/ra-vpn/redirector-lb/ravpn-pool.yaml
@@ -9,7 +9,7 @@ metadata:
     # EP's node interface index that will be used as route target
     aws.cnfw.cisco.com/interface-index: "3"
     # AWS Route Table ID that will be synced with assigned subnets.
-    # This should be the table that includes your outside and inside networks, usually named "Public Subnets"
+    # This should be the table that includes your inside networks, usually named "Inside Subnets"
     aws.cnfw.cisco.com/route-table-id: <your_route_table_id>
 spec:
   address: "10.10.0.0"

diff --git a/samples/ra-vpn/redirector-lb/ravpn-redirector-config.yaml b/samples/ra-vpn/redirector-lb/ravpn-redirector-config.yaml
@@ -27,37 +27,43 @@ spec:
       nameif management
       ip address dhcp
       no shutdown
-    hostname redirector
+    
+    # create a route to the internet over the outside interface
+    route outside 0 0 {{ index .nodeLabels "sfcn.cisco.com.interface.2/gateway-ipv4" }}
+    # Add the following DNS configuration to have ASA contact R53 for DNS lookup
+    dns domain-lookup outside
+    dns server-group DefaultDNS
+    name-server 169.254.169.253
+    
     external-database
-      host <your_redis_ip>
+      host {{ index .secrets "sfcn-redis" "host" }}
       port 6379
       # this should match the token used for elasticache creation (EnforcerCacheAuthToken). If you omitted that field, then
       # you should also omit the `db-password` line below.
       db-password {{ index .secrets "sfcn-redis" "token" }}
       enable
+    
     vpn load-balancing
       external-database
       # A priority of 10 designates an ASAc as a redirector
       priority 10
       interface lbpublic outside
       # Set the following to enable FQDN based redirects. Redirects will be IPs otherwise
       redirect-fqdn enable
+    
     # Set the domain name used in your Route53Ingress; required for FQDN redirects and SSL connections.
     domain-name vpn.domain.com
-    # create a route to the internet over the outside interface
-    route outside 0 0 {{ index .nodeLabels "sfcn.cisco.com.interface.2/gateway-ipv4" }}
-    # Add the following DNS configuration to have ASA contact R53 for DNS lookup
-    dns domain-lookup outside
-    dns server-group DefaultDNS
-    name-server 169.254.169.253
+
     webvpn
       enable outside
+    
     # Configure the Redis CA certificate
     crypto ca trustpoint {{ .secrets.redisca.trustpoint }}
       enrollment terminal
     crypto ca authenticate {{ .secrets.redisca.trustpoint }} nointeractive
     {{ .secrets.redisca.value }}
     quit
+    
     # Import PKCS12 certificate for SSL connection
     crypto ca import {{ .secrets.mypkcs.trustpoint }} pkcs12 {{ .secrets.mypkcs.password }} nointeractive
     {{ .secrets.mypkcs.value }}

diff --git a/samples/ra-vpn/redirector-lb/redis-ca.yaml b/samples/ra-vpn/redirector-lb/redis-ca.yaml
@@ -1,12 +1,17 @@
+# This establishes trust between AWS Elasticache and your cluster. This cert
+# doesn't often change, so most of the time you can just apply this
+# secret directly. However, if you want to ensure you have an 
+# up-to-date cert you can issue the following command:
+# 
+# kubectl exec -it -n sfcn-system -c asac <enforcer-pod-name> -- bash -c "echo QUIT | openssl s_client -connect <redis-host-ip>:6379 -showcerts" 
+# The intermediate cert should be captured and applied into this secret value.
 apiVersion: v1
 kind: Secret
 metadata:
   name: redisca
   namespace: sfcn-system
 stringData:
   trustpoint: redisca
-  # Change to your redis issuer certificate.
-  # Use the following command: kubectl exec -it -n sfcn-system -c asac <enforcer-pod-name> -- bash -c "echo QUIT | openssl s_client -connect <redis-host-ip>:6379 -showcerts" 
   value: |
     MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF
     ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6

diff --git a/samples/ra-vpn/redirector-lb/route53-ingress.yaml b/samples/ra-vpn/redirector-lb/route53-ingress.yaml
@@ -23,3 +23,9 @@ spec:
   # Change to your VPN domain name
   recordSetName: vpn.domain.com
   recordUpdate: SUBDOMAIN
+  endpointSelector: 
+    serviceRole: default
+    interfaceIndex: 2
+    addressType: public
+
+