xdr-terraform-modules/base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/templates/quickstart-cisco-asav-ravpn-main.yaml

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Cisco Systems - Main Stack - Creates VPC and the necessary policies, roles,
  security group and launches the Cisco ASAv RAVPN instances. **WARNING** You
  will be billed for the AWS resources used if you create a stack from this
  template. (qs-1qp7e9tnp)
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Availability Zone Configuration
        Parameters:
          - AvailabilityZones
          - NumberOfAZs
      - Label:
          default: VPC Network Configuration
        Parameters:
          - VPCCIDR
          - PublicSubnet1CIDR
          - PublicSubnet2CIDR
          - PublicSubnet3CIDR
          - PublicSubnet4CIDR
          - PrivateSubnet1CIDR
          - PrivateSubnet2CIDR
          - PrivateSubnet3CIDR        
          - PrivateSubnet4CIDR       
      - Label:
          default: ASAv Configuration
        Parameters:
          - NumberOfASAv
          - ASAv1HostName
          - ASAv2HostName
          - ASAv3HostName
          - ASAv4HostName
          - DnsName
          - InstanceTypeParam
          - KeyPair
          - VPNUser
          - VPNPassword
          - SSHLockDownCIDR
          - MgmtSubnet1CIDR
          - MgmtSubnet2CIDR
          - MgmtSubnet3CIDR
          - MgmtSubnet4CIDR
          - VPNPoolCIDR1
          - VPNPoolCIDR2
          - VPNPoolCIDR3
          - VPNPoolCIDR4
      - Label:
          default: AWS Transit Gateway configuration
        Parameters:
          - TGWSubnet1CIDR
          - TGWSubnet2CIDR
          - TGWSubnet3CIDR
          - TGWSubnet4CIDR
          - AmazonSideAsn
      - Label:
          default: On-Premises Gateway Configuration
        Parameters:
          - OnPremFirewallPublicIP
          - OnPremFirewallASN
          - PreSharedKeyForVPNAttachment
          - VPNTunnelCIDRs
          - OnPremCIDR
      - Label:
          default: AWS Quick Start Configuration
        Parameters:
          - QSS3BucketName
          - QSS3BucketRegion
          - QSS3KeyPrefix
    ParameterLabels: 
      AvailabilityZones:
        default: Availability Zones
      NumberOfAZs:
        default: Number of Availability Zones 
      VPCCIDR:
        default: VPC CIDR
      PublicSubnet1CIDR:
        default: Public subnet 1 CIDR
      PublicSubnet2CIDR:
        default: Public subnet 2 CIDR
      PublicSubnet3CIDR:
        default: Public subnet 3 CIDR
      PublicSubnet4CIDR:
        default: Public subnet 4 CIDR
      PrivateSubnet1CIDR:
        default: Private subnet 1 CIDR
      PrivateSubnet2CIDR:
        default: Private subnet 2 CIDR
      PrivateSubnet3CIDR:
        default: Private subnet 3 CIDR
      PrivateSubnet4CIDR:
        default: Private subnet 4 CIDR
      NumberOfASAv:
        default: Number of ASAv instances
      ASAv1HostName:
        default: ASAv1 hostname
      ASAv2HostName:
        default: ASAv2 hostname
      ASAv3HostName:
        default: ASAv3 hostname
      ASAv4HostName:
        default: ASAv4 hostname
      DnsName:
        default: DNS name
      InstanceTypeParam:
        default: Instance type of ASAv
      VPNUser:
        default: VPN user
      VPNPassword:
        default: VPN password
      KeyPair:
        default: ASAv instance key pair
      SSHLockDownCIDR:
        default: SSH lockdown CIDR
      MgmtSubnet1CIDR:
        default: Management subnet 1 CIDR
      MgmtSubnet2CIDR:
        default: Management subnet 2 CIDR
      MgmtSubnet3CIDR:
        default: Management subnet 3 CIDR
      MgmtSubnet4CIDR:
        default: Management subnet 4 CIDR
      VPNPoolCIDR1:
        default: VPN pool for ASAv1
      VPNPoolCIDR2:
        default: VPN pool for ASAv2
      VPNPoolCIDR3:
        default: VPN pool for ASAv3
      VPNPoolCIDR4:
        default: VPN pool for ASAv4
      QSS3BucketName:
        default: Quick Start S3 bucket name
      QSS3BucketRegion:
        default: Quick Start S3 bucket region
      QSS3KeyPrefix:
        default: Quick Start S3 key prefix
      TGWSubnet1CIDR:
        default: TGW subnet 1 CIDR
      TGWSubnet2CIDR:
        default: TGW subnet 2 CIDR
      TGWSubnet3CIDR:
        default: TGW subnet 3 CIDR
      TGWSubnet4CIDR:
        default: TGW subnet 4 CIDR
      AmazonSideAsn: 
        default: ASN for TGW S2S VPN attachment
      OnPremFirewallPublicIP:
        default: Public IP for customer on-premises gateway
      OnPremFirewallASN:
        default: ASN for customer gateway
      PreSharedKeyForVPNAttachment:
        default: Pre shared key for VPN attachement
      VPNTunnelCIDRs:
        default: On-premises gateway to TGW S2S VPN tunnel CIDR blocks
      OnPremCIDR:
        default: On-premises network CIDR
Parameters:
  AvailabilityZones:
    Description: >-
      List of Availability Zones to use for the subnets in the VPC. Note: The
      logical order is preserved and up to 4 Availability Zoness are used for 
      this deployment.
    Type: 'List<AWS::EC2::AvailabilityZone::Name>'
  NumberOfAZs:
    AllowedValues:
      - '1'
      - '2'
      - '3'
      - '4'
    Default: '2'
    Description: >-
      Number of Availability Zones to use in the VPC. This must match the number
      of selections in the list of Availability Zones.
    Type: String
  VPCCIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.0.0/16
    Description: CIDR block for the VPC.
    Type: String
  PublicSubnet1CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.0.0/21
    Description: CIDR block for public subnet 1 located in Availability Zone 1, for ASAv1.
    Type: String
  PublicSubnet2CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.8.0/21
    Description: CIDR block for public subnet 2 located in Availability Zone 2, for ASAv2.
    Type: String
  PublicSubnet3CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.16.0/21
    Description: CIDR block for public subnet 3 located in Availability Zone 3, for ASAv3.
    Type: String
  PublicSubnet4CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.24.0/21
    Description: CIDR block for public subnet 4 located in Availability Zone 4, for ASAv4.
    Type: String
  PrivateSubnet1CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.32.0/21
    Description: CIDR block for private subnet 1 located in Availability Zone 1, for ASAv1.
    Type: String
  PrivateSubnet2CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.40.0/21
    Description: CIDR block for private subnet 2 located in Availability Zone 2, for ASAv2.
    Type: String
  PrivateSubnet3CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.48.0/21
    Description: CIDR block for private subnet 3 located in Availability Zone 3, for ASAv3.
    Type: String
  PrivateSubnet4CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.56.0/21
    Description: CIDR block for private subnet 4 located in Availability Zone 4, for ASAv4.
    Type: String
  NumberOfASAv:
    AllowedValues:
      - '1'
      - '2'
      - '3'
      - '4'
    Default: '2'
    Description: >-
      Number of ASAv instances to be initiated.
    Type: String  
  ASAv1HostName:
    Type: String
    Default: ASAv01RAVPN
    Description: Enter ASAv1 hostname.
  ASAv2HostName:
    Type: String
    Default: ASAv02RAVPN
    Description: Enter ASAv2 hostname.
  ASAv3HostName:
    Type: String
    Default: ASAv03RAVPN
    Description: Enter ASAv3 hostname.
  ASAv4HostName:
    Type: String
    Default: ASAv04RAVPN
    Description: Enter ASAv4 hostname.
  DnsName:
    Type: String
    Description: Domain name of PublicHostedZone registered in Route53. This is the domain name behind which the ASAv firewall instances will be load balanced.
    Default: example.com
  InstanceTypeParam:
    Type: String
    Default: c5.large
    AllowedValues:
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - c3.large
      - c3.xlarge
      - c3.2xlarge
      - c4.large
      - c4.xlarge
      - c4.2xlarge
      - c5.large
      - c5.xlarge
      - c5.2xlarge
    Description: Select an instance type for the ASAv instances.
  VPNUser:
    Type: String
    Description: Test VPN username.
  VPNPassword:
    NoEcho: true
    Type: String
    Description: Test VPN password.
  KeyPair:
    Type: AWS::EC2::KeyPair::KeyName
    Description: ASAv instances will launch with this key pair.
  SSHLockDownCIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/0-28
    Description: CIDR block for locking down SSH access on the outside interface.
    Type: String
  MgmtSubnet1CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.64.0/21
    Description: CIDR block for management subnet 1 located in Availability Zone 1, for ASAv1.
    Type: String
  MgmtSubnet2CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.72.0/21
    Description: CIDR block for management subnet 2 located in Availability Zone 2, for ASAv2.
    Type: String
  MgmtSubnet3CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.80.0/21
    Description: CIDR block for management subnet 3 located in Availability Zone 3, for ASAv3.
    Type: String
  MgmtSubnet4CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.88.0/21
    Description: CIDR block for management subnet 4 located in Availability Zone 4, for ASAv4.
    Type: String
  VPNPoolCIDR1:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(19))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/19
    Default: 172.16.0.0/19
    Description: This is a /19 CIDR block for a ghost VPN pool for ASAv1. VPN clients connecting in will be assigned an IP from this subnet. This subnet should not overlap with the on-premises CIDR or VPC CIDR blocks. You can use the default value.
    Type: String
  VPNPoolCIDR2:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(19))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/19
    Default: 172.16.32.0/19
    Description: This is a /19 CIDR block for a ghost VPN pool for ASAv2. VPN clients connecting in will be assigned an IP from this subnet. This subnet should not overlap with the on-premises CIDR or VPC CIDR blocks. You can use the default value.
    Type: String
  VPNPoolCIDR3:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(19))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/19
    Default: 172.16.64.0/19
    Description: This is a /19 CIDR block for a ghost VPN pool for ASAv3. VPN clients connecting in will be assigned an IP from this subnet. This subnet should not overlap with the on-premises CIDR or VPC CIDR blocks. You can use the default value.
    Type: String
  VPNPoolCIDR4:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(19))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/19
    Default: 172.16.96.0/19
    Description: This is a /19 CIDR block for a ghost VPN pool for ASAv4. VPN clients connecting in will be assigned an IP from this subnet. This subnet should not overlap with the on-premises CIDR or VPC CIDR blocks. You can use the default value.
    Type: String
  QSS3BucketName:
    AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
    ConstraintDescription: >-
      Quick Start bucket name can include numbers, lowercase letters, uppercase
      letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: aws-quickstart
    Description: >-
      S3 bucket name for the Quick Start assets. Quick Start bucket name can
      include numbers, lowercase letters, uppercase letters, and hyphens (-). It
      cannot start or end with a hyphen (-).
    Type: String
  QSS3BucketRegion:
    Default: us-east-1
    Description: >-
      The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted.
      When using your own bucket, you must specify this value.
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: '^[0-9a-zA-Z-/]*$'
    ConstraintDescription: >-
      Quick Start key prefix can include numbers, lowercase letters, uppercase
      letters, hyphens (-), and forward slash (/).
    Default: quickstart-cisco-asav-ravpn/
    Description: >-
      S3 key prefix for the Quick Start assets. Quick Start key prefix can
      include numbers, lowercase letters, uppercase letters, hyphens (-), and
      forward slash (/).
    Type: String
  TGWSubnet1CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.96.0/21
    Description: CIDR block for AWS Transit Gateway subnet 1 located in Availability Zone 1.
    Type: String
  TGWSubnet2CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.104.0/21
    Description: CIDR block for AWS Transit Gateway subnet 2 located in Availability Zone 2.
    Type: String
  TGWSubnet3CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.112.0/21
    Description: CIDR block for AWS Transit Gateway subnet 3 located in Availability Zone 3.
    Type: String
  TGWSubnet4CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.120.0/21
    Description: CIDR block for AWS Transit Gateway subnet 4 located in Availability Zone 4.
    Type: String
  AmazonSideAsn:
    Description: A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs.
    Type: String
    Default: 64513
  OnPremFirewallPublicIP:
    Description: Specify the public IP address of the on-premises gateway.
    Type: String
  OnPremFirewallASN:
    Description: Specify the BGP ASN of the on-premises gateway.
    Type: String
    Default: 65001
  PreSharedKeyForVPNAttachment:
    Description: Specify the pre shared key of the customer gateway. Must be 15 characters in length and cannot start with zero (0).
    NoEcho: true
    Type: String
    Default: casav1234567891
    MinLength: 15
    MaxLength: 15
  OnPremCIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Description: CIDR block for the on-premises network.
    Type: String
  VPNTunnelCIDRs:
    Description: Specify the tunnel inside CIDR blocks for the on-premises firewall. You can use the default pre-filled CIDR blocks as well.
    Type: CommaDelimitedList
    Default: "169.254.6.0/30, 169.254.7.0/30"
Conditions:
  UsingDefaultBucket: !Equals 
    - !Ref QSS3BucketName
    - aws-quickstart
  3SubnetCondition: !Or
    - !Equals
      - !Ref 'NumberOfAZs'
      - '3'
    - !Condition 4SubnetCondition
  4SubnetCondition: !Equals
    - !Ref 'NumberOfAZs'
    - '4'
  1ASAvCondition: !Or
    - !Equals
      - !Ref 'NumberOfASAv'
      - '1'
    - !Condition '2ASAvCondition'
  2ASAvCondition: !Or
    - !Equals
      - !Ref 'NumberOfASAv'
      - '2'
    - !Condition '3ASAvCondition'
  3ASAvCondition: !Or
    - !Equals
      - !Ref 'NumberOfASAv'
      - '3'
    - !Condition '4ASAvCondition'
  4ASAvCondition: !Equals
    - !Ref 'NumberOfASAv'
    - '4'
Resources:
  VPCStack:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Sub 
        - >-
          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml
        - S3Region: !If 
            - UsingDefaultBucket
            - !Ref 'AWS::Region'
            - !Ref QSS3BucketRegion
          S3Bucket: !If 
            - UsingDefaultBucket
            - !Sub '${QSS3BucketName}-${AWS::Region}'
            - !Ref QSS3BucketName
      Parameters:
        AvailabilityZones: !Join 
          - ','
          - !Ref AvailabilityZones
        NumberOfAZs: !Ref NumberOfAZs
        VPCCIDR: !Ref VPCCIDR
        PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR
        PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR
        PrivateSubnet3ACIDR: !Ref PrivateSubnet3CIDR
        PrivateSubnet4ACIDR: !Ref PrivateSubnet4CIDR
        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
        PublicSubnet3CIDR: !Ref PublicSubnet3CIDR
        PublicSubnet4CIDR: !Ref PublicSubnet4CIDR
  TGWStack:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Sub
        - >-
          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/quickstart-cisco-asav-ravpn-tgw.yaml
        - S3Region: !If 
            - UsingDefaultBucket
            - !Ref 'AWS::Region'
            - !Ref QSS3BucketRegion
          S3Bucket: !If 
            - UsingDefaultBucket
            - !Sub '${QSS3BucketName}-${AWS::Region}'
            - !Ref QSS3BucketName
      Parameters:
        AvailabilityZones: !Join 
          - ','
          - !Ref AvailabilityZones
        NumberOfAZs: !Ref NumberOfAZs
        NumberOfASAv: !Ref NumberOfASAv
        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
        NetworkInterfaceId1ASAv1: !If [1ASAvCondition, !GetAtt 'ASAvStack1.Outputs.InsideENI', !Ref "AWS::NoValue"]
        NetworkInterfaceId1ASAv2: !If [2ASAvCondition, !GetAtt 'ASAvStack1.Outputs.InsideENI', !Ref "AWS::NoValue"]
        NetworkInterfaceId2ASAv2: !If [2ASAvCondition, !GetAtt 'ASAvStack2.Outputs.InsideENI', !Ref "AWS::NoValue"]
        NetworkInterfaceId1ASAv3: !If [3ASAvCondition, !GetAtt 'ASAvStack1.Outputs.InsideENI', !Ref "AWS::NoValue"]
        NetworkInterfaceId2ASAv3: !If [3ASAvCondition, !GetAtt 'ASAvStack2.Outputs.InsideENI', !Ref "AWS::NoValue"]
        NetworkInterfaceId3ASAv3: !If [3ASAvCondition, !GetAtt 'ASAvStack3.Outputs.InsideENI', !Ref "AWS::NoValue"]
        NetworkInterfaceId1ASAv4: !If [4ASAvCondition, !GetAtt 'ASAvStack1.Outputs.InsideENI', !Ref "AWS::NoValue"]
        NetworkInterfaceId2ASAv4: !If [4ASAvCondition, !GetAtt 'ASAvStack2.Outputs.InsideENI', !Ref "AWS::NoValue"]
        NetworkInterfaceId3ASAv4: !If [4ASAvCondition, !GetAtt 'ASAvStack3.Outputs.InsideENI', !Ref "AWS::NoValue"]
        NetworkInterfaceId4ASAv4: !If [4ASAvCondition, !GetAtt 'ASAvStack4.Outputs.InsideENI', !Ref "AWS::NoValue"]
        PrivateSubnet1ARouteTable: !GetAtt 'VPCStack.Outputs.PrivateSubnet1ARouteTable'
        PrivateSubnet2ARouteTable: !GetAtt 'VPCStack.Outputs.PrivateSubnet2ARouteTable'
        PrivateSubnet3ARouteTable: !If [3SubnetCondition, !GetAtt 'VPCStack.Outputs.PrivateSubnet3ARouteTable', !Ref "AWS::NoValue"]
        PrivateSubnet4ARouteTable: !If [4SubnetCondition, !GetAtt 'VPCStack.Outputs.PrivateSubnet4ARouteTable', !Ref "AWS::NoValue"]
        VPNPoolCIDR1: !Ref VPNPoolCIDR1
        VPNPoolCIDR2: !Ref VPNPoolCIDR2
        VPNPoolCIDR3: !Ref VPNPoolCIDR3
        VPNPoolCIDR4: !Ref VPNPoolCIDR4
        TGWSubnet1CIDR: !Ref TGWSubnet1CIDR
        TGWSubnet2CIDR: !Ref TGWSubnet2CIDR
        TGWSubnet3CIDR: !Ref TGWSubnet3CIDR
        TGWSubnet4CIDR: !Ref TGWSubnet4CIDR
        OnPremFirewallPublicIP: !Ref OnPremFirewallPublicIP
        OnPremFirewallASN: !Ref OnPremFirewallASN
        PreSharedKeyForVPNAttachment: !Ref PreSharedKeyForVPNAttachment
        VPNTunnelCIDRs: !Join
        - ","
        - !Ref VPNTunnelCIDRs
        AmazonSideAsn: !Ref AmazonSideAsn
        OnPremCIDR: !Ref OnPremCIDR
        QSS3BucketName: !Ref QSS3BucketName
        QSS3KeyPrefix: !Ref QSS3KeyPrefix
        QSS3BucketRegion: !Ref QSS3BucketRegion
  CommonResourcesStack:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Sub 
        - >-
          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/quickstart-cisco-asav-ravpn-common.yaml
        - S3Region: !If 
            - UsingDefaultBucket
            - !Ref 'AWS::Region'
            - !Ref QSS3BucketRegion
          S3Bucket: !If 
            - UsingDefaultBucket
            - !Sub '${QSS3BucketName}-${AWS::Region}'
            - !Ref QSS3BucketName
      Parameters:
        DnsName: !Ref DnsName
        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
        SSHLockDownCIDR: !Ref SSHLockDownCIDR
  ASAvStack1:
    Condition: 1ASAvCondition
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Sub 
        - >-
          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/quickstart-cisco-asav-ravpn-instance.yaml
        - S3Region: !If 
            - UsingDefaultBucket
            - !Ref 'AWS::Region'
            - !Ref QSS3BucketRegion
          S3Bucket: !If 
            - UsingDefaultBucket
            - !Sub '${QSS3BucketName}-${AWS::Region}'
            - !Ref QSS3BucketName
      Parameters:
        InstanceTypeParam: !Ref InstanceTypeParam
        KeyPair: !Ref KeyPair
        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
        VPNUser: !Ref VPNUser
        VPNPassword: !Ref VPNPassword
        PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet1AID'
        PublicSubnet1ID:  !GetAtt 'VPCStack.Outputs.PublicSubnet1ID'
        MgmtSubnet1CIDR: !Ref MgmtSubnet1CIDR
        ASAv1HostName: !Ref ASAv1HostName
        DnsName: !Ref DnsName
        VPNPoolFrom1: !Sub
        - ${a}.${b}.0.1
        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR1 ]]]]
          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR1 ]]]]
        VPNPoolTo1: !Sub
        - ${a}.${b}.31.254
        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR1 ]]]]
          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR1 ]]]]
        VPNPoolCIDRMask1: !Select [1, !Split [ "/" , !Ref VPNPoolCIDR1 ]] 
        VPCCIDRMASK: !Select [1, !Split [ "/" , !Ref VPCCIDR ]] 
        VPCPOOL: !Select [0, !Split ["/", !Ref VPCCIDR]]
        OnPremCIDRMask: !Select [1, !Split [ "/" , !Ref OnPremCIDR ]] 
        OnPremPool: !Select [0, !Split ["/", !Ref OnPremCIDR]]
        PrivateSubnet1GW: !Sub
        - ${a}.${b}.${c}.1
        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet1CIDR ]]]]
          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet1CIDR ]]]]
          c: !Select [2, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet1CIDR ]]]]
        PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR
        PrivateSubnet1Pool: !Select [0, !Split ["/", !Ref PrivateSubnet1CIDR]]
        PrivateSubnet1CIDRMask: !Select [1, !Split [ "/" , !Ref PrivateSubnet1CIDR ]]
        PublicHostedZone: !GetAtt 'CommonResourcesStack.Outputs.PublicHostedZone'
        MgmtRouteTable: !GetAtt 'CommonResourcesStack.Outputs.MgmtRouteTable'
        ASAvInstanceSGMGMT: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGMGMT'
        ASAvInstanceSGOUTSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGOUTSIDE'
        ASAvInstanceSGINSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGINSIDE'
        InstanceIdentifier: 0

  ASAvStack2:
    Condition: 2ASAvCondition
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Sub 
        - >-
          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/quickstart-cisco-asav-ravpn-instance.yaml
        - S3Region: !If 
            - UsingDefaultBucket
            - !Ref 'AWS::Region'
            - !Ref QSS3BucketRegion
          S3Bucket: !If 
            - UsingDefaultBucket
            - !Sub '${QSS3BucketName}-${AWS::Region}'
            - !Ref QSS3BucketName
      Parameters:
        InstanceTypeParam: !Ref InstanceTypeParam
        KeyPair: !Ref KeyPair
        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
        VPNUser: !Ref VPNUser
        VPNPassword: !Ref VPNPassword
        PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet2AID'
        PublicSubnet1ID:  !GetAtt 'VPCStack.Outputs.PublicSubnet2ID'
        MgmtSubnet1CIDR: !Ref MgmtSubnet2CIDR
        ASAv1HostName: !Ref ASAv2HostName
        DnsName: !Ref DnsName
        VPNPoolFrom1: !Sub
        - ${a}.${b}.32.1
        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR2 ]]]]
          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR2 ]]]]
        VPNPoolTo1: !Sub
        - ${a}.${b}.63.254
        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR2 ]]]]
          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR2 ]]]]
        VPNPoolCIDRMask1: !Select [1, !Split [ "/" , !Ref VPNPoolCIDR2 ]] 
        VPCCIDRMASK: !Select [1, !Split [ "/" , !Ref VPCCIDR ]] 
        VPCPOOL: !Select [0, !Split ["/", !Ref VPCCIDR]]
        OnPremCIDRMask: !Select [1, !Split [ "/" , !Ref OnPremCIDR ]] 
        OnPremPool: !Select [0, !Split ["/", !Ref OnPremCIDR]]
        PrivateSubnet1GW: !Sub
        - ${a}.${b}.${c}.1
        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet2CIDR ]]]]
          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet2CIDR ]]]]
          c: !Select [2, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet2CIDR ]]]]
        PrivateSubnet1CIDR: !Ref PrivateSubnet2CIDR
        PrivateSubnet1Pool: !Select [0, !Split ["/", !Ref PrivateSubnet2CIDR]]
        PrivateSubnet1CIDRMask: !Select [1, !Split [ "/" , !Ref PrivateSubnet2CIDR ]]
        PublicHostedZone: !GetAtt 'CommonResourcesStack.Outputs.PublicHostedZone'
        MgmtRouteTable: !GetAtt 'CommonResourcesStack.Outputs.MgmtRouteTable'
        ASAvInstanceSGMGMT: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGMGMT'
        ASAvInstanceSGOUTSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGOUTSIDE'
        ASAvInstanceSGINSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGINSIDE'
        InstanceIdentifier: 1

  ASAvStack3:
    Condition: 3ASAvCondition
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Sub 
        - >-
          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/quickstart-cisco-asav-ravpn-instance.yaml
        - S3Region: !If 
            - UsingDefaultBucket
            - !Ref 'AWS::Region'
            - !Ref QSS3BucketRegion
          S3Bucket: !If 
            - UsingDefaultBucket
            - !Sub '${QSS3BucketName}-${AWS::Region}'
            - !Ref QSS3BucketName
      Parameters:
        InstanceTypeParam: !Ref InstanceTypeParam
        KeyPair: !Ref KeyPair
        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
        VPNUser: !Ref VPNUser
        VPNPassword: !Ref VPNPassword
        PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet3AID'
        PublicSubnet1ID:  !GetAtt 'VPCStack.Outputs.PublicSubnet3ID'
        MgmtSubnet1CIDR: !Ref MgmtSubnet3CIDR
        ASAv1HostName: !Ref ASAv3HostName
        DnsName: !Ref DnsName
        VPNPoolFrom1: !Sub
        - ${a}.${b}.64.1
        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR3 ]]]]
          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR3 ]]]]
        VPNPoolTo1: !Sub
        - ${a}.${b}.95.254
        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR3 ]]]]
          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR3 ]]]]
        VPNPoolCIDRMask1: !Select [1, !Split [ "/" , !Ref VPNPoolCIDR3 ]] 
        VPCCIDRMASK: !Select [1, !Split [ "/" , !Ref VPCCIDR ]] 
        VPCPOOL: !Select [0, !Split ["/", !Ref VPCCIDR]]
        OnPremCIDRMask: !Select [1, !Split [ "/" , !Ref OnPremCIDR ]] 
        OnPremPool: !Select [0, !Split ["/", !Ref OnPremCIDR]]
        PrivateSubnet1GW: !Sub
        - ${a}.${b}.${c}.1
        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet3CIDR ]]]]
          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet3CIDR ]]]]
          c: !Select [2, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet3CIDR ]]]]
        PrivateSubnet1CIDR: !Ref PrivateSubnet3CIDR
        PrivateSubnet1Pool: !Select [0, !Split ["/", !Ref PrivateSubnet3CIDR]]
        PrivateSubnet1CIDRMask: !Select [1, !Split [ "/" , !Ref PrivateSubnet3CIDR ]]
        PublicHostedZone: !GetAtt 'CommonResourcesStack.Outputs.PublicHostedZone'
        MgmtRouteTable: !GetAtt 'CommonResourcesStack.Outputs.MgmtRouteTable'
        ASAvInstanceSGMGMT: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGMGMT'
        ASAvInstanceSGOUTSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGOUTSIDE'
        ASAvInstanceSGINSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGINSIDE'
        InstanceIdentifier: 2

  ASAvStack4:
    Condition: 4ASAvCondition
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Sub 
        - >-
          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/quickstart-cisco-asav-ravpn-instance.yaml
        - S3Region: !If 
            - UsingDefaultBucket
            - !Ref 'AWS::Region'
            - !Ref QSS3BucketRegion
          S3Bucket: !If 
            - UsingDefaultBucket
            - !Sub '${QSS3BucketName}-${AWS::Region}'
            - !Ref QSS3BucketName
      Parameters:
        InstanceTypeParam: !Ref InstanceTypeParam
        KeyPair: !Ref KeyPair
        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
        VPNUser: !Ref VPNUser
        VPNPassword: !Ref VPNPassword
        PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet4AID'
        PublicSubnet1ID:  !GetAtt 'VPCStack.Outputs.PublicSubnet4ID'
        MgmtSubnet1CIDR: !Ref MgmtSubnet4CIDR
        ASAv1HostName: !Ref ASAv4HostName
        DnsName: !Ref DnsName
        VPNPoolFrom1: !Sub
        - ${a}.${b}.96.1
        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR4 ]]]]
          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR4 ]]]]
        VPNPoolTo1: !Sub
        - ${a}.${b}.127.254
        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR4 ]]]]
          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR4 ]]]]
        VPNPoolCIDRMask1: !Select [1, !Split [ "/" , !Ref VPNPoolCIDR4 ]] 
        VPCCIDRMASK: !Select [1, !Split [ "/" , !Ref VPCCIDR ]] 
        VPCPOOL: !Select [0, !Split ["/", !Ref VPCCIDR]]
        OnPremCIDRMask: !Select [1, !Split [ "/" , !Ref OnPremCIDR ]] 
        OnPremPool: !Select [0, !Split ["/", !Ref OnPremCIDR]]
        PrivateSubnet1GW: !Sub
        - ${a}.${b}.${c}.1
        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet4CIDR ]]]]
          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet4CIDR ]]]]
          c: !Select [2, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet4CIDR ]]]]
        PrivateSubnet1CIDR: !Ref PrivateSubnet4CIDR
        PrivateSubnet1Pool: !Select [0, !Split ["/", !Ref PrivateSubnet4CIDR]]
        PrivateSubnet1CIDRMask: !Select [1, !Split [ "/" , !Ref PrivateSubnet4CIDR ]]
        PublicHostedZone: !GetAtt 'CommonResourcesStack.Outputs.PublicHostedZone'
        MgmtRouteTable: !GetAtt 'CommonResourcesStack.Outputs.MgmtRouteTable'
        ASAvInstanceSGMGMT: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGMGMT'
        ASAvInstanceSGOUTSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGOUTSIDE'
        ASAvInstanceSGINSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGINSIDE'
        InstanceIdentifier: 3

Outputs:
  AccountId:
    Description: Amazon Account ID
    Value: !Ref 'AWS::AccountId'
#------------------------------- ASAvStack1-----------------  
  ASAv1MGMTIPStack1:
    Condition: 1ASAvCondition
    Description: ASAv Instance 1 Management IP
    Value: !GetAtt ASAvStack1.Outputs.ASAv1MGMTIP
  ASAv1PublicIPStack1:
    Condition: 1ASAvCondition  
    Description: ASAv Instance 1 Public IP
    Value: !GetAtt ASAvStack1.Outputs.ASAv1PublicIP
  VPNPoolFrom1Stack1:
    Condition: 1ASAvCondition  
    Description: ASAv Instance 1 VPN Pool From
    Value: !GetAtt ASAvStack1.Outputs.VPNPoolFrom1
  VPNPoolTo1Stack1:
    Condition: 1ASAvCondition  
    Description: ASAv Instance 1 VPN Pool To
    Value: !GetAtt ASAvStack1.Outputs.VPNPoolTo1
  VPNPoolMask1Stack1:
    Condition: 1ASAvCondition  
    Description: ASAv Instance 1 VPN Pool Mask
    Value: !GetAtt ASAvStack1.Outputs.VPNPoolCIDRMask1
#------------------------------- ASAvStack2-----------------
  ASAv2MGMTIPStack2:
    Condition: 2ASAvCondition
    Description: ASAv Instance 2 Management IP
    Value: !GetAtt ASAvStack2.Outputs.ASAv1MGMTIP
  ASAv2PublicIPStack2:
    Condition: 2ASAvCondition  
    Description: ASAv Instance 2 Public IP
    Value: !GetAtt ASAvStack2.Outputs.ASAv1PublicIP
  VPNPoolFrom2Stack2:
    Condition: 2ASAvCondition  
    Description: ASAv Instance 2 VPN Pool From
    Value: !GetAtt ASAvStack2.Outputs.VPNPoolFrom1
  VPNPoolTo2Stack2:
    Condition: 2ASAvCondition  
    Description: ASAv Instance 2 VPN Pool To
    Value: !GetAtt ASAvStack2.Outputs.VPNPoolTo1
  VPNPoolMask2Stack2:
    Condition: 2ASAvCondition  
    Description: ASAv Instance 2 VPN Pool Mask
    Value: !GetAtt ASAvStack2.Outputs.VPNPoolCIDRMask1
#------------------------------- ASAvStack3-----------------
  ASAv3MGMTIPStack3:
    Condition: 3ASAvCondition
    Description: ASAv Instance 3 Management IP
    Value: !GetAtt ASAvStack3.Outputs.ASAv1MGMTIP
  ASAv3PublicIPStack3:
    Condition: 3ASAvCondition  
    Description: ASAv Instance 3 Public IP
    Value: !GetAtt ASAvStack3.Outputs.ASAv1PublicIP
  VPNPoolFrom3Stack3:
    Condition: 3ASAvCondition  
    Description: ASAv Instance 3 VPN Pool From
    Value: !GetAtt ASAvStack3.Outputs.VPNPoolFrom1
  VPNPoolTo3Stack3:
    Condition: 3ASAvCondition  
    Description: ASAv Instance 3 VPN Pool To
    Value: !GetAtt ASAvStack3.Outputs.VPNPoolTo1
  VPNPoolMask3Stack3:
    Condition: 3ASAvCondition  
    Description: ASAv Instance 3 VPN Pool Mask
    Value: !GetAtt ASAvStack3.Outputs.VPNPoolCIDRMask1
#------------------------------- ASAvStack4-----------------
  ASAv4MGMTIPStack4:
    Condition: 4ASAvCondition
    Description: ASAv Instance 4 Management IP
    Value: !GetAtt ASAvStack4.Outputs.ASAv1MGMTIP
  ASAv4PublicIPStack4:
    Condition: 4ASAvCondition  
    Description: ASAv Instance 4 Public IP
    Value: !GetAtt ASAvStack4.Outputs.ASAv1PublicIP
  VPNPoolFrom4Stack4:
    Condition: 4ASAvCondition  
    Description: ASAv Instance 4 VPN Pool From
    Value: !GetAtt ASAvStack4.Outputs.VPNPoolFrom1
  VPNPoolTo4Stack4:
    Condition: 4ASAvCondition  
    Description: ASAv Instance 4 VPN Pool To
    Value: !GetAtt ASAvStack4.Outputs.VPNPoolTo1
  VPNPoolMask4Stack4:
    Condition: 4ASAvCondition  
    Description: ASAv Instance 4 VPN Pool Mask
    Value: !GetAtt ASAvStack4.Outputs.VPNPoolCIDRMask1
#--------------------------------------------------------------
  VPNTunnelOutsideIPs:
    Description: VPN Tunnel Outside IP
    Value: !GetAtt TGWStack.Outputs.VPNTunnelOutsideIPs