1205 Views, 0 Helpful, 4 Replies

Using 1000v to connect multiple AWS VPCs

cbbristol (Level 1)

Hello,

I have a number of customer VPCs with private subnets, which have no internet access, that I need to connect to an AWS VPC that I own. By connecting them to my VPC, I need to provide them with:

  • Access to private resources inside of my VPC
  • Transitive access to private resources that are connected via IPSEC VPN to my VPC 
  • Provide internet access to them via NAT

Since I do not own the customer VPCs, I cannot always expect to be able to install a 1000v in that environment. So, I am connecting the customer VPCs to my 1000v via AWS's IPSEC VPN Gateway. I was able to successfully connect the customer VPCs to the 1000v via IPSEC tunnel, and they are able to access private resources within my VPC. But I am unable to figure out how to provide Internet access to the customer VPCs.

The customer route tables look like the following:

Network     Destination
(local)     Local Route Table
0.0.0.0     VPN Gateway

As stated in this document: http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/csraws/awsoverview.pdf, "You cannot apply NAT PAT on the same interface that is configured with a crypto map." Does this mean that I am unable to provide internet access via NAT for the VPCs that are routing through my 1000v? How do I get traffic that is coming in from the tunnel and destined for the internet to use the NAT in my VPC? Below you'll find an architectural diagram:

Thanks!

4 Replies

Fan Yang (Level 1)

Hi,

According to the guide, yes, you can't use PAT/NAT on the IPSEC-enabled interface. But it also has a workaround, as follows.

  • The workaround is to use a different IP Security feature such as SVTI or DMVPN, or you can configure a two-router solution with one router for NAT and another router for the IP Security crypto map.

Since the AWS VPN Gateway doesn't support GRE tunnels, you can't use SVTI or DMVPN between the CSR and the VPN Gateway. But you can try the second workaround by placing two routers in your VPC-A: one router for NAT and another for IPSEC.

Hope this answers your questions.

Thanks

Fan

I've read about the two-router solution. How would that work? Would I make the default route of the crypto 1000v that of the NAT 1000v? Wouldn't that break the tunnel?

For example, you have two CSRs in your VPC, CSR-A (LEFT) and CSR-B (RIGHT). CSR-B is building the IPSEC tunnel with your customer's VPC. CSR-A is connected to the IGW in your VPC.

After CSR-B has decrypted the data, CSR-A will do the NAT.

Thanks

Fan
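Added example, not part of this thread and not Cisco's documented configuration: one way the two-router split described above could be expressed on IOS-XE, using policy-based routing so that CSR-B keeps its own default route (needed for the IPsec peer) while only decrypted customer traffic bound for the Internet is handed to CSR-A. All addresses, interface roles and ACL names are assumptions: customer VPC 10.10.0.0/16, VPC-A 10.0.0.0/16, an on-premises network 192.168.0.0/16 reached over the existing IPsec VPN, CSR-B on 10.0.1.20 and CSR-A with a private-side address of 10.0.2.10. The crypto map and tunnel configuration are omitted because they are unchanged from a single-router setup.

```text
! ---------------- CSR-B (IPsec termination, hypothetical) ----------------
! GigabitEthernet1 carries the crypto map toward the AWS VPN Gateway.
! Decrypted customer packets ingress on this same interface, so PBR here
! is evaluated after decryption.
ip access-list extended CUSTOMER-TO-INTERNET
 ! keep private destinations on the normal routing path
 deny   ip 10.10.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 ! everything else from the customer VPC goes to the NAT router
 permit ip 10.10.0.0 0.0.255.255 any
!
route-map TO-NAT-ROUTER permit 10
 match ip address CUSTOMER-TO-INTERNET
 set ip next-hop 10.0.2.10
!
interface GigabitEthernet1
 ip address 10.0.1.20 255.255.255.0
 ip policy route-map TO-NAT-ROUTER
 crypto map CUSTOMER-VPN
!
! CSR-B still defaults to the VPC subnet router, whose AWS route table
! points 0.0.0.0/0 at the IGW; this is what the IPsec peer session uses.
ip route 0.0.0.0 0.0.0.0 10.0.1.1

! ---------------- CSR-A (NAT/PAT, hypothetical) ----------------
! Two ENIs: Gi1 in a public subnet (Elastic IP, NAT outside),
! Gi2 in a private subnet (NAT inside). No crypto map on either.
interface GigabitEthernet1
 ip address 10.0.3.10 255.255.255.0
 ip nat outside
!
interface GigabitEthernet2
 ip address 10.0.2.10 255.255.255.0
 ip nat inside
!
ip access-list standard NAT-SOURCES
 permit 10.10.0.0 0.0.255.255
!
ip nat inside source list NAT-SOURCES interface GigabitEthernet1 overload
!
! Return traffic is un-translated to 10.10.x.x and must be sent back to
! CSR-B, which re-encrypts it toward the customer VPC.
ip route 10.10.0.0 255.255.0.0 10.0.1.20
ip route 0.0.0.0 0.0.0.0 10.0.3.1
```

Two AWS-side settings, independent of the router configuration, are also assumed: source/destination checking is disabled on every CSR ENI that forwards for other networks, and the VPC route table for CSR-A's public subnet sends 0.0.0.0/0 to the Internet Gateway. Note that with this design the customer VPC's Internet traffic leaves from CSR-A's Elastic IP, not CSR-B's, which matters for any egress allow-lists the customer maintains.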

Sorry, I'm a bit late to reply.

I don't see how this will work, seeing as both CSR-A and CSR-B require a route to the Internet Gateway. CSR-B needs a public IP address in order to perform IPSEC, and CSR-A needs a public IP to perform NAT. If traffic coming through the tunnel to my CSR-B is destined for the Internet, the IGW route (0.0.0.0/0) attached to CSR-B will receive this traffic. How can I route traffic that is coming in through CSR-B to CSR-A when a route already exists that directs this traffic to 0.0.0.0/0? If I created a 0.0.0.0/0 route to CSR-A, wouldn't this break the IPSEC tunnel?