05-26-2019 08:17 PM
I've created 2x Cisco CSR 1000V in AWS, and have launched an instance in the private subnet (behind the CSR).
Now, I want that instance to have internet access.
I can ping/ssh the instance from the CSR, but I cannot connect to the instance via SSH using its public IP address. I assume I need to tell the CSR that I want to allow traffic to that instance.
How to do that?
ip-10-0-0-171#show ip int b
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       10.0.0.171      YES DHCP   up                    up        #outside
GigabitEthernet2       10.0.1.147      YES DHCP   up                    up        #internal IP address
The inside network is: 10.0.1.0/24 - It should allow outgoing traffic from 10.0.1.0/24 to the internet.
Also, if I need to create a NAT entry that redirects port 2222 from the outside interface to 10.0.1.154, how do I do that?
Thanks!
05-30-2019 08:30 PM
I managed to get this working with the following:
# AWS Sydney (ap-southeast-2):
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn CSR1.cisco.com
 authentication remote pre-share key cisco123
 authentication local pre-share key cisco123
 exit
interface tunnel1
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet 1
 tunnel destination 52.x.x.206
 tunnel protection ipsec profile default
crypto ikev2 dpd 10 2 on-demand
show crypto ipsec profile default
router eigrp 1
 network 172.16.0.0 0.0.0.255
 network 10.1.2.0 0.0.0.255
ip route 10.5.2.0 255.255.255.0 tunnel1
interface GigabitEthernet1
 ip nat outside
interface GigabitEthernet2
 ip nat inside
ip access-list extended NAT
 permit ip 10.1.2.0 0.0.0.255 any
ip nat inside source list NAT interface GigabitEthernet1 overload
no ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
wr

# AWS Tokyo (ap-northeast-1):
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn CSR2.cisco.com
 authentication remote pre-share key cisco123
 authentication local pre-share key cisco123
 exit
interface tunnel1
 ip address 172.16.0.2 255.255.255.252
 tunnel source GigabitEthernet 1
 tunnel destination 3.x.x.27
 tunnel protection ipsec profile default
crypto ikev2 dpd 10 2 on-demand
show crypto ipsec profile default
router eigrp 1
 network 172.16.0.0 0.0.0.255
 network 10.5.2.0 0.0.0.255
ip route 10.1.2.0 255.255.255.0 tunnel1
interface GigabitEthernet1
 ip nat outside
interface GigabitEthernet2
 ip nat inside
ip access-list extended NAT
 permit ip 10.5.2.0 0.0.0.255 any
ip nat inside source list NAT interface GigabitEthernet1 overload
no ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
wr
05-27-2019 12:25 AM
Hello,
post the configs of the CSRs. As far as I can see, you need a split tunnel setup with NAT (SVTI or DMVPN, since you cannot use NAT and crypto maps on the same interface with AWS)...
05-27-2019 02:13 AM
Hope this helps. Let me know if you need anything else.
It is worth reminding that the Linux VM is connected to a Private Subnet, which points to the GigabitEthernet2 as its default gw.
I can reach the VM from the CSR, but I cannot connect to the VM using its elastic IP address, nor do I have internet access from the instance.
GigabitEthernet1 - The outside interface
GigabitEthernet2 - The internal interface, which connects to the VMs
Tunnel0 - is connected to the other CSR (CSR 2 for HA). I don't think I need to give you the CSR2's configuration as it is pretty much the same.
CSR1#show running-config
Building configuration...
Current configuration : 4761 bytes
!
! Last configuration change at 03:54:57 UTC Mon May 27 2019
!
version 16.10
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
hostname CSR1
boot-start-marker
boot-end-marker
vrf definition GS
rd 100:100
!
address-family ipv4
exit-address-family
logging persistent size 1000000 filesize 8192 immediate
no aaa new-model
login on-success log
subscriber templating
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-2886621095
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2886621095
revocation-check none
rsakeypair TP-self-signed-2886621095
crypto pki certificate chain TP-self-signed-2886621095
certificate self-signed 01
30820330
[ ... hidden for security reasons... ]
BAEBE008
quit
!
license udi pid CSR1000V sn 9Q [ ... hidden for security reasons... ] NO
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username ec2-user privilege 15 secret 9 $9$VLn04MyBv [ ... hidden for security reasons... ] 8o/nr2A4Cgc
username 54.54.54.54
!
redundancy
cloud provider aws 1
bfd peer 172.17.1.2
route-table rtb-0f73fdbdcbccdfb9b
cidr ip 0.0.0.0/0
eni eni-0560a232631575425
region ap-southeast-2
!
interface Tunnel0
ip address 172.17.1.1 255.255.255.252
ip ospf 1 area 0
bfd interval 500 min_rx 500 multiplier 3
tunnel source GigabitEthernet1
tunnel destination 3.3.3.3
!
interface VirtualPortGroup0
vrf forwarding GS
ip address 192.168.35.101 255.255.255.0
ip nat inside
no mop enabled
no mop sysid
!
interface GigabitEthernet1
ip address dhcp
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address dhcp
negotiation auto
no mop enabled
no mop sysid
!
router ospf 1
bfd all-interfaces
!
iox
ip forward-protocol nd
ip tcp window-size 8192
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 10.0.0.1
ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 10.0.0.1 global
!
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh pubkey-chain
username ec2-user
key-hash ssh-rsa 8F [ ... hidden for security reasons... ] 10 ec2-user
ip scp server enable
!
!
ip access-list standard GS_NAT_ACL
permit 192.168.35.0 0.0.0.255
control-plane
line con 0
stopbits 1
line vty 0 4
login local
transport input ssh
app-hosting appid guestshell
app-vnic gateway1 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.35.102 netmask 255.255.255.0
app-default-gateway 192.168.35.101 guest-interface 0
name-server0 8.8.8.8
end
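An added config audit (written for this page, not code from the thread or from Cisco) that reproduces the diagnosis behind the accepted answer on a constructed excerpt of the running-config posted above: GigabitEthernet2 carries no 'ip nat inside', and the only overload rule is scoped to vrf GS with an ACL for the guestshell subnet, so 10.0.1.0/24 is never translated. Layering the accepted fix on top clears every finding; the function names parse/audit, the interface arguments and both sample strings are assumptions of this example.

```python
import ipaddress
import re

def parse(cfg):
    # Collect per-interface NAT roles, ACL source networks and "ip nat inside source list" rules.
    roles, acls, rules, cur = {}, {}, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = ("if", m.group(1)); roles.setdefault(cur[1], set())
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)$", line):
            cur = ("acl", m.group(1)); acls.setdefault(cur[1], [])
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+)(?: vrf (\S+))?", line):
            rules.append((m.group(1), m.group(2), m.group(3))); cur = None  # (acl, outside-if, vrf|None)
        elif line == "!":
            cur = None  # block separator in a running-config
        elif cur and cur[0] == "if" and line.startswith("ip nat "):
            roles[cur[1]].add(line.split()[2])  # "inside" or "outside"
        elif cur and cur[0] == "acl" and (m := re.match(r"permit (?:ip )?(\d\S*)(?: (\d\S*))?", line)):
            mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(m.group(2) or "0.0.0.0"))  # wildcard -> netmask
            acls[cur[1]].append(ipaddress.ip_network(f"{m.group(1)}/{bin(mask).count('1')}", strict=False))
    return roles, acls, rules

def audit(cfg, inside_if, inside_net, outside_if):
    # Findings that explain why hosts on inside_net get no PAT; [] means overload NAT is fully wired up.
    roles, acls, rules = parse(cfg)
    net, findings = ipaddress.ip_network(inside_net), []
    for ifn, role in ((outside_if, "outside"), (inside_if, "inside")):
        if role not in roles.get(ifn, set()):
            findings.append(f"{ifn} lacks 'ip nat {role}'")
    if not any(vrf is None and out == outside_if and any(net.subnet_of(n) for n in acls.get(acl, []))
               for acl, out, vrf in rules):
        findings.append(f"no global-table overload rule on {outside_if} whose ACL covers {net}")
    return findings

# Constructed excerpt of the running-config posted above: NAT is wired only for the guestshell VRF.
BEFORE = """interface GigabitEthernet1
 ip nat outside
!
interface GigabitEthernet2
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip access-list standard GS_NAT_ACL
 permit 192.168.35.0 0.0.0.255
"""
# The accepted fix layered on top, using the 10.0.1.0/24 inside subnet from the question.
AFTER = BEFORE + """interface GigabitEthernet2
 ip nat inside
ip access-list extended NAT
 permit ip 10.0.1.0 0.0.0.255 any
ip nat inside source list NAT interface GigabitEthernet1 overload
"""
```

Run audit(BEFORE, "GigabitEthernet2", "10.0.1.0/24", "GigabitEthernet1") to see the two findings, and the same call on AFTER to confirm the fix leaves none.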