NAT on a stick with CSR 1000v on Amazon

alanchia2000
Level 1

Hi, 

I would like to set up NAT on a stick. How can I do it on CSR 1000v? Any working examples would be good.

The ip policy route-map command is what people have commonly used to NAT traffic based on destination.

However, the command is not available on CSR 1000v; what can I do about it?

 ip policy route-map Nat-loop

8 Replies

Philip D'Ath
VIP Alumni

Why would you want to do that, when everything leaving and entering via the Internet is already NATed for you by Amazon?

I am using CSR 1000v on Amazon to establish IPSEC VPN tunnels with remote VPN partners.

Some may require us to perform source NATting prior to sending it through the tunnel.

Any advice on how I can do that?

You may be able to use FlexVPN and VTIs.  That would provide you with interfaces to do NAT.  That would be my first choice.

Failing that, a nasty trick that may work (never tried it myself) - create two loopback interfaces.  Build a GRE tunnel from one loopback to another loopback.  Then you can statically route traffic into the GRE tunnel - which will come straight back to you, and use a route-map to do the final forward.  That would let you use "ip nat inside" and "ip nat outside".

Another thought going through my mind is to create an extra vrf "outside", put one loopback into the outside vrf, and then build your GRE tunnel between the inside and outside vrfs.  That will give you two completely separate routing tables, and you won't need any policy routing.

You could also explore doing vrf NAT, which does not require an "ip nat inside" or "ip nat outside".  You can also do vrf nat within a vrf.  Check out the "ip nat enable" command and vrf NAT.

I have a similar requirement and I want to NAT traffic on an AWS transit VPC CSR router, so if anyone has tested this NAT setup, please inform me of the working solution.

alanchia2000
Level 1

Anyone able to advise on this ?

vamikhai
Cisco Employee

Just putting a note here for anybody looking for the solution.

For reference: NAT with crypto map (and other restrictions) is not supported for CSR on AWS -  http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/csraws/awsoverview.pdf

The workaround is to create a VRF for the NAT operation and run VASI between the global table and the VRF. Traffic from the inside local address must be policy-routed (PBR) into the VASI to reach the VRF.

Diagram:

+---------------+ vasiright200
|   CSR1000v    +---------------+
|     vrf X     |               |
+------+--------+               | vasileft200
       | vasiright100           |
       |                +-------+-------+
       |                |   CSR1000v    |
       +----------------+  Global RIB   |
            vasileft100 +------+--------+
                               | physical interface
                        +------+--------+
                        |   AWS cloud   |
                        +---------------+
VRF part:

 interface vasiright100
  vrf forwarding X
  ip address 10.0.1.2 255.255.255.252
  no ip unreachables
  no ip redirects
  ip nat inside
 !
 interface vasiright200
  vrf forwarding X
  ip address 10.0.2.2 255.255.255.252
  no ip unreachables
  no ip redirects
  ip nat outside
 !
 ! host route back toward the inside leg, default toward the outside (NAT) leg
 ip route vrf X <inside local> 255.255.255.255 vasiright100
 ip route vrf X 0.0.0.0 0.0.0.0 vasiright200
 !
 ! match-in-vrf: both NAT legs live in VRF X
 ip nat inside source static <inside local> <inside global> vrf X match-in-vrf

Global part:

 ! return traffic for the inside global address re-enters VRF X via the outside leg
 ip route <inside global> 255.255.255.255 vasileft200

For complex designs you may run BGP between VRFs over VASI interfaces.
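As an added example (not part of vamikhai's post), here is the VASI design above filled out end to end: the global-side VASI interfaces, the PBR that steers the inside host into the VRF, the return route, and the route toward the IPsec peer. The VRF name X, the VASI numbers and the 10.0.1.0/30 and 10.0.2.0/30 point-to-point addresses come from the post and its diagram. Everything else is assumed for illustration: the inside host 10.10.10.10 on GigabitEthernet2, the inside global address 192.0.2.10 (an RFC 5737 documentation address standing in for whatever the VPN partner expects to see), the partner network 172.16.0.0/16, the AWS subnet next hop 10.1.1.254, and the names NAT-CANDIDATES and NAT-LOOP. It also assumes ip policy route-map is available on the CSR 1000v image and licence in use.

```cisco
! Added example, not the post's own config. Assumed values: inside host
! 10.10.10.10 on GigabitEthernet2, inside global 192.0.2.10 (RFC 5737 address),
! partner network 172.16.0.0/16 behind the IPsec peer, AWS subnet next hop
! 10.1.1.254, and the names NAT-CANDIDATES / NAT-LOOP.
vrf definition X
 address-family ipv4
 exit-address-family
!
! Global side of both VASI pairs (the post only shows the VRF side).
interface vasileft100
 ip address 10.0.1.1 255.255.255.252
 no ip unreachables
 no ip redirects
!
interface vasileft200
 ip address 10.0.2.1 255.255.255.252
 no ip unreachables
 no ip redirects
!
! VRF side, where the translation actually happens.
interface vasiright100
 vrf forwarding X
 ip address 10.0.1.2 255.255.255.252
 no ip unreachables
 no ip redirects
 ip nat inside
!
interface vasiright200
 vrf forwarding X
 ip address 10.0.2.2 255.255.255.252
 no ip unreachables
 no ip redirects
 ip nat outside
!
! One-to-one translation performed entirely inside VRF X; match-in-vrf is what
! lets the inside and outside legs both live in the same VRF.
ip nat inside source static 10.10.10.10 192.0.2.10 vrf X match-in-vrf
!
! VRF X routing: de-translated return traffic goes back to global via the inside
! leg; everything else leaves via the outside leg, where NAT is applied.
ip route vrf X 10.10.10.10 255.255.255.255 vasiright100
ip route vrf X 0.0.0.0 0.0.0.0 vasiright200
!
! Global routing: translated partner-bound traffic heads for the IPsec peer
! (crypto map on the physical interface not shown); replies addressed to the
! inside global address re-enter VRF X through the outside leg.
ip route 172.16.0.0 255.255.0.0 10.1.1.254
ip route 192.0.2.10 255.255.255.255 vasileft200
!
! PBR on the LAN-facing interface steers only partner-bound packets from the
! inside host into VRF X. A plain global static route for 172.16.0.0/16 via
! vasileft100 would not do: the translated packet comes back into global via
! vasileft200, would match that route again and loop. PBR is evaluated only on
! GigabitEthernet2 ingress, so the returning packet is not steered twice.
ip access-list extended NAT-CANDIDATES
 permit ip host 10.10.10.10 172.16.0.0 0.0.255.255
!
route-map NAT-LOOP permit 10
 match ip address NAT-CANDIDATES
 set ip next-hop 10.0.1.2
!
interface GigabitEthernet2
 ip policy route-map NAT-LOOP
```

Two things to check once this is in place. First, the crypto map's interesting-traffic ACL on the physical interface must match the translated source (192.0.2.10 here), not 10.10.10.10, because the packet has already been through the VASI hairpin by the time the crypto map sees it. Second, show ip nat translations vrf X should list the static entry plus per-flow entries as the inside host sends, and show route-map NAT-LOOP should show its policy-match counter increasing; if the counter stays at zero, the traffic never entered the VRF and is reaching the peer untranslated. The two static routes that cross the VASI pairs are the ones the post suggests replacing with BGP in larger designs.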

Does the "No NAT with crypto" limitation apply only in this "NAT on a Stick" situation? The document states "You cannot apply NAT PAT on the same interface that is configured with a crypto map", but in my case, I have a second interface which is my `nat inside`.

I have AWS VPCs X and Y connected to my VPC A's CSR 1000v via IPsec/AWS VPN Gateway and I would like to have all traffic destined for the internet from VPC X and Y go through the 1000v in VPC A. Is this possible?

I don't think the "No NAT with crypto" option applies if you're using two interfaces. Like you said, the crypto map is only attached to the outside interface.
We had a configuration need similar to yours, cbbristol, except that our CSR and endpoints in AWS were in the same VPC and needed to connect through an IPsec tunnel to a remote ASA. We needed to NAT the two interfaces so they could communicate with our endpoint's Elastic IP. Here's a basic config outline:

Fake endpoint (203.0.113.10 is an RFC 5737 documentation address standing in for the real Elastic IP):

 private IP: 10.2.1.10
 Elastic IP: 203.0.113.10

CSR:

 ! /24 masks assumed; the outline omitted them
 interface GigabitEthernet1
  ip address 10.1.1.1 255.255.255.0
  negotiation auto
  ip nat outside
  crypto map your_map
 !
 interface GigabitEthernet2
  ip address 10.2.1.1 255.255.255.0
  negotiation auto
  ip nat inside
 !
 ! translate the endpoint only when it talks toward the 10.1.1.0/24 side
 access-list 100 permit ip host 10.2.1.10 10.1.1.0 0.0.0.255
 !
 route-map topartners permit 10
  match ip address 100
 !
 ip nat inside source static 10.2.1.10 203.0.113.10 route-map topartners

This worked for us. Also, apparently even though your outside interface is configured with its private IP, a remote router can still send traffic using your CSR's Elastic IP and your endpoint's Elastic IP. I guess AWS takes care of that translation.