
AWS Site to Site VPN

gcarson73
Level 1

I have an AWS site to site VPN set up but cannot access the instances in AWS.  The router used to connect the AWS Site to Site is a Cisco 2951, IOS 15.5. 

 

Private subnet on Cisco Router is 10.3.81.0/24

Private subnet for AWS is 10.2.10.0/24.

 

From Windows, tracert 10.2.10.19 fails at first hop.  

 

AWS support states the site to site is setup correctly and working, and they will provide no guidance on what I need to do on my router, any idea?


Here is the link on how to configure static route on AWS site.

https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-create-vpn-connection

Here is config

Building configuration...


Current configuration : 12181 bytes
!
! Last configuration change at 18:43:32 UTC Mon Dec 16 2019 by gcarson
!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname tssrouter
!
boot-start-marker
boot system flash:c2951-universalk9-mz.SPA.155-3.M5.bin
boot-end-marker
!
!
no logging rate-limit
enable secret 5 $1$IewY$MkgHJAwTKF7sLRw7K1AsJ1
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
!
!
!
!
!
!
!
!
ip icmp rate-limit unreachable 1200 log 1200 12000
ip icmp rate-limit unreachable DF 1200 log 1200 12000
!
!
!
!
!
!
no ip domain lookup
ip domain name tss.tssgis.com
ip name-server 66.96.80.43
ip name-server 66.96.80.194
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
license udi pid CISCO2951/K9 sn FGL170811RR
!
!
username gcarson privilege 15 secret 5 $1$lmGj$6aw5hzb6505AIrcxqc.8t1
!
redundancy
!
!
!
!
no cdp run
!
track 100 ip sla 100 reachability
!
track 200 ip sla 200 reachability
!
!
crypto keyring keyring-vpn-04ca814ee4fe4c7a2-1
local-address 12.34.141.178
pre-shared-key address 12.34.2.64 key z5MDQK5twLl384G0Kgd3Zf58eSbwkwEj
crypto keyring keyring-vpn-04ca814ee4fe4c7a2-0
local-address 12.34.141.178
pre-shared-key address 12.34.181.185 key Fm6kdhwKHqhuEPln2dlxEb6VEbDlo._o
!
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 201
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-04ca814ee4fe4c7a2-0
keyring keyring-vpn-04ca814ee4fe4c7a2-0
match identity address 12.34.181.185 255.255.255.255
local-address 12.34.141.178
crypto isakmp profile isakmp-vpn-04ca814ee4fe4c7a2-1
keyring keyring-vpn-04ca814ee4fe4c7a2-1
match identity address 12.34.2.64 255.255.255.255
local-address 12.34.141.178
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-04ca814ee4fe4c7a2-0 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set ipsec-prop-vpn-04ca814ee4fe4c7a2-1 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-04ca814ee4fe4c7a2-0
set transform-set ipsec-prop-vpn-04ca814ee4fe4c7a2-0
set pfs group2
!
crypto ipsec profile ipsec-vpn-04ca814ee4fe4c7a2-1
set transform-set ipsec-prop-vpn-04ca814ee4fe4c7a2-1
set pfs group2
!
!
!
!
!
!
interface Tunnel1
ip address 169.254.182.98 255.255.255.252
ip virtual-reassembly in
ip tcp adjust-mss 1379
tunnel source 12.34.141.178
tunnel mode ipsec ipv4
tunnel destination 12.34.181.185
tunnel protection ipsec profile ipsec-vpn-04ca814ee4fe4c7a2-0
!
interface Tunnel2
ip address 169.254.193.230 255.255.255.252
ip virtual-reassembly in
ip tcp adjust-mss 1379
tunnel source 12.34.141.178
tunnel mode ipsec ipv4
tunnel destination 12.34.2.64
tunnel protection ipsec profile ipsec-vpn-04ca814ee4fe4c7a2-1
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description internet
ip address 12.34.141.178 255.255.255.240
ip access-group inbound in
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly in drop-fragments max-reassemblies 1000
duplex auto
speed auto
!
interface GigabitEthernet0/1
description TSSLAN
ip address 10.3.81.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly in max-reassemblies 1000
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
no ip unreachables
ip nat inside
ip virtual-reassembly in max-reassemblies 1000
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.3.81.5 443 12.34.141.179 443 extendable
ip nat inside source static udp 10.3.81.5 500 12.34.141.179 500 extendable
ip nat inside source static tcp 10.3.81.5 992 12.34.141.179 992 extendable
ip nat inside source static tcp 10.3.81.5 1194 12.34.141.179 1194 extendable
ip nat inside source static udp 10.3.81.5 1701 12.34.141.179 1701 extendable
ip nat inside source static udp 10.3.81.5 4500 12.34.141.179 4500 extendable
ip nat inside source static tcp 10.3.81.5 5555 12.34.141.179 5555 extendable
ip nat inside source static tcp 10.3.81.7 20 12.34.141.180 20 extendable
ip nat inside source static tcp 10.3.81.7 21 12.34.141.180 21 extendable
ip nat inside source static tcp 10.3.81.9 443 12.34.141.180 443 extendable
ip nat inside source static tcp 10.3.81.7 990 12.34.141.180 990 extendable
ip nat inside source static tcp 10.3.81.7 50000 12.34.141.180 50000 extendable
ip nat inside source static tcp 10.3.81.7 50001 12.34.141.180 50001 extendable
ip nat inside source static tcp 10.3.81.7 50002 12.34.141.180 50002 extendable
ip nat inside source static tcp 10.3.81.7 50003 12.34.141.180 50003 extendable
ip nat inside source static tcp 10.3.81.7 50004 12.34.141.180 50004 extendable
ip nat inside source static tcp 10.3.81.7 50005 12.34.141.180 50005 extendable
ip nat inside source static tcp 10.3.81.7 50006 12.34.141.180 50006 extendable
ip nat inside source static tcp 10.3.81.7 50007 12.34.141.180 50007 extendable
ip nat inside source static tcp 10.3.81.7 50008 12.34.141.180 50008 extendable
ip nat inside source static tcp 10.3.81.7 50009 12.34.141.180 50009 extendable
ip nat inside source static tcp 10.3.81.7 50010 12.34.141.180 50010 extendable
ip nat inside source static tcp 10.3.81.7 50011 12.34.141.180 50011 extendable
ip nat inside source static tcp 10.3.81.7 50012 12.34.141.180 50012 extendable
ip nat inside source static tcp 10.3.81.7 50013 12.34.141.180 50013 extendable
ip nat inside source static tcp 10.3.81.7 50014 12.34.141.180 50014 extendable
ip nat inside source static tcp 10.3.81.7 50015 12.34.141.180 50015 extendable
ip nat inside source static tcp 10.3.81.7 50016 12.34.141.180 50016 extendable
ip nat inside source static tcp 10.3.81.7 50017 12.34.141.180 50017 extendable
ip nat inside source static tcp 10.3.81.7 50018 12.34.141.180 50018 extendable
ip nat inside source static tcp 10.3.81.7 50019 12.34.141.180 50019 extendable
ip nat inside source static tcp 10.3.81.7 50020 12.34.141.180 50020 extendable
ip nat inside source static tcp 10.3.81.7 50021 12.34.141.180 50021 extendable
ip nat inside source static tcp 10.3.81.7 50022 12.34.141.180 50022 extendable
ip nat inside source static tcp 10.3.81.7 50023 12.34.141.180 50023 extendable
ip nat inside source static tcp 10.3.81.7 50024 12.34.141.180 50024 extendable
ip nat inside source static tcp 10.3.81.7 50025 12.34.141.180 50025 extendable
ip nat inside source static tcp 10.3.81.7 50026 12.34.141.180 50026 extendable
ip nat inside source static tcp 10.3.81.7 50027 12.34.141.180 50027 extendable
ip nat inside source static tcp 10.3.81.7 50028 12.34.141.180 50028 extendable
ip nat inside source static tcp 10.3.81.7 50029 12.34.141.180 50029 extendable
ip nat inside source static tcp 10.3.81.7 50030 12.34.141.180 50030 extendable
ip nat inside source static tcp 10.3.81.7 50031 12.34.141.180 50031 extendable
ip nat inside source static tcp 10.3.81.7 50032 12.34.141.180 50032 extendable
ip nat inside source static tcp 10.3.81.7 50033 12.34.141.180 50033 extendable
ip nat inside source static tcp 10.3.81.7 50034 12.34.141.180 50034 extendable
ip nat inside source static tcp 10.3.81.7 50035 12.34.141.180 50035 extendable
ip nat inside source static tcp 10.3.81.7 50036 12.34.141.180 50036 extendable
ip nat inside source static tcp 10.3.81.7 50037 12.34.141.180 50037 extendable
ip nat inside source static tcp 10.3.81.7 50038 12.34.141.180 50038 extendable
ip nat inside source static tcp 10.3.81.7 50039 12.34.141.180 50039 extendable
ip nat inside source static tcp 10.3.81.7 50040 12.34.141.180 50040 extendable
ip nat inside source static tcp 10.3.81.7 50041 12.34.141.180 50041 extendable
ip nat inside source static tcp 10.3.81.7 50042 12.34.141.180 50042 extendable
ip nat inside source static tcp 10.3.81.7 50043 12.34.141.180 50043 extendable
ip nat inside source static tcp 10.3.81.7 50044 12.34.141.180 50044 extendable
ip nat inside source static tcp 10.3.81.7 50045 12.34.141.180 50045 extendable
ip nat inside source static tcp 10.3.81.7 50046 12.34.141.180 50046 extendable
ip nat inside source static tcp 10.3.81.7 50047 12.34.141.180 50047 extendable
ip nat inside source static tcp 10.3.81.7 50048 12.34.141.180 50048 extendable
ip nat inside source static tcp 10.3.81.7 50049 12.34.141.180 50049 extendable
ip nat inside source static tcp 10.3.81.7 50050 12.34.141.180 50050 extendable
ip nat inside source static tcp 10.3.81.6 443 12.34.141.181 443 extendable
ip nat inside source static tcp 10.3.81.61 80 12.34.141.182 80 extendable
ip nat inside source static tcp 10.3.81.61 443 12.34.141.182 443 extendable
ip nat inside source static tcp 10.3.81.104 80 12.34.141.183 80 extendable
ip nat inside source static tcp 10.3.81.104 443 12.34.141.183 443 extendable
ip nat inside source static tcp 10.3.81.16 443 12.34.141.184 443 extendable
ip nat inside source static tcp 10.3.81.98 3389 12.34.141.184 3389 extendable
ip nat inside source static tcp 10.3.81.73 80 12.34.141.185 80 extendable
ip nat inside source static tcp 10.3.81.73 443 12.34.141.185 443 extendable
ip nat inside source static tcp 10.3.81.59 443 12.34.141.186 443 extendable
ip nat inside source static tcp 10.3.81.110 80 12.34.141.187 80 extendable
ip nat inside source static tcp 10.3.81.110 443 12.34.141.187 443 extendable
ip nat inside source static tcp 10.3.81.76 3389 12.34.141.187 3389 extendable
ip nat inside source static tcp 10.3.81.76 8080 12.34.141.187 8080 extendable
ip nat inside source static tcp 10.3.81.92 80 12.34.141.188 80 extendable
ip nat inside source static tcp 10.3.81.92 443 12.34.141.188 443 extendable
ip nat inside source static tcp 10.3.81.38 443 12.34.141.189 443 extendable
ip nat inside source static tcp 10.3.81.79 443 12.34.141.190 443 extendable
ip route 10.2.0.0 255.255.0.0 Tunnel1 track 100
ip route 10.2.0.0 255.255.0.0 Tunnel2 track 200
ip route 0.0.0.0 0.0.0.0 12.34.141.177
!
ip access-list extended blockvty
permit ip host 12.34.12.83 any
permit ip 10.3.81.0 0.0.0.255 any
deny ip any any
ip access-list extended inbound
deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
permit icmp 12.34.12.82 0.0.0.1 any
deny ip any any fragments
deny icmp any any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 0.0.0.0 any
permit ip any any
!
ip sla 100
icmp-echo 169.254.182.97 source-interface Tunnel1
frequency 5
ip sla schedule 100 life forever start-time now
ip sla 200
icmp-echo 169.254.193.229 source-interface Tunnel2
frequency 5
ip sla schedule 200 life forever start-time now
logging trap debugging
logging host 10.3.81.77
arp 10.3.81.43 03bf.0a03.512b ARPA
arp 10.3.81.42 03bf.0a03.512a ARPA
!
nls resp-timeout 1
cpd cr-id 1
!
access-list 1 permit 10.3.81.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
banner exec ^C
*** Ensure that you update the system configuration ***
*** documentation after making system changes. ***
^C
banner login ^C
*** Login Required. Unauthorized use is prohibited ***
^C
banner motd ^C
If you have not been provided with permission to
access this device - disconnect at once.
^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class blockvty in
transport input ssh
!
scheduler allocate 20000 1000
ntp server 64.90.182.55
!
end

tssrouter#

[Attachment: aws.JPG]

My issue is that no traffic will come out of Tunnel1 on my CISCO router. When I try and do a tracert from Windows in AWS, it stops after reaching Tunnel1. This is NOT an AWS issue.

Hello,

 

post the output of 'show ip route' from your router...

tssrouter#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 12.123.141.177 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 12.123.141.177
10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
S 10.2.0.0/16 is directly connected, Tunnel2
is directly connected, Tunnel1
C 10.3.81.0/24 is directly connected, GigabitEthernet0/1
L 10.3.81.1/32 is directly connected, GigabitEthernet0/1
23.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
C 12.123.141.176/28 is directly connected, GigabitEthernet0/0
L 12.123.141.178/32 is directly connected, GigabitEthernet0/0
L 12.123.141.179/32 is directly connected, GigabitEthernet0/0
L 12.123.141.180/32 is directly connected, GigabitEthernet0/0
L 12.123.141.181/32 is directly connected, GigabitEthernet0/0
L 12.123.141.182/32 is directly connected, GigabitEthernet0/0
L 12.123.141.183/32 is directly connected, GigabitEthernet0/0
L 12.123.141.184/32 is directly connected, GigabitEthernet0/0
L 12.123.141.185/32 is directly connected, GigabitEthernet0/0
L 12.123.141.186/32 is directly connected, GigabitEthernet0/0
L 12.123.141.187/32 is directly connected, GigabitEthernet0/0
L 12.123.141.188/32 is directly connected, GigabitEthernet0/0
L 12.123.141.189/32 is directly connected, GigabitEthernet0/0
L 12.123.141.190/32 is directly connected, GigabitEthernet0/0
169.254.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 169.254.182.96/30 is directly connected, Tunnel1
L 169.254.182.98/32 is directly connected, Tunnel1
C 169.254.193.228/30 is directly connected, Tunnel2
L 169.254.193.230/32 is directly connected, Tunnel2

Hello,

 

the way you have your IP SLAs and the tracking configured, both routes are being installed. What you want is Tunnel 2 to be the backup of Tunnel 1. So you need just one SLA. Make the changes/adjustments marked with --> below (the second track, the second SLA and its schedule are removed):

 

Current configuration : 12181 bytes
!
! Last configuration change at 18:43:32 UTC Mon Dec 16 2019 by gcarson
!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname tssrouter
!
boot-start-marker
boot system flash:c2951-universalk9-mz.SPA.155-3.M5.bin
boot-end-marker
!
no logging rate-limit
enable secret 5 $1$IewY$MkgHJAwTKF7sLRw7K1AsJ1
!
aaa new-model
!
aaa session-id common
ethernet lmi ce
!
ip icmp rate-limit unreachable 1200 log 1200 12000
ip icmp rate-limit unreachable DF 1200 log 1200 12000
!
no ip domain lookup
ip domain name tss.tssgis.com
ip name-server 66.96.80.43
ip name-server 66.96.80.194
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
license udi pid CISCO2951/K9 sn FGL170811RR
!
username gcarson privilege 15 secret 5 $1$lmGj$6aw5hzb6505AIrcxqc.8t1
!
redundancy
!
no cdp run
!
track 100 ip sla 100 reachability
!
crypto keyring keyring-vpn-04ca814ee4fe4c7a2-1
local-address 12.34.141.178
pre-shared-key address 12.34.2.64 key z5MDQK5twLl384G0Kgd3Zf58eSbwkwEj
crypto keyring keyring-vpn-04ca814ee4fe4c7a2-0
local-address 12.34.141.178
pre-shared-key address 12.34.181.185 key Fm6kdhwKHqhuEPln2dlxEb6VEbDlo._o
!
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 201
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-04ca814ee4fe4c7a2-0
keyring keyring-vpn-04ca814ee4fe4c7a2-0
match identity address 12.34.181.185 255.255.255.255
local-address 12.34.141.178
crypto isakmp profile isakmp-vpn-04ca814ee4fe4c7a2-1
keyring keyring-vpn-04ca814ee4fe4c7a2-1
match identity address 12.34.2.64 255.255.255.255
local-address 12.34.141.178
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-04ca814ee4fe4c7a2-0 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set ipsec-prop-vpn-04ca814ee4fe4c7a2-1 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-vpn-04ca814ee4fe4c7a2-0
set transform-set ipsec-prop-vpn-04ca814ee4fe4c7a2-0
set pfs group2
!
crypto ipsec profile ipsec-vpn-04ca814ee4fe4c7a2-1
set transform-set ipsec-prop-vpn-04ca814ee4fe4c7a2-1
set pfs group2
!
interface Tunnel1
ip address 169.254.182.98 255.255.255.252
ip virtual-reassembly in
ip tcp adjust-mss 1379
tunnel source 12.34.141.178
tunnel mode ipsec ipv4
tunnel destination 12.34.181.185
tunnel protection ipsec profile ipsec-vpn-04ca814ee4fe4c7a2-0
!
interface Tunnel2
ip address 169.254.193.230 255.255.255.252
ip virtual-reassembly in
ip tcp adjust-mss 1379
tunnel source 12.34.141.178
tunnel mode ipsec ipv4
tunnel destination 12.34.2.64
tunnel protection ipsec profile ipsec-vpn-04ca814ee4fe4c7a2-1
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description internet
ip address 12.34.141.178 255.255.255.240
ip access-group inbound in
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly in drop-fragments max-reassemblies 1000
duplex auto
speed auto
!
interface GigabitEthernet0/1
description TSSLAN
ip address 10.3.81.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly in max-reassemblies 1000
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
no ip unreachables
ip nat inside
ip virtual-reassembly in max-reassemblies 1000
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.3.81.5 443 12.34.141.179 443 extendable
ip nat inside source static udp 10.3.81.5 500 12.34.141.179 500 extendable
ip nat inside source static tcp 10.3.81.5 992 12.34.141.179 992 extendable
ip nat inside source static tcp 10.3.81.5 1194 12.34.141.179 1194 extendable
ip nat inside source static udp 10.3.81.5 1701 12.34.141.179 1701 extendable
ip nat inside source static udp 10.3.81.5 4500 12.34.141.179 4500 extendable
ip nat inside source static tcp 10.3.81.5 5555 12.34.141.179 5555 extendable
ip nat inside source static tcp 10.3.81.7 20 12.34.141.180 20 extendable
ip nat inside source static tcp 10.3.81.7 21 12.34.141.180 21 extendable
ip nat inside source static tcp 10.3.81.9 443 12.34.141.180 443 extendable
ip nat inside source static tcp 10.3.81.7 990 12.34.141.180 990 extendable
ip nat inside source static tcp 10.3.81.7 50000 12.34.141.180 50000 extendable
ip nat inside source static tcp 10.3.81.7 50001 12.34.141.180 50001 extendable
ip nat inside source static tcp 10.3.81.7 50002 12.34.141.180 50002 extendable
ip nat inside source static tcp 10.3.81.7 50003 12.34.141.180 50003 extendable
ip nat inside source static tcp 10.3.81.7 50004 12.34.141.180 50004 extendable
ip nat inside source static tcp 10.3.81.7 50005 12.34.141.180 50005 extendable
ip nat inside source static tcp 10.3.81.7 50006 12.34.141.180 50006 extendable
ip nat inside source static tcp 10.3.81.7 50007 12.34.141.180 50007 extendable
ip nat inside source static tcp 10.3.81.7 50008 12.34.141.180 50008 extendable
ip nat inside source static tcp 10.3.81.7 50009 12.34.141.180 50009 extendable
ip nat inside source static tcp 10.3.81.7 50010 12.34.141.180 50010 extendable
ip nat inside source static tcp 10.3.81.7 50011 12.34.141.180 50011 extendable
ip nat inside source static tcp 10.3.81.7 50012 12.34.141.180 50012 extendable
ip nat inside source static tcp 10.3.81.7 50013 12.34.141.180 50013 extendable
ip nat inside source static tcp 10.3.81.7 50014 12.34.141.180 50014 extendable
ip nat inside source static tcp 10.3.81.7 50015 12.34.141.180 50015 extendable
ip nat inside source static tcp 10.3.81.7 50016 12.34.141.180 50016 extendable
ip nat inside source static tcp 10.3.81.7 50017 12.34.141.180 50017 extendable
ip nat inside source static tcp 10.3.81.7 50018 12.34.141.180 50018 extendable
ip nat inside source static tcp 10.3.81.7 50019 12.34.141.180 50019 extendable
ip nat inside source static tcp 10.3.81.7 50020 12.34.141.180 50020 extendable
ip nat inside source static tcp 10.3.81.7 50021 12.34.141.180 50021 extendable
ip nat inside source static tcp 10.3.81.7 50022 12.34.141.180 50022 extendable
ip nat inside source static tcp 10.3.81.7 50023 12.34.141.180 50023 extendable
ip nat inside source static tcp 10.3.81.7 50024 12.34.141.180 50024 extendable
ip nat inside source static tcp 10.3.81.7 50025 12.34.141.180 50025 extendable
ip nat inside source static tcp 10.3.81.7 50026 12.34.141.180 50026 extendable
ip nat inside source static tcp 10.3.81.7 50027 12.34.141.180 50027 extendable
ip nat inside source static tcp 10.3.81.7 50028 12.34.141.180 50028 extendable
ip nat inside source static tcp 10.3.81.7 50029 12.34.141.180 50029 extendable
ip nat inside source static tcp 10.3.81.7 50030 12.34.141.180 50030 extendable
ip nat inside source static tcp 10.3.81.7 50031 12.34.141.180 50031 extendable
ip nat inside source static tcp 10.3.81.7 50032 12.34.141.180 50032 extendable
ip nat inside source static tcp 10.3.81.7 50033 12.34.141.180 50033 extendable
ip nat inside source static tcp 10.3.81.7 50034 12.34.141.180 50034 extendable
ip nat inside source static tcp 10.3.81.7 50035 12.34.141.180 50035 extendable
ip nat inside source static tcp 10.3.81.7 50036 12.34.141.180 50036 extendable
ip nat inside source static tcp 10.3.81.7 50037 12.34.141.180 50037 extendable
ip nat inside source static tcp 10.3.81.7 50038 12.34.141.180 50038 extendable
ip nat inside source static tcp 10.3.81.7 50039 12.34.141.180 50039 extendable
ip nat inside source static tcp 10.3.81.7 50040 12.34.141.180 50040 extendable
ip nat inside source static tcp 10.3.81.7 50041 12.34.141.180 50041 extendable
ip nat inside source static tcp 10.3.81.7 50042 12.34.141.180 50042 extendable
ip nat inside source static tcp 10.3.81.7 50043 12.34.141.180 50043 extendable
ip nat inside source static tcp 10.3.81.7 50044 12.34.141.180 50044 extendable
ip nat inside source static tcp 10.3.81.7 50045 12.34.141.180 50045 extendable
ip nat inside source static tcp 10.3.81.7 50046 12.34.141.180 50046 extendable
ip nat inside source static tcp 10.3.81.7 50047 12.34.141.180 50047 extendable
ip nat inside source static tcp 10.3.81.7 50048 12.34.141.180 50048 extendable
ip nat inside source static tcp 10.3.81.7 50049 12.34.141.180 50049 extendable
ip nat inside source static tcp 10.3.81.7 50050 12.34.141.180 50050 extendable
ip nat inside source static tcp 10.3.81.6 443 12.34.141.181 443 extendable
ip nat inside source static tcp 10.3.81.61 80 12.34.141.182 80 extendable
ip nat inside source static tcp 10.3.81.61 443 12.34.141.182 443 extendable
ip nat inside source static tcp 10.3.81.104 80 12.34.141.183 80 extendable
ip nat inside source static tcp 10.3.81.104 443 12.34.141.183 443 extendable
ip nat inside source static tcp 10.3.81.16 443 12.34.141.184 443 extendable
ip nat inside source static tcp 10.3.81.98 3389 12.34.141.184 3389 extendable
ip nat inside source static tcp 10.3.81.73 80 12.34.141.185 80 extendable
ip nat inside source static tcp 10.3.81.73 443 12.34.141.185 443 extendable
ip nat inside source static tcp 10.3.81.59 443 12.34.141.186 443 extendable
ip nat inside source static tcp 10.3.81.110 80 12.34.141.187 80 extendable
ip nat inside source static tcp 10.3.81.110 443 12.34.141.187 443 extendable
ip nat inside source static tcp 10.3.81.76 3389 12.34.141.187 3389 extendable
ip nat inside source static tcp 10.3.81.76 8080 12.34.141.187 8080 extendable
ip nat inside source static tcp 10.3.81.92 80 12.34.141.188 80 extendable
ip nat inside source static tcp 10.3.81.92 443 12.34.141.188 443 extendable
ip nat inside source static tcp 10.3.81.38 443 12.34.141.189 443 extendable
ip nat inside source static tcp 10.3.81.79 443 12.34.141.190 443 extendable
ip route 10.2.0.0 255.255.0.0 Tunnel1 track 100
--> ip route 10.2.0.0 255.255.0.0 Tunnel2 200
ip route 0.0.0.0 0.0.0.0 12.34.141.177
!
ip access-list extended blockvty
permit ip host 12.34.12.83 any
permit ip 10.3.81.0 0.0.0.255 any
deny ip any any
ip access-list extended inbound
deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
permit icmp 12.34.12.82 0.0.0.1 any
deny ip any any fragments
deny icmp any any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 0.0.0.0 any
permit ip any any
!
ip sla 100
icmp-echo 169.254.182.97 source-interface Tunnel1
frequency 5
ip sla schedule 100 life forever start-time now
!
logging trap debugging
logging host 10.3.81.77
arp 10.3.81.43 03bf.0a03.512b ARPA
arp 10.3.81.42 03bf.0a03.512a ARPA
!
nls resp-timeout 1
cpd cr-id 1
!
access-list 1 permit 10.3.81.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
gatekeeper
shutdown
!
banner exec ^C
*** Ensure that you update the system configuration ***
*** documentation after making system changes. ***
^C
banner login ^C
*** Login Required. Unauthorized use is prohibited ***
^C
banner motd ^C
If you have not been provided with permission to
access this device - disconnect at once.
^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class blockvty in
transport input ssh
!
scheduler allocate 20000 1000
ntp server 64.90.182.55
!
end

I will make the changes and let you know

 

I applied those changes, but same results.  I can access AWS from On-Prem, but not the reverse.

Hello,

 

when you do a 'show ip route' it should show just the route through Tunnel 1, is that the case ? Otherwise, shut the Tunnel 2 interface...

 

interface Tunnel 2

shutdown

Also, try and disable the access list on interface GigabitEthernet0/0

 

interface GigabitEthernet0/0
description internet
ip address 12.34.141.178 255.255.255.240
--> no ip access-group inbound in
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly in drop-fragments max-reassemblies 1000
duplex auto
speed auto
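The two points made in the replies above, that two static routes for one prefix at the same administrative distance are both installed while their tracks are up, and that 'show ip route' should afterwards list only the Tunnel1 path, can be checked mechanically. The following Python script is an added example, not code from this thread or from Cisco: it parses 'ip route' statements (assumed to follow the IOS syntax 'ip route PREFIX MASK NEXTHOP [NEXTHOP-IP] [DISTANCE] [track N]'; the 'name' and 'tag' options are not handled) and a 'show ip route' excerpt, both constructed here to mirror the configuration and output posted above, and flags any prefix that ends up with more than one installed path.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the posted configuration: two static routes
# for one prefix, both at the default distance of 1, each tied to a track.
# While both tracks are up, both routes are installed and traffic load-shares.
CONFIG_BEFORE = """\
ip route 10.2.0.0 255.255.0.0 Tunnel1 track 100
ip route 10.2.0.0 255.255.0.0 Tunnel2 track 200
ip route 0.0.0.0 0.0.0.0 12.34.141.177
"""

# Constructed sample of the floating-static form suggested in the thread: the
# backup route carries distance 200 and is only installed once the tracked
# primary route has been withdrawn.
CONFIG_AFTER = """\
ip route 10.2.0.0 255.255.0.0 Tunnel1 track 100
ip route 10.2.0.0 255.255.0.0 Tunnel2 200
ip route 0.0.0.0 0.0.0.0 12.34.141.177
"""

# Constructed 'show ip route' excerpt in the layout IOS uses for an equal-cost
# static route: the second path appears on an indented continuation line.
SHOW_IP_ROUTE = """\
Gateway of last resort is 12.123.141.177 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 12.123.141.177
      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
S        10.2.0.0/16 is directly connected, Tunnel2
                     is directly connected, Tunnel1
C        10.3.81.0/24 is directly connected, GigabitEthernet0/1
L        10.3.81.1/32 is directly connected, GigabitEthernet0/1
      169.254.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        169.254.182.96/30 is directly connected, Tunnel1
L        169.254.182.98/32 is directly connected, Tunnel1
C        169.254.193.228/30 is directly connected, Tunnel2
L        169.254.193.230/32 is directly connected, Tunnel2
"""

# Assumed syntax: ip route PREFIX MASK NEXTHOP [NEXTHOP-IP] [DISTANCE] [track N]
STATIC_ROUTE_RE = re.compile(
    r"^ip route (?P<prefix>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+\.\d+\.\d+\.\d+)"
    r" (?P<nexthop>\S+)(?: (?P<nexthop_ip>\d+\.\d+\.\d+\.\d+))?"
    r"(?: (?P<distance>\d+))?(?: track (?P<track>\d+))?\s*$"
)
DEFAULT_STATIC_DISTANCE = 1  # IOS default for a static route

# A routing-table entry starts with a code letter (S, S*, C, L, O IA, ...).
ENTRY_RE = re.compile(
    r"^(?P<code>[A-Za-z*]\S*(?: [A-Z][A-Z0-9]+)?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$"
)


def parse_static_routes(config):
    """Return one dict per 'ip route' statement found in a running-config."""
    routes = []
    for line in config.splitlines():
        m = STATIC_ROUTE_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['prefix']}/{m['mask']}", strict=False)
        routes.append({
            "prefix": net.with_prefixlen,
            "nexthop": m["nexthop"],
            "distance": int(m["distance"]) if m["distance"] else DEFAULT_STATIC_DISTANCE,
            "track": int(m["track"]) if m["track"] else None,
        })
    return routes


def equal_cost_prefixes(routes):
    """Prefixes that get more than one path installed when every track is up.

    All routes sharing the lowest administrative distance for a prefix are
    installed together; only a higher distance makes a route a backup.
    """
    by_prefix = defaultdict(list)
    for r in routes:
        by_prefix[r["prefix"]].append(r)
    flagged = {}
    for prefix, entries in by_prefix.items():
        best = min(e["distance"] for e in entries)
        paths = [e["nexthop"] for e in entries if e["distance"] == best]
        if len(paths) > 1:
            flagged[prefix] = paths
    return flagged


def _path(text):
    """Next hop or outgoing interface named in one routing-table line."""
    m = re.search(r"via (\d+\.\d+\.\d+\.\d+)", text)
    if m is None:
        m = re.search(r"directly connected, (\S+)", text)
    return m.group(1) if m else None


def installed_paths(show_ip_route):
    """Map each prefix in 'show ip route' output to its installed paths."""
    paths = {}
    current = None
    for line in show_ip_route.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m["prefix"]
            first = _path(m["rest"])
            paths[current] = [first] if first else []
        elif line[:1].isspace() and current and _path(line):
            paths[current].append(_path(line))  # continuation line: extra path
    return paths


def multipath_prefixes(show_ip_route):
    """Prefixes the router is currently load-sharing across several paths."""
    return sorted(p for p, v in installed_paths(show_ip_route).items() if len(v) > 1)
```

Running 'equal_cost_prefixes(parse_static_routes(CONFIG_BEFORE))' reports 10.2.0.0/16 with both tunnels, the condition the reply describes; the same call on CONFIG_AFTER reports nothing, and 'multipath_prefixes' applied to a fresh 'show ip route' capture is the check the follow-up asks for: an empty result means only one path is installed.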

I have removed the access list (no ip access-group inbound in) with every test.

 

I do have a firewall that is between the router and servers turned off. I also have Windows Firewall (on both computers) turned off.

 

I disabled Tunnel2, same results. I can ping and RDP to 10.2.10.19 (AWS) from On Prem 10.3.81.2. I cannot ping or RDP to 10.3.81.2 (On Prem) from AWS 10.2.10.19. Request times out after 169.254.182.98 (Tunnel1 on Cisco Router).


The issue was with my SonicWall, being used as a firewall between my Cisco router and ESXi servers. (Even though I allowed all access in the firewall rules, other security settings were blocking the traffic from AWS (10.2.0.0 traffic).)

 

Firewall back in play and traffic routing both ways.  Thank you all for your assistance.
