Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2314
Views
0
Helpful
4
Replies

AWS Transit VPC Internet solution

Go to solution
ahmad82pkn
Level 3
Level 3

‎04-10-2017 03:13 AM - edited ‎03-08-2019 10:08 AM

Hi,

I am using AWS Transit VPC CSR solution.

http://docs.aws.amazon.com/solutions/latest/cisco-based-transit-vpc/welcome.html

Now Idea is to use internet for all Spokes via Transit VPC.

How Can I achieve this?

I am able to advertise default route to each spoke site and each spoke site reach Hub CSR.

But how to do NAT on Hub CSR between VTI Tunnel interface that are in respective vpn VRF and Global G1 wan interface?

For example here is tunnel config

interface Tunnel1
 ip vrf forwarding vpn-5fba268
 ip address 169.254.59.166 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 52.14.x.75
 tunnel protection ipsec profile ipsec-vpn-aws
 ip virtual-reassembly

here is Giga1 config

interface GigabitEthernet1
 ip address dhcp
 negotiation auto
!

This is how I am able to advertise default route back to Spoke1

router bgp 64512
 bgp log-neighbor-changes

 address-family ipv4 vrf vpn-5fba7268

network 0.0.0.0

ip route vrf vpn-5fba268 0.0.0.0 0.0.0.0 GigabitEthernet 1 100.64.127.225

Now, i am trying to do NAT but not happening.

Did ip nat inside on tunnel

Did ip nat outside on Gi1

Made ip nat

ip nat inside source list xxx interface GigabitEthernet1 overload

But it doesnt work.

Any ideas ? :)

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
bbcom_dylan
Level 1
Level 1

‎05-11-2017 03:28 PM

Here's how I did it:

int Tunnel1

ip nat inside

int Gi1

ip nat outside

ip access-list 1 permit <ip block of spoke> <wildcard mask>

(defines the source/spoke traffic to NAT for)

ip nat inside source list 1 interface Gi1 vrf <vrf Tunnel1 is in> overload

ip route vrf <vrf Tunnel1 is in> 0.0.0.0 0.0.0.0 Gi1 <ip address of internal AWS router>

(creates a default route from the Spoke VRF to the global VRF where the Gi1 interface is)

To get the ip address of the AWS router for the subnet the Gi1 interface is in, 'show ip route' for the route table of the global VRF. There was already a static route pointing to the IP. It will be different for each CSR because they are in different subnets.

If you're using dynamic routes/route propagation, BGP to populate the route table(s) of the spoke, you might need to include the default-originate option for the spoke BGP peers on the CSRs.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
ahmad82pkn
Level 3
Level 3

‎04-15-2017 02:53 AM

No one ? :s

0 Helpful

Go to solution
ahmad82pkn
Level 3
Level 3
In response to ahmad82pkn

‎04-25-2017 08:51 PM

Hi,

does any one has idea how to achieve this?

0 Helpful

Go to solution
bbcom_dylan
Level 1
Level 1

‎05-11-2017 03:28 PM

Here's how I did it:

int Tunnel1

ip nat inside

int Gi1

ip nat outside

ip access-list 1 permit <ip block of spoke> <wildcard mask>

(defines the source/spoke traffic to NAT for)

ip nat inside source list 1 interface Gi1 vrf <vrf Tunnel1 is in> overload

ip route vrf <vrf Tunnel1 is in> 0.0.0.0 0.0.0.0 Gi1 <ip address of internal AWS router>

(creates a default route from the Spoke VRF to the global VRF where the Gi1 interface is)

To get the ip address of the AWS router for the subnet the Gi1 interface is in, 'show ip route' for the route table of the global VRF. There was already a static route pointing to the IP. It will be different for each CSR because they are in different subnets.

If you're using dynamic routes/route propagation, BGP to populate the route table(s) of the spoke, you might need to include the default-originate option for the spoke BGP peers on the CSRs.

0 Helpful

Go to solution
ahmad82pkn
Level 3
Level 3

‎05-12-2017 03:41 AM

You are correct, I did it same way. forgot to update here :) Got stuck in some other issues.

0 Helpful
Customers Also Viewed These Support Documents