04-10-2017 03:13 AM - edited 03-08-2019 10:08 AM
Hi,
I am using the AWS Transit VPC CSR solution.
http://docs.aws.amazon.com/solutions/latest/cisco-based-transit-vpc/welcome.html
Now the idea is to use the internet for all spokes via the Transit VPC.
How can I achieve this?
I am able to advertise a default route to each spoke site, and each spoke site can reach the hub CSR.
But how do I do NAT on the hub CSR between the VTI tunnel interfaces, which are in their respective VPN VRFs, and the global G1 WAN interface?
For example, here is the tunnel config:
interface Tunnel1
 ip vrf forwarding vpn-5fba268
 ip address 169.254.59.166 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 52.14.x.75
 tunnel protection ipsec profile ipsec-vpn-aws
 ip virtual-reassembly
Here is the Gi1 config:
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
!
This is how I am able to advertise a default route back to Spoke1:
router bgp 64512
 bgp log-neighbor-changes
 address-family ipv4 vrf vpn-5fba7268
  network 0.0.0.0
!
ip route vrf vpn-5fba268 0.0.0.0 0.0.0.0 GigabitEthernet 1 100.64.127.225
Now, I am trying to do NAT, but it is not happening.
Did ip nat inside on the tunnel.
Did ip nat outside on Gi1.
Made the ip nat rule:
ip nat inside source list xxx interface GigabitEthernet1 overload
But it doesn't work.
Any ideas? :)
04-15-2017 02:53 AM
No one? :s
04-25-2017 08:51 PM
Hi,
Does anyone have an idea how to achieve this?
05-11-2017 03:28 PM
Here's how I did it:
int Tunnel1
 ip nat inside
int Gi1
 ip nat outside
access-list 1 permit <ip block of spoke> <wildcard mask>
(defines the source/spoke traffic to NAT for)
ip nat inside source list 1 interface Gi1 vrf <vrf Tunnel1 is in> overload
ip route vrf <vrf Tunnel1 is in> 0.0.0.0 0.0.0.0 Gi1 <ip address of internal AWS router>
(creates a default route from the spoke VRF to the global VRF where the Gi1 interface is)
To get the IP address of the AWS router for the subnet the Gi1 interface is in, 'show ip route' for the route table of the global VRF. There was already a static route pointing to the IP. It will be different for each CSR because they are in different subnets.
If you're using dynamic routes/route propagation (BGP) to populate the route table(s) of the spoke, you might need to include the default-originate option for the spoke BGP peers on the CSRs.
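As an added worked example (not part of the thread, and not the AWS solution's own template), the pieces listed in the answer above assembled into one complete hub-side configuration for a single spoke VRF. The VRF name, Tunnel1 addressing and the AWS subnet-router next hop are taken from the original post; the spoke prefix 10.10.0.0/16, the route distinguisher 64512:1, the BGP peer 169.254.59.165 (the other usable address of the tunnel /30) and its remote AS 7224 are assumptions for illustration.

```cisco
! Spoke VRF (name as in the original post's Tunnel1; rd is an assumption)
ip vrf vpn-5fba268
 rd 64512:1
!
! VTI toward the spoke, placed in the VRF and marked as the NAT inside side
interface Tunnel1
 ip vrf forwarding vpn-5fba268
 ip address 169.254.59.166 255.255.255.252
 ip nat inside
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 52.14.x.75
 tunnel protection ipsec profile ipsec-vpn-aws
 ip virtual-reassembly
!
! Global WAN interface, NAT outside; spoke traffic leaves with this interface's address
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
!
! Translate only the spoke's own prefix (10.10.0.0/16 is assumed). A bare "permit any"
! would also translate the 169.254.x.x tunnel addresses and anything else that gets
! leaked into this VRF, so keep the list to the prefixes you expect from the spoke.
ip access-list standard SPOKE1-NAT
 permit 10.10.0.0 0.0.255.255
!
! PAT from the spoke VRF onto Gi1's address. The "vrf" keyword is what ties the rule
! to the VRF table; without it the rule only matches packets in the global table.
ip nat inside source list SPOKE1-NAT interface GigabitEthernet1 vrf vpn-5fba268 overload
!
! Default route from the spoke VRF into the global table via Gi1 and the AWS subnet
! router (next hop taken from the original post; read yours from "show ip route")
ip route vrf vpn-5fba268 0.0.0.0 0.0.0.0 GigabitEthernet1 100.64.127.225
!
! Send the default toward the spoke over BGP (peer address and AS are assumptions)
router bgp 64512
 bgp log-neighbor-changes
 address-family ipv4 vrf vpn-5fba268
  neighbor 169.254.59.165 remote-as 7224
  neighbor 169.254.59.165 activate
  neighbor 169.254.59.165 default-originate
 exit-address-family
!
! Verification, run after a spoke host has sent some internet-bound traffic
! show ip route vrf vpn-5fba268 0.0.0.0
! show ip bgp vpnv4 vrf vpn-5fba268 neighbors 169.254.59.165 advertised-routes
! show ip nat translations vrf vpn-5fba268
```

The same three stanzas (access list, `ip nat inside source ... vrf ... overload`, and the `ip route vrf ... GigabitEthernet1 <next hop>` leak) are repeated once per spoke VRF, each with its own access list. Because every spoke now egresses through the CSR's Gi1 address, the CSR becomes a shared internet edge: the per-VRF access list is the only thing deciding which spoke prefixes are allowed out, and the AWS security group on the CSR's Gi1 ENI still has to permit the outbound traffic and its return flows.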
05-12-2017 03:41 AM
You are correct, I did it the same way. Forgot to update here :) Got stuck on some other issues.