cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2281
Views
0
Helpful
4
Replies

AWS Transit VPC Internet solution

ahmad82pkn
Level 3
Level 3

Hi,

I am using AWS Transit VPC CSR solution.

http://docs.aws.amazon.com/solutions/latest/cisco-based-transit-vpc/welcome.html

Now Idea is to use internet for all Spokes via Transit VPC.

How Can I achieve this?

I am able to advertise default route to each spoke site and each spoke site reach Hub CSR.

But how to do NAT on Hub CSR between VTI Tunnel interface that are in respective vpn VRF and Global G1 wan interface?

For example here is tunnel config

interface Tunnel1
 ip vrf forwarding vpn-5fba268
 ip address 169.254.59.166 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 52.14.x.75
 tunnel protection ipsec profile ipsec-vpn-aws
 ip virtual-reassembly

here is Giga1 config

interface GigabitEthernet1
 ip address dhcp
 negotiation auto
!

This is how I am able to advertise default route back to Spoke1

router bgp 64512
 bgp log-neighbor-changes

 address-family ipv4 vrf vpn-5fba7268

network 0.0.0.0

ip route vrf vpn-5fba268 0.0.0.0 0.0.0.0 GigabitEthernet 1 100.64.127.225

Now, i am trying to do NAT but not happening.

Did ip nat inside on tunnel

Did ip nat outside on Gi1

Made ip nat

ip nat inside source list xxx interface GigabitEthernet1 overload

But it doesnt work.

Any ideas ? :)

1 Accepted Solution

Accepted Solutions

bbcom_dylan
Level 1
Level 1

Here's how I did it:

int Tunnel1

ip nat inside

int Gi1

ip nat outside

ip access-list 1 permit <ip block of spoke> <wildcard mask>

(defines the source/spoke traffic to NAT for)

ip nat inside source list 1 interface Gi1 vrf <vrf Tunnel1 is in> overload

ip route vrf <vrf Tunnel1 is in> 0.0.0.0 0.0.0.0 Gi1 <ip address of internal AWS router>

(creates a default route from the Spoke VRF to the global VRF where the Gi1 interface is)

To get the ip address of the AWS router for the subnet the Gi1 interface is in, 'show ip route' for the route table of the global VRF. There was already a static route pointing to the IP. It will be different for each CSR because they are in different subnets.

If you're using dynamic routes/route propagation, BGP to populate the route table(s) of the spoke, you might need to include the default-originate option for the spoke BGP peers on the CSRs.

View solution in original post

4 Replies 4

ahmad82pkn
Level 3
Level 3

No one ? :s

Hi,

does any one has idea how to achieve this?

bbcom_dylan
Level 1
Level 1

Here's how I did it:

int Tunnel1

ip nat inside

int Gi1

ip nat outside

ip access-list 1 permit <ip block of spoke> <wildcard mask>

(defines the source/spoke traffic to NAT for)

ip nat inside source list 1 interface Gi1 vrf <vrf Tunnel1 is in> overload

ip route vrf <vrf Tunnel1 is in> 0.0.0.0 0.0.0.0 Gi1 <ip address of internal AWS router>

(creates a default route from the Spoke VRF to the global VRF where the Gi1 interface is)

To get the ip address of the AWS router for the subnet the Gi1 interface is in, 'show ip route' for the route table of the global VRF. There was already a static route pointing to the IP. It will be different for each CSR because they are in different subnets.

If you're using dynamic routes/route propagation, BGP to populate the route table(s) of the spoke, you might need to include the default-originate option for the spoke BGP peers on the CSRs.

ahmad82pkn
Level 3
Level 3

You are correct, I did it same way. forgot to update here :) Got stuck in some other issues.