cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
197
Views
10
Helpful
5
Replies
Highlighted
Beginner

AWS csr NAT over VPN

Hello community :)! 

I'm working on the setup of a VPN between environment A and F, the environment A is deployed on AWS, the F environment in on-premise, the VPN is working with this configuration:

crypto keyring F_ARG
local-address GigabitEthernet1
pre-shared-key address 100.20.71.3 key PRESHARED_KEY
!
crypto isakmp policy 5
encryption aes 256
hash sha256
authentication pre-share
group 14
!
crypto isakmp profile F_ARG
keyring F_ARG
match identity address 100.20.71.3 255.255.255.255
local-address GigabitEthernet1
!
crypto ipsec transform-set AES256-SHA-TUNNEL esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile F_ARG
set transform-set AES256-SHA-TUNNEL
set pfs group2
!
interface Tunnel129
description GRE to F_ARG
ip address 10.9.32.114 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 30 3
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 100.20.71.3
tunnel protection ipsec profile F_ARG
ip virtual-reassembly
!
ip route 10.30.64.99 255.255.255.255 Tunnel129 name F_ROUTE

Now I need to add a NAT to this arrangement, I tried adding this:

ip nat inside source static 172.17.10.15 10.9.64.249
interface GigabitEthernet2
 ip nat inside
interface GigabitEthernet1
 ip nat outside

But when I go to 172.17.10.15 and ping 10.30.64.99 I don't get any response

ip-172-17-11-90#show ip nat translations verbose
Pro  Inside global         Inside local          Outside local         Outside global
---  10.9.64.248           172.17.10.15          ---                   ---
  create: 04/29/20 14:34:14, use: 04/29/20 14:34:14, timeout: 00:00:00
  Map-Id(In): 3
  Flags: static
  Appl type: none
  WLAN-Flags: unknown
  Mac-Address: 0000.0000.0000    Input-IDB:
  entry-id: 0x0, use_count:0
  In_pkts: 0 In_bytes: 0, Out_pkts: 0 Out_bytes: 0
  Output-IDB:

Doing a traceroute from 172.17.10.15 shows...

ubuntu@ip-172-17-10-15:~$ traceroute 10.30.64.99
traceroute to 10.30.64.99 (10.30.64.99), 30 hops max, 60 byte packets
 1  ip-172-17-10-129.ec2.internal (172.17.10.129)  0.877 ms  0.875 ms  0.878 ms (the "inside" interface of the CSR)
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

I'm a little lost of where to go from here, any help is appreciated

Thanks :)! 

Everyone's tags (2)
5 REPLIES 5
Highlighted
VIP Engager

Re: AWS csr NAT over VPN

your nat statement look fine. could you run command show ip nat statistics/debug ip nat/show log/show ip route and share the output

please do not forget to rate.
Highlighted
Beginner

Re: AWS csr NAT over VPN

HI Sheraz, thanks for the help

show ip nat statistics

Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  GigabitEthernet1
Inside interfaces:
  GigabitEthernet2, VirtualPortGroup0
Hits: 0  Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list GS_NAT_ACL interface GigabitEthernet1 refcount 0
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0  Out-to-in drops: 1711
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
Outside global interfaces count: 1

show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 172.17.11.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.17.11.1, GigabitEthernet1
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.9.32.112/30 is directly connected, Tunnel129
L        10.9.32.114/32 is directly connected, Tunnel129
S        10.30.64.99/32 is directly connected, Tunnel129
      172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.17.10.0/24 is directly connected, GigabitEthernet2
L        172.17.10.129/32 is directly connected, GigabitEthernet2
C        172.17.11.0/24 is directly connected, GigabitEthernet1
L        172.17.11.90/32 is directly connected, GigabitEthernet1

show log

*Apr 29 14:31:39.197: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ec2-user] [Source: 187.189.248.194] [localport: 22] at 14:31:39 UTC Wed Apr 29 2020
*Apr 29 14:34:12.324: NAT: Static entry id 0 add via config options 0x0 intra_vpn_support TRUE
*Apr 29 14:34:12.324: INITIAL lookup with IPNAT_LOCAL
*Apr 29 14:34:12.324: SECOND lookup attempt after INITIAL failure
*Apr 29 14:34:12.324: NO NAT entry found for this mapping - creating an entry
*Apr 29 14:34:12.324: NAT: Entry assigned id 3
*Apr 29 14:34:12.324: add_static_cfg - nat from ipnat_create_entry 0x7F3E257D4898
*Apr 29 14:34:12.324: ipnat_add_static_cfg: id 3, table_id 0, flag 0x6, inside local
*Apr 29 14:34:12.324: id 3, flags 0, domain 0, lookup 0, from_addr AC110A0F,
        from_mask FFFFFFFF, from_port 0, to_addr A0940F8, to_port 0 to_mask FFFFFFFF,
        router_id 0, vrf_table_id 0, ipredundancy_name , router_proto 0
*Apr 29 14:34:15.321: %SYS-5-CONFIG_I: Configured from console by ec2-user on vty0 (187.189.248.194)
*Apr 29 14:46:36.283: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (187.189.248.194)), user ec2-user
*Apr 29 14:46:36.283: %SYS-6-LOGOUT: User ec2-user has exited tty session 1(187.189.248.194)
*Apr 29 14:54:17.945: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ec2-user] [Source: 187.189.248.194] [localport: 22] at 14:54:17 UTC Wed Apr 29 2020
*Apr 29 15:00:31.459: %SYS-6-LOGOUT: User ec2-user has exited tty session 1(187.189.248.194)
*Apr 29 18:19:52.059: %SSH-3-NO_MATCH: No matching cipher found: client aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none server aes128-ctr,aes192-ctr,aes256-ctr
*Apr 29 19:52:19.971: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ec2-user] [Source: 187.189.248.194] [localport: 22] at 19:52:19 UTC Wed Apr 29 2020

I couldn't run debug ip nat, it requires an access-list number or name but I don't have any setup, should I deploy one ?

ip-172-17-11-90#debug ip nat ?
  <1-99>  Access list forced
  WORD    Access list name
  ha      High Availability debugging
Highlighted
VIP Engager

Re: AWS csr NAT over VPN

you have configured a static default route on your router

Gateway of last resort is 172.17.11.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 172.17.11.1, GigabitEthernet1

mean you next hop is 172.17.11.1.where as you have static 1 to 1 configured as

ip nat inside source static 172.17.10.15 10.9.64.249

does you next hop router have route install in its routing table?

 

have a look into this document it will help you to figured out where you having issue here 

 

 

could you also confirmed in your nat statement you configured 10.9.64.249 where as show ip nat transaltions showing your inside global 10.9.64.248.

ip-172-17-11-90#show ip nat translations verbose
Pro  Inside global         Inside local          Outside local         Outside global
---  10.9.64.248           172.17.10.15          ---                   ---
  create: 04/29/20 14:34:14, use: 04/29/20 14:34:14, timeout: 00:00:00
 
please do not forget to rate.
Highlighted
Beginner

Re: AWS csr NAT over VPN

So...

As the hit counter in the command show ip nat statistics remains in 0 even after I try to ping from 172.17.10.15, that means the NAT is not being used at all, right ? from the default route I get that all the traffic is being send it to the GigabitEthernet 1 but without the NAT ?

I don't have another hop router, after the petition is received by GigabitEthernet 2 it should be NATed to GigabitEthernet 1 and from there go through the tunnel

The ip change of 10.9.64.249 for 10.9.64.248 it was a configuration I tested (I also updated the route), I messed the copy/paste the one used is 10.9.64.249

My knowledge in networking with CSR is really basic so I don't fully understand the problem, thanks a lot for all the help on this

Highlighted
VIP Engager

Re: AWS csr NAT over VPN

As the hit counter in the command show ip nat statistics remains in 0 even after I try to ping from 172.17.10.15, that means the NAT is not being used at all, right ?

Correct.

 

from the default route I get that all the traffic is being send it to the GigabitEthernet 1 but without the NAT ?

Correct.

 

could you please share the configuration of this csrv. Am i right to understand that your natted static 1 to1 need to go out toward the gig1. (or in simple words you want natted traffic to go out from to your next hope.)

please do not forget to rate.