After setting up an Amazon VPN connection and configuring my gateway using the downloaded configuration, I am able to directly ssh to the private IP of an EC2 instance in my VPC. However, both the EC2 instance and an AppStream instance are unable to access local network resources on my side of the connection. The gateway I am using is a Cisco 1941 that runs IOS 12.4+.
Access to the customer gateway (10.0.0.2) works for the EC2 instance in the VPC (192.168.170.72):
traceroute to 10.0.0.2 (10.0.0.2), 64 hops max
1 169.254.45.190 40.357ms * 21.617ms
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=254 time=21.2 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=254 time=24.9 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=254 time=21.3 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=254 time=46.9 ms
But not access to a local machine that allows internal network access:
traceroute to 10.0.0.80 (10.0.0.80), 64 hops max
1 169.254.45.190 21.508ms 23.094ms 21.671ms
2 * * *
3 * * *
...
PING 10.0.0.80 (10.0.0.80) 56(84) bytes of data.
10.0.0.80 ping statistics ---
19 packets transmitted, 0 received, 100% packet loss, time 17999ms
A packet capture run on 10.0.0.80 shows that the ping request is received and replied to: 
And packet captures from the Tunnel interfaces show that the packets are routed to the tunnel: Tunnel1 
Tunnel2 
Here is the configuration for the Cisco 1941w gateway:
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.0.0 10.0.0.10
ip dhcp excluded-address 10.0.0.66
ip dhcp excluded-address 10.0.0.93
ip dhcp excluded-address 10.0.0.97
ip dhcp excluded-address 10.0.0.231
!
ip dhcp pool embedded-router-pool
network 10.0.0.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
!
!
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
redundancy
!
track 100 ip sla 100 reachability
!
track 200 ip sla 200 reachability
!
crypto keyring keyring-vpn-39bea158-1
local-address PUBLIC_IP
pre-shared-key address PUBLIC_VPN_IP_1 key KEY1
crypto keyring keyring-vpn-39bea158-0
local-address PUBLIC_IP
pre-shared-key address PUBLIC_VPN_IP_2 key KEY2
!
crypto isakmp policy 1
!
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 201
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-39bea158-0
keyring keyring-vpn-39bea158-0
match identity address PUBLIC_VPN_IP_2 255.255.255.255
local-address PUBLIC_IP
crypto isakmp profile isakmp-vpn-39bea158-1
keyring keyring-vpn-39bea158-1
match identity address PUBLIC_VPN_IP_1 255.255.255.255
local-address PUBLIC_IP
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-39bea158-0 esp-aes esp-sha-hmac
crypto ipsec transform-set ipsec-prop-vpn-39bea158-1 esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-vpn-39bea158-0
set transform-set ipsec-prop-vpn-39bea158-0
set pfs group2
!
crypto ipsec profile ipsec-vpn-39bea158-1
set transform-set ipsec-prop-vpn-39bea158-1
set pfs group2
!
!
bridge irb
!
!
!
!
interface Tunnel1
ip address 169.254.46.162 255.255.255.252
ip virtual-reassembly in
ip tcp adjust-mss 1379
tunnel source PUBLIC_IP
tunnel mode ipsec ipv4
tunnel destination PUBLIC_VPN_IP_2
tunnel protection ipsec profile ipsec-vpn-39bea158-0
!
interface Tunnel2
ip address 169.254.45.190 255.255.255.252
ip virtual-reassembly in
ip tcp adjust-mss 1379
tunnel source PUBLIC_IP
tunnel mode ipsec ipv4
tunnel destination PUBLIC_VPN_IP_1
tunnel protection ipsec profile ipsec-vpn-39bea158-1
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
bridge-group 1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered BVI1
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
ip address PUBLIC_IP 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface FastEthernet0/0/0
ip address PUBLIC_T1_IP 255.255.255.248
duplex auto
speed auto
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly in
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan10
no ip address
!
interface BVI1
ip address 10.0.0.2 255.0.0.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 192.168.0.0 255.255.0.0 Tunnel1 track 100
ip route 192.168.0.0 255.255.0.0 Tunnel2 track 200
ip route 0.0.0.0 0.0.0.0 PUBLIC_IP_2
!
ip sla 100
icmp-echo 169.254.46.161 source-interface Tunnel1
frequency 5
ip sla schedule 100 life forever start-time now
ip sla 200
icmp-echo 169.254.45.189 source-interface Tunnel2
frequency 5
ip sla schedule 200 life forever start-time now
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255
There is one thing that stands out to me:
ip route 0.0.0.0 0.0.0.0 PUBLIC_IP_2
That PUBLIC_IP_2 is not the same as PUBLIC_IP. PUBLIC_IP_2 ends in 250 whereas PUBLIC_IP ends in 248.
I've attempted to change the NAT rules by changing the configuration to:
ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
and
access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255 access-list 110 permit ip 10.0.0.0 0.0.0.255 any access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255
route-map nonat permit 10 match ip address 110
The result is the same however I'm not certain I am configuring the rules correctly.
