cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
706
Views
0
Helpful
4
Replies
Highlighted

Multiple VPN tunnels from Cisco ASA to different AWS regions that have identical private IP class

Hello everybody,

I'm new to Cisco and I need some guidance on this. Thanks in advance.

The scenario is the following:

I'm looking to connect the office network to multiple AWS platforms that have the same private IP class.

We already have a VPN tunnel in place from the Cisco ASA in our network to one of the AWS platforms and that is working fine.

The issue that we have is that we want to add other VPN tunnels from the Cisco ASA to other AWS platforms that have the same internal IP as the already configured AWS platform.

The way I'm seeing things is:

From the office internal network, from my box 167.165.0.25 (or any other box) I want to connect to AWS USA platform on IP 10.0.0.5

So I have a VPN tunnel between the office Cisco ASA external IP 194.x.x.x to AWS USA VPN server external IP 52.x.x.x

(source 167.165.0.x destination 10.0.0.x)

So this works.

Now I want to access from the office internal network the AWS EUR platform on again 10.0.0.5 (same internal ip as AWS USA)

So, I would add a second VPN tunnel from the office Cisco ASA external IP 194.x.x.x to AWS EUR VPN server external ip 52.y.y.y

(source 167.165.0.x destination 10.0.0.x)

But than I have a big problem if let's say I want to reach from my computer(167.165.0.x) the server 10.0.0.5 the Cisco ASA wouldn't know which 10.0.0.5 to get me to.

In fact I don't think it would let me add the rule for the second tunnel.

   

So what I was thinking in order to overcome this problem is:

If I want to connect to the AWS USA platform I would access instead of 10.0.0.5 the ip 10.10.0.5 (chosen by convetion)

If I want to connect to the AWS EUR platform I would access instead of 10.0.0.5 the ip 10.20.0.5 (again chosen by convention)

Than the tunnels I would have in place would look like:

office Cisco ASA external IP 194.x.x.x to AWS USA VPN server external IP 52.x.x.x  (source 167.165.0.x destination 10.10.0.x)

office Cisco ASA external IP 194.x.x.x to AWS EUR VPN server external ip 52.y.y.y  (source 167.165.0.x destination 10.20.0.x)

On the AWS VPN servers i would implement a NAT with netmap saying that everything that is coming in with destination 10.10.0.x should be NAT-ed to destination 10.0.0.x (one to one NAT)  and also back afterwards.

I've found some info that all the NAT part can be implemented on the office Cisco ASA so that I don't over complicate things on the AWS VPN servers. It seems that what I might be looking for is Twice NAT destination to destination but I'm not sure how would that look like for my scenario.

Could you please help me on this?

PS: I hope I've added all the info and that what I'm trying to acheive makes sense.

Kind regards,

Alex

4 REPLIES 4
Highlighted
Beginner

Hello,

Hello,

The best way to implement this is configuring the nat in the AWS side because the ASA has the same source and the same destination in 2 different tunnels if you implement nat on the ASA the nat will be:

translate 167.165.0.x to 10.10.0.x when the destination is 10.0.0.x

There is no way to say translate when you go over this peer or the other, since you have this nat in place every time that you want to go to the destination 10.0.0.x either to USA or EUR ASA will perform the translation so configuring the nat in the ASA is not an option.

If your ASA allow you to have a second outside interface with a public IP you can terminate one of the tunnels there and this can be accomplished with nat on the ASA otherwise the best again will be do it in one of the AWS sides.

Regards, please rate!

Highlighted

Thanks Diego,

Thanks Diego,

I was able to find on some other sites people that are trying to acheive the same thing and people replying that this can be done on the ASA side but not providing much details on how this should be acomplished.

Here is what I was able to find:

"

Ah, I think I see what you're saying.

So, you match the subnets as small as possible, and then make a NAT entry for each destination network address? For example:

My network is 10.10.1.x, 255.255.255.0.
Client A's network is 192.168.1.x, 255.255.255.0.
Client B's network is 192.168.1.x, 255.255.255.0.

So, I NAT-map, you'll have to forgive some technical misgivings here, 10.10.1.x to Client A, and perhaps, 10.10.2.x to Client B. No, that's not right. Just a moment...

Aha, is this right?:

So, I create two more subnets on my local network. Smaller the better.

So I now have 10.10.2.x and 10.10.3.x. I NAT map each of them to Client A and Client B, respectively. The VPN can now address each subnet uniquely, and NAT translation of some kind handles translating the addresses between the client and our VPN network.

Using a smaller subnet would be advisable, but for simplicity sake, this is the basic idea, yes?

The thing I don't understand is how the routing works... how am I going to be able to route information from our network, over the VPN, and be able to uniquely route traffic to two IP's with the same IP address?

I had WAY too much coffee, it's hard to concentrate!
I remember the 12.4 bug thing.

quote:
The thing I don't understand is how the routing works... how am I going to be able to route information from our network, over the VPN, and be able to uniquely route traffic to two IP's with the same IP address?


You don't. I'll use 1.0.0.0/8 (even though it is now public and potentially used) as my public network and 192.168.1.0 as the overlapping networks for customer A and customer B seperately.

I do a VPN between A's public and my public interface (1.1.1.1/24) and B's public interface- and I nat 192.168.1.0 coming from anything behind A to 1.2.1.0/24 and then same thing for B except I use 1.3.1.0/24 (or whatever).

Then to access anything on customer A from my net I instruct my support people to use 1.2.1.0/24 and for customer B use 1.3.1.0/24.

You have to build the NAT (and sometimes double NAT) so that your users never see 192.168.1.0/24 and the customer just has your net block as interesting traffic.
quote:
The thing I don't understand is how the routing works... how am I going to be able to route information from our network, over the VPN, and be able to uniquely route traffic to two IP's with the same IP address?


As erratick says, you don't. You send your traffic towards an address that sits in your routing space. That traffic handed off to your VPN router, where it is NAT'd.

So let's say I have two customers

192.168.1.0/24
and
192.168.1.0/24

I create 10.1.1.0/24 as an encryption domain (via ACL) and add individual NAT entries (in that subnet) to the first customer's addresses that I'm interested in.

I create 10.1.2.0/24 as an encryption domain (via ACL) and individual NAT entires (in that subnet) to the second customer's address that I'm interested in.

You may also end up in a situation where inbound traffic may need to be sourced from a loopback, within *your* routing block, that sits on customer equipment, so you can differentiate inbound traffic. This may or may not apply to you, depending on how you are creating these tunnels.

I support a wide variety of architectures, and this happens fairly often.

"

Is there anyone else that ran into the same issue like me ? How did you fixed this.

PS: I know I can do this on the AWS end but is not really what I'm looking for as I would like to have everything centralized.

Kind regards,

Alex

Beginner

Hello,

Hello,

In this example as you can see the person how implemented this created 2 different subnets so you will have 2 source networks

"So, I create two more subnets on my local network. Smaller the better"

"So I now have 10.10.2.x and 10.10.3.x"

2 different IPs in the local LAN not a single source like in your case....

if you can implement that, this can be accomplished one network goes to AWS US and the other to AWS EUR Nat can also be implemented in this case on the ASA.

Highlighted

Thanks a lot for your help

Thanks a lot for your help Diego.

We went for implementing this on the AWS side.