[SOLVED] VPN with CSR 1000V in AWS: packages not sent through VPN

lpy_fm
Level 1

Hi. I have a Cisco CSR 1000V running inside AWS which is used to establish a VPN between our AWS VPC and a remote data center. The VPN parameters have been configured by the network administrator of the remote data center and according to him, "the vpn tunnel works", but I have been unable so far to establish a connection to the remote data center.

What I'm trying to do is the following: A host (an EC2-instance running inside AWS) should connect through the VPN via SSH to a server on the remote data center. So I have configured the host to route its connections through the Cisco CSR. Furthermore, the host has the private ip 10.56.217.105, but the remote VPN only accepts connections from 10.56.216.0/24, so I have used NAT translation to change the source address:

# ip nat inside source static 10.56.217.105 10.56.216.158


I hope this actually does what I intend it to do: For each incoming connection coming from 10.56.217.105, the packets should appear as if coming from 10.56.216.158, so that the remote VPN accepts them.

Now, when I attempt to run ssh on the host with the IP 10.56.217.105, I can see that the NAT translation is applied:

# sh ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---  10.56.216.158         10.56.217.105         ---                   ---
tcp  10.56.216.158:44078   10.56.217.105:44078   10.147.4.38:22        10.147.4.38:22
Total number of translations: 2

I also see that the security association (which has been configured by the network admin of the remote data center) is applied:

# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
188.95.0.105    10.56.216.168   QM_IDLE           1001 ACTIVE


However, the SSH connection still fails (network timeout). According to the network admin of the remote data center, no packages arrive at their VPN.

Could someone give me any hints on how to troubleshoot this problem further? As you can see, I have little experience with Cisco IOS and networking in general, so any advice to clear up misunderstandings is welcome.

Here are some parts of the CSR's config which I consider relevant:

crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key topsecretkey address 182.x.x.x   
crypto isakmp keepalive 10
!
crypto isakmp peer address 182.x.x.x
!
!
crypto ipsec transform-set TRANS-AES256-SHA256 esp-aes 256 esp-sha256-hmac 
 mode tunnel
!
crypto ipsec profile 1
 set transform-set TRANS-AES256-SHA256 
 set pfs group14
!
!
!
crypto map IPSECMAP 1 ipsec-isakmp 
 set peer 182.x.x.x
 set transform-set TRANS-AES256-SHA256 
 set pfs group14
 match address ENC-AWS
!
!
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 ip tcp adjust-mss 1310
 negotiation auto
 no mop enabled
 no mop sysid
 crypto map IPSECMAP
!
!
ip access-list extended ENC-AWS
 permit ip host 10.56.216.158 host 10.147.4.17
 permit ip host 10.56.216.158 host 10.147.4.38

2 Replies

a.alekseev
Level 7
sh crypto ipsec sa
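What to read in that output, as an added Python example that is not part of this thread: it parses a constructed "show crypto ipsec sa" sample (addresses taken from the thread, packet counters invented) and uses the encaps/decaps counters of the SA for the host pair protected by the crypto ACL ENC-AWS to tell "traffic never enters the tunnel" apart from "traffic leaves but nothing comes back".

```python
import re

# Constructed sample of IOS "show crypto ipsec sa" output for crypto map
# IPSECMAP. Addresses come from the thread; the packet counters are invented.
SAMPLE_SHOW_IPSEC_SA = """\
interface: GigabitEthernet1
    Crypto map tag: IPSECMAP, local addr 10.56.216.168

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.56.216.158/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.147.4.38/255.255.255.255/0/0)
   current_peer 188.95.0.105 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident .*?: \(([\d.]+)/([\d.]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per proxy-identity block: local, remote, encaps, decaps."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group(1) == "local":          # a new SA block starts here
                cur = {"encaps": 0, "decaps": 0}
                sas.append(cur)
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        m = COUNTER_RE.search(line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return sas


def diagnose(sas, local, remote):
    """Classify tunnel state for one local/remote proxy pair (addr/mask strings)."""
    for sa in sas:
        if sa["local"] == local and sa["remote"] == remote:
            if sa["encaps"] == 0:
                # IOS applies inside-to-outside NAT before the crypto map, so the
                # crypto ACL must match the translated (inside global) address.
                return "no packets encapsulated: traffic is not matching the crypto ACL"
            if sa["decaps"] == 0:
                return "packets sent but none returned: check the remote side and return path"
            return "traffic flows in both directions"
    return "no IPsec SA for this pair: phase 2 was never negotiated for these proxies"
```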

Okay, so now it does work, without me changing anything on the CSR's configuration or on AWS. I don't know what made it work, but I assume the network administrator of the remote data center has changed something without telling me.

Thank you for your help and sorry for the noise.