Cisco CSR1000v Router as NAT Instance on AWS

We’ll use the scenario below in this tutorial, in which we configure a Cisco CSR1000v router as a custom NAT instance inside our VPC on AWS.

NAT

First, we’ll create the custom VPC on AWS:

Login to your AWS account and go to the VPC section:

Screen Shot 2014-09-15 at 10.46.51 am

Here we’ll create the custom VPC instead of using the AWS VPC Wizard. Select “Your VPCs” from the left sidebar, then click “Create VPC” and fill in the desired information:

VPC-1

Now go to the “Subnets” section and create two subnets, one for the public side and one for the local side (in my case, 172.25.10.0/24 is public and 172.25.20.0/24 is local):

VPC-2

VPC-3

From the “Internet Gateways” section, create a new Internet Gateway:

VPC-4

Attach the newly created Internet Gateway to the VPC:

VPC-5

From the “Route Tables” section, select the route table that already exists; on the “Subnet Associations” tab, select the public subnet and click the “Save” button:

VPC-6

With the same default route table still selected, move to the “Routes” tab and create a routing entry for Internet traffic, pointing all Internet traffic to the Internet Gateway that we created above:

VPC-7

Next, create a custom route table by clicking “Create Route Table”:

VPC-8

Select the newly created route table; on the “Subnet Associations” tab, select the private subnet and click the “Save” button:

VPC-9

Note: We’ll come back later to configure this route table.

Launch the Cisco CSR1000v router inside the public/Internet subnet using the Marketplace:

VPC-10

On Step 3: Configure Instance Details, note the following points:

1) Create a second interface (eth1)

2) Auto-assign an IP on eth0 from the public subnet

3) On eth1, configure a static IP from the private subnet

VPC-11

Allocate a new Elastic IP inside the VPC:

VPC-12

Associate the Elastic IP with the public interface of the CSR1000v router:

VPC-13

Create a new security group that we will attach to the private/local interface of the CSR1000v router:

VPC-14

Go to “Network Interfaces” on the EC2 Dashboard, select the interface that connects to the private subnet, right-click it and select “Change Security Groups”:

VPC-15

Select the security group that we created above for this interface:

VPC-16

While in the Network Interfaces section, right-click the same interface again and select “Change Source/Dest. Check”:

VPC-17

And select “Disabled” (the router forwards packets that are neither from nor to its own addresses, which this check would otherwise drop):

VPC-18

Also right-click the CSR1000v interface that is connected to the public subnet and select “Change Source/Dest. Check”:

VPC-19

And select “Disabled”:

VPC-20

Go to the Instances section, right-click the CSR1000v router and select “Change Source/Dest. Check”:

VPC-21

Select “Yes, Disable”:

VPC-22

Now go back to the Route Tables section inside the VPC, select the custom route table and create a routing entry for Internet traffic there, pointing all Internet traffic to the CSR1000v router:

VPC-23

When we press the Save button, it produces an error like this:

VPC-24

To resolve this error, go to the Network Interfaces section on the EC2 Dashboard and copy the network interface ID of the interface that is connected to the private subnet:

VPC-25

Now paste that network interface ID in place of the instance ID and click the “Save” button:

VPC-26

Create this inbound rule on the security group that is attached to the private subnet interface:

VPC-27

Also create this inbound rule on the security group that is attached to the public subnet interface:

VPC-28
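Before moving on to the router itself, it is worth checking that the AWS side is wired the way the steps above describe: both router interfaces have the source/destination check disabled, the private subnet has an explicit route table, and that table’s default route targets the router’s private network interface rather than the Internet Gateway. The script below is an added example, not part of the original post; it walks dictionaries shaped like the EC2 DescribeRouteTables and DescribeNetworkInterfaces responses (so the same function can be fed real boto3 output), but every ID and the public-interface address here are constructed sample values, while the subnet CIDRs come from the tutorial.

```python
# Added example (not from the original post): sanity-check the AWS-side wiring of a
# NAT instance. Data structures mirror the EC2 DescribeRouteTables / DescribeNetworkInterfaces
# response shapes; all IDs and the 172.25.10.10 address are constructed sample values.
import copy
import ipaddress

PRIVATE_SUBNET_CIDR = "172.25.20.0/24"      # private subnet from the tutorial
PRIVATE_SUBNET_ID = "subnet-private0001"    # constructed placeholder
NAT_INSTANCE_ID = "i-0nat00000000001"       # constructed placeholder

ROUTE_TABLES = [
    {   # default table: public subnet -> Internet Gateway
        "RouteTableId": "rtb-public0001",
        "Associations": [{"SubnetId": "subnet-public00001"}],
        "Routes": [
            {"DestinationCidrBlock": "172.25.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example0001"},
        ],
    },
    {   # custom table: private subnet -> the router's private interface (eni-...)
        "RouteTableId": "rtb-private0001",
        "Associations": [{"SubnetId": PRIVATE_SUBNET_ID}],
        "Routes": [
            {"DestinationCidrBlock": "172.25.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-private0001"},
        ],
    },
]

NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-public00001", "SubnetId": "subnet-public00001",
     "PrivateIpAddress": "172.25.10.10", "SourceDestCheck": False,
     "Attachment": {"InstanceId": NAT_INSTANCE_ID, "DeviceIndex": 0}},
    {"NetworkInterfaceId": "eni-private0001", "SubnetId": PRIVATE_SUBNET_ID,
     "PrivateIpAddress": "172.25.20.10", "SourceDestCheck": False,
     "Attachment": {"InstanceId": NAT_INSTANCE_ID, "DeviceIndex": 1}},
]


def default_route(route_table):
    """Return the 0.0.0.0/0 route of a route table, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def find_problems(route_tables, interfaces, instance_id, private_subnet_id, private_cidr):
    """Return human-readable misconfigurations; an empty list means the layout looks right."""
    problems = []
    nat_enis = {i["NetworkInterfaceId"]: i for i in interfaces
                if i.get("Attachment", {}).get("InstanceId") == instance_id}
    if len(nat_enis) < 2:
        problems.append("NAT instance needs both a public and a private interface")
    subnet = ipaddress.ip_network(private_cidr)
    for eni_id, eni in nat_enis.items():
        # The router forwards traffic it did not originate, so the check must be off on every interface.
        if eni["SourceDestCheck"]:
            problems.append(f"source/dest check still enabled on {eni_id}")
        if eni["SubnetId"] == private_subnet_id and ipaddress.ip_address(eni["PrivateIpAddress"]) not in subnet:
            problems.append(f"{eni_id} address {eni['PrivateIpAddress']} is outside {private_cidr}")
    private_rt = next((rt for rt in route_tables
                       if any(a.get("SubnetId") == private_subnet_id for a in rt.get("Associations", []))), None)
    if private_rt is None:
        problems.append("private subnet is not explicitly associated with a route table")
        return problems
    route = default_route(private_rt)
    if route is None:
        problems.append("private route table has no default route")
    elif route.get("GatewayId", "").startswith("igw-"):
        problems.append("private subnet routes straight to the Internet Gateway, bypassing the NAT instance")
    elif route.get("NetworkInterfaceId") not in nat_enis:
        problems.append("private default route does not target a NAT-instance interface")
    return problems


def check_tutorial_layout():
    """The layout built in the steps above: expected to come back clean."""
    return find_problems(ROUTE_TABLES, NETWORK_INTERFACES, NAT_INSTANCE_ID,
                         PRIVATE_SUBNET_ID, PRIVATE_SUBNET_CIDR)


def check_with_source_dest_check_on():
    """Same layout, but the private interface's check was left at its default (enabled)."""
    ifaces = copy.deepcopy(NETWORK_INTERFACES)
    ifaces[1]["SourceDestCheck"] = True
    return find_problems(ROUTE_TABLES, ifaces, NAT_INSTANCE_ID, PRIVATE_SUBNET_ID, PRIVATE_SUBNET_CIDR)


if __name__ == "__main__":
    print("tutorial layout:", check_tutorial_layout() or "OK")
    print("check left on:  ", check_with_source_dest_check_on() or "OK")
```

The second scenario is the one that bites most often: the console save succeeds either way, and the only symptom of a forgotten source/dest check is that private hosts silently lose Internet access.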

Cisco CSR1000v Router Configuration:

Connect to the CSR1000v and configure the IP address on its private subnet interface with the same address you entered during instance creation:

conf t
interface gigabitEthernet 2
ip address 172.25.20.10 255.255.255.0
no shutdown

cisco-1

Check the interface status:

show ip interface brief

cisco-2

Ping the CSR1000v router from a host inside the private subnet:

cisco-3

Ping Google DNS (8.8.8.8); it will fail because NAT is not yet configured on the CSR1000v:

cisco-4

Set GigabitEthernet 1 as the outside interface and GigabitEthernet 2 as the inside interface:

int gigabitEthernet 1
ip nat outside
int gigabitEthernet 2
ip nat inside

cisco-5

Create an access control list (ACL) that matches the private subnet:

ip access-list extended NATList
permit ip 172.25.20.0 0.0.0.255 any

cisco-6

Finally, enable NAT overload and bind it to the outside interface configured above:

ip nat inside source list NATList interface gigabitEthernet 1 overload

cisco-7

Now ping Google DNS (8.8.8.8) again; this time it will succeed (in shaa ALLAH):

cisco-8

Check with the traceroute command that the server is using the CSR1000v as its default gateway:

cisco-9

Verify NAT overload operation on the CSR1000v router:

show ip nat translations

cisco-10
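To make the three router steps above concrete (the wildcard-mask ACL, the “overload” keyword, and what `show ip nat translations` is reporting), here is a small model of that behaviour as an added example; it is not code from the original post or from Cisco. It implements the IOS wildcard-mask match (a 1 bit in the mask means “don’t care”, so 0.0.0.255 is the inverse of 255.255.255.0), and a port address translation table that only ever admits flows initiated from inside by a source the ACL permits. The outside address 172.25.10.10 and the hosts, ports and the simple port counter are constructed sample values; real IOS tries to keep the original source port where it can.

```python
# Added example (not from the original post): a model of 'permit ip 172.25.20.0 0.0.0.255 any'
# plus 'ip nat inside source list NATList interface GigabitEthernet1 overload'.
# Addresses, ports and the port allocator below are constructed sample values.
import ipaddress

OUTSIDE_IP = "172.25.10.10"                      # GigabitEthernet1 address (constructed)
NAT_LIST = [("172.25.20.0", "0.0.0.255")]        # the single permit entry of NATList


def wildcard_match(ip, network, wildcard):
    """Cisco ACL semantics: bits set in the wildcard are ignored, the rest must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


class PatTable:
    """Port Address Translation state created by 'ip nat inside source list ... overload'."""

    def __init__(self, outside_ip, acl, first_port=1024):
        self.outside_ip = outside_ip
        self.acl = acl
        self.next_port = first_port          # simplified allocator (IOS prefers the original port)
        self.out = {}                        # (proto, in_ip, in_port, dst_ip, dst_port) -> global port
        self.back = {}                       # (proto, global port, dst_ip, dst_port) -> (in_ip, in_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside->outside packet. Returns the rewritten (src_ip, src_port), or None if the ACL misses."""
        if not any(wildcard_match(src_ip, net, wc) for net, wc in self.acl):
            return None                      # not in NATList: forwarded untranslated, unroutable on AWS
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(proto, port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.outside_ip, self.out[key]

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Outside->inside packet to outside_ip:dst_port. None means no matching flow, so it is dropped."""
        return self.back.get((proto, dst_port, src_ip, src_port))

    def translations(self):
        """Rows in the column order of 'show ip nat translations':
        Pro, Inside global, Inside local, Outside local, Outside global."""
        return [(proto, f"{self.outside_ip}:{gp}", f"{in_ip}:{in_port}", f"{dst}:{dp}", f"{dst}:{dp}")
                for (proto, in_ip, in_port, dst, dp), gp in self.out.items()]


def demo():
    """Two private hosts query 8.8.8.8, a public-subnet host misses the ACL, and one stray inbound packet."""
    nat = PatTable(OUTSIDE_IP, NAT_LIST)
    a = nat.outbound("udp", "172.25.20.55", 40000, "8.8.8.8", 53)
    b = nat.outbound("udp", "172.25.20.56", 40000, "8.8.8.8", 53)   # same inside port, distinct global port
    c = nat.outbound("udp", "172.25.10.5", 40000, "8.8.8.8", 53)    # public subnet: not in NATList
    reply = nat.inbound("udp", "8.8.8.8", 53, a[1])                 # answer to host a's query
    stray = nat.inbound("tcp", "198.51.100.7", 4444, 22)           # unsolicited: no table entry
    return {"a": a, "b": b, "c": c, "reply": reply, "stray": stray, "table": nat.translations()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two points the model makes visible: only flows that originate on the inside and match NATList ever get an entry, so nothing on the Internet can reach a private host through the overload address unless that host talked first; and because translation is keyed on the full five-tuple, two inside hosts using the same source port still get distinct global ports, which is what the `overload` keyword buys you over a one-to-one pool.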

Hope this will help you!

Please Remember me in your prayers!

Enjoy 🙂
