
Cisco CSR and AWS

dvlewis
Level 1

I am trying to set up a simple GRE tunnel from a local router to a Cisco CSR at Amazon.

The CSR at Amazon is configured with two interfaces: outside and inside.

The outside interface gets a private IP, 10.6.0.226, via DHCP. There is a public IP associated with this IP. 

I have SSH access into the CSR via the public IP.

My questions:

1) Does Amazon support GRE?

2) When configuring the tunnel on the CSR, is the tunnel source the private IP or the public IP?

Thanks.


Don

3 Replies

I have a similar situation that I'm curious about. We have a Cisco CSR 1000 as an AWS EC2 instance with two interfaces. Our setup is the same as the poster's. We have a tunnel set up with a customer. We have an AWS server that can communicate with the local (inside) interface. There is a device connected to the customer network that we need to communicate with the server and vice versa.

CSR:

GigabitEthernet1      172.31.61.118/24 DHCP

GigabitEthernet2      172.31.43.254/20 Static

Tunnel0                     192.168.0.2/30

Tunnel0 Source       172.31.61.118

IP Route

Gateway of last resort is 172.31.61.1 to network 0.0.0.0

S*   0.0.0.0/0 [254/0] via 172.31.61.1

     100.0.0.0/23 is subnetted, 1 subnets

B       100.126.16.0 [20/0] via 192.168.0.1, 01:00:47

     172.31.0.0/16 is variably subnetted, 4 subnets, 3 masks

C       172.31.32.0/20 is directly connected, GigabitEthernet2

L       172.31.43.254/32 is directly connected, GigabitEthernet2

C       172.31.61.0/24 is directly connected, GigabitEthernet1

L       172.31.61.118/32 is directly connected, GigabitEthernet1

     192.168.0.0/24 is variably subnetted, 4 subnets, 2 masks

C       192.168.0.0/30 is directly connected, Tunnel0

L       192.168.0.2/32 is directly connected, Tunnel0

Server:

Ethernet 1                 172.31.33.203/20 gw 172.31.32.1

Device:

Ethernet 1                 100.126.16.1/23


Currently, this is what's happening:

I can ping the 172.31.33.203 via 172.31.43.254 on the CSR and vice versa.

I can't ping the 172.31.33.203 via 172.31.61.118 on the CSR and vice versa.

I can ping the 192.168.0.0/30 IPs via 172.31.43.254 on the CSR

I can’t ping the 192.168.0.0/30 IPs via 172.31.61.118 on the CSR

I can’t ping the 192.168.0.0/30 IPs via 172.31.33.203

I can’t ping 100.126.16.1 from anywhere in AWS

The device 100.126.16.1 can ping 172.31.43.254, but nothing else.

 

Are there some static routes that I need to implement in AWS to get this to work?

 

I’m not very familiar with Cisco and less familiar with AWS networking.

 

Any help would be greatly appreciated!

 

Richard Burts
Hall of Fame

Don

In my experience with AWS, they want the tunnel to be VTI, which does encrypt the data, rather than GRE, which does not encrypt the data. Are you sure that you want to configure a GRE tunnel for AWS?

To answer your question about which address to use as tunnel source, let us start by remembering this simple fact: a basic requirement for configuring a tunnel (applies to both GRE and VTI) is that the tunnel source must be reachable from the tunnel source of the peer router. So you should specify as the tunnel source whichever address is reachable from your router.

HTH

Rick


Hi. 1 - Yes, it should. But why are you going to use GRE? Why not IPsec? Also, you will need to allow the traffic in your CSR security group rules.

2 - All traffic from the CSR to the outside will be NATed by the AWS gateway. So, if you are going to use the outside interface's IP address, you should use its private IP. It will be NATed to the public IP on the AWS gateway.
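The security group point in the last reply can be checked offline. The following is an added example, not part of any reply in the thread: it evaluates ingress rules, written in the `IpPermissions` shape that AWS returns when describing a security group, for whether GRE (IP protocol 47) from the tunnel peer is allowed, and flags rules broader than the tunnel needs. The peer address `203.0.113.10`, the function name and the three rule sets are constructed for illustration.

```python
import ipaddress

GRE = "47"        # IP protocol number for GRE
ALL_PROTO = "-1"  # AWS notation for "all protocols"

def check_gre_ingress(ip_permissions, peer_ip):
    """Return (allowed, findings) for GRE from peer_ip under these ingress rules."""
    peer = ipaddress.ip_address(peer_ip)
    allowed, findings = False, []
    for perm in ip_permissions:
        proto = str(perm.get("IpProtocol"))
        if proto not in (GRE, ALL_PROTO):
            continue  # e.g. a tcp/22 rule does nothing for GRE
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if peer not in net:
                continue
            allowed = True
            if net.prefixlen == 0:
                findings.append(f"protocol {proto} open to any source; restrict to {peer}/32")
            if proto == ALL_PROTO:
                findings.append(f"all protocols allowed from {net}; narrow to protocol {GRE}")
    return allowed, findings

# Constructed sample data (not from the thread).
PEER = "203.0.113.10"  # hypothetical public IP of the local router
SSH_ONLY = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]
GRE_SCOPED = SSH_ONLY + [{"IpProtocol": "47",
                          "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]
WIDE_OPEN = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

if __name__ == "__main__":
    for name, rules in [("ssh-only", SSH_ONLY), ("gre-scoped", GRE_SCOPED),
                        ("wide-open", WIDE_OPEN)]:
        ok, notes = check_gre_ingress(rules, PEER)
        print(f"{name}: GRE from {PEER} allowed={ok}")
        for n in notes:
            print("  -", n)
```

The `ssh-only` case shows why working SSH access to the CSR says nothing about whether GRE will pass: the rule matches on protocol, and a TCP rule does not cover protocol 47.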
