
NAT Gateway for External IP with Cloud VPN Connection to On-Premises Cisco Flex VPN

Hello 

We are struggling with this scenario. We want to connect our GCP VM through Cloud VPN to a customer's Cisco FlexVPN on-premises. We followed the Google docs to create a Classic VPN, with the VPN tunnel and VPN gateway up. The customer only accepts an external IP address from us, so we needed to add the external IP address; we tried to NAT inside the VM using the following command:


$ sudo iptables -t nat -A POSTROUTING --destination REMOTE_PEER_SUBNET -j SNAT --to-source EXTERNAL_IP_ADDRESS


But we had no luck: the traffic was still routed through the primary internal IP address, so I did the following:

  • VM configuration:
    • The VM has no external IP.
  • Cloud Router with NAT gateway:
    • A Cloud Router is set up within the same network as the VM and accepts all the internal IP ranges.
    • A NAT gateway is configured to provide an external IP (status is OK).
  • Static route:
    • A static route is established to ensure destination traffic is routed through the VPN (the route is up).


{
  "creationTimestamp": "2024-07-18T21:49:01.780-07:00",
  "description": "",
  "destRange": "Destination external IP /32",
  "id": "XXXXXX",
  "kind": "compute#route",
  "name": "route-to-on-premise",
  "network": "Dedicated network for this",
  "nextHopVpnTunnel": "vpnTunnels",
  "priority": 1000,
  "selfLink": "XXX"
}

(Please note you can't add the VPN gateway as the next hop, as Google only supports IGW.)


  • VPN gateway:
    • The VPN gateway is created and configured with the destination gateway (running).
  • Tunnel configuration:
    • The tunnel is set up with the destination IP range (the tunnel has been established).
    • The source IP address for the tunnel is the external IP provided by the NAT gateway.

 

Status
Tunnel is up and running.

 

But when we run the Network Connectivity Test, we get the following error:

Configuration analysis aborted
Aborted because no endpoint with the packet's destination IP address (EXTERNAL-IP) is found

Also, we can't make curl requests to the customer endpoints; we get a timeout.


Solved

Accepted solution

To avoid any confusion, I want to share the solution I discovered, since the Google docs didn't clarify these points for me. First, Google Public NAT can't be used with a VPN. Second, at the moment, connecting one NAT to multiple NATs is not supported in GCP. To resolve this, I created a Classic VPN to connect to the remote site and then set up an INGRESS static route, which I had overlooked before. To do this, you need to create the INGRESS route and add your external IP address (the one you want to assign to the VM) as the destination IP address range. Then choose your VM as the next hop, with the highest priority (priority 0). I hope this helps someone who has been searching for an answer to this issue, as I did for several days.

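The accepted solution above, written out as an added worked example that is not part of the original thread: a POSIX shell script that builds the pieces with gcloud and then applies the in-VM iptables rules the original question started from. The project, names, region, subnet, CIDRs, the peer address, the 443 service port and the use of RFC 5737 documentation addresses are all assumptions; the script only prints the commands unless DRY_RUN=0 is set, so it can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example, not the thread's own configuration: the accepted solution as gcloud
# commands plus the in-VM NAT rules. Every name, range and address is a placeholder;
# PUBLIC_IP and PEER_IP use RFC 5737 documentation space.
# DRY_RUN=1 (default) prints the commands instead of executing them.

PROJECT="${PROJECT:-my-project}"
REGION="${REGION:-europe-west1}"
ZONE="${ZONE:-europe-west1-b}"
NETWORK="vpn-net"             # dedicated custom-mode VPC (assumed)
SUBNET="vpn-subnet"
VM="app-vm"
VM_INTERNAL_IP="10.10.10.1"   # the VM's only NIC address; the VM gets no external IP
PUBLIC_IP="198.51.100.7"      # the address the customer whitelists (placeholder)
PEER_IP="203.0.113.10"        # customer's Cisco FlexVPN public endpoint (placeholder)
PEER_RANGE="192.168.50.0/24"  # customer's on-premises range behind the tunnel (placeholder)
GW="classic-gw"
TUNNEL="tunnel-to-onprem"
SHARED_SECRET="${SHARED_SECRET:-REPLACE_ME}"  # caveat: a flag value shows in history and ps
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The customer only accepts a public address: refuse RFC 1918 space up front.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# 1. VM with no external address. --can-ip-forward does two jobs: a VM can only be a
#    route next hop with it, and it also disables the VPC's source/destination address
#    check, so SNATed packets (src = PUBLIC_IP) may leave the NIC and packets addressed
#    to PUBLIC_IP may be delivered to it.
create_vm() {
    run gcloud compute instances create "$VM" --project "$PROJECT" --zone "$ZONE" \
        --network "$NETWORK" --subnet "$SUBNET" --private-network-ip "$VM_INTERNAL_IP" \
        --no-address --can-ip-forward
}

# 2. Classic VPN: gateway address, target gateway, the three forwarding rules
#    (ESP, UDP/500, UDP/4500) and a route-based IKEv2 tunnel (0.0.0.0/0 selectors).
create_classic_vpn() {
    run gcloud compute addresses create "$GW-ip" --project "$PROJECT" --region "$REGION"
    run gcloud compute target-vpn-gateways create "$GW" --project "$PROJECT" \
        --region "$REGION" --network "$NETWORK"
    run gcloud compute forwarding-rules create "$GW-esp" --project "$PROJECT" --region "$REGION" \
        --address "$GW-ip" --ip-protocol ESP --target-vpn-gateway "$GW"
    run gcloud compute forwarding-rules create "$GW-udp500" --project "$PROJECT" --region "$REGION" \
        --address "$GW-ip" --ip-protocol UDP --ports 500 --target-vpn-gateway "$GW"
    run gcloud compute forwarding-rules create "$GW-udp4500" --project "$PROJECT" --region "$REGION" \
        --address "$GW-ip" --ip-protocol UDP --ports 4500 --target-vpn-gateway "$GW"
    run gcloud compute vpn-tunnels create "$TUNNEL" --project "$PROJECT" --region "$REGION" \
        --target-vpn-gateway "$GW" --peer-address "$PEER_IP" --ike-version 2 \
        --shared-secret "$SHARED_SECRET" \
        --local-traffic-selector 0.0.0.0/0 --remote-traffic-selector 0.0.0.0/0
}

# 3. Routes. The egress route sends the customer's range into the tunnel. The ingress
#    /32 route (the step the thread had missed) hands packets for PUBLIC_IP arriving
#    from the tunnel to the VM; priority 0 is the highest a route can have.
create_routes() {
    run gcloud compute routes create "to-onprem" --project "$PROJECT" --network "$NETWORK" \
        --destination-range "$PEER_RANGE" --priority 1000 \
        --next-hop-vpn-tunnel "$TUNNEL" --next-hop-vpn-tunnel-region "$REGION"
    run gcloud compute routes create "public-ip-to-$VM" --project "$PROJECT" --network "$NETWORK" \
        --destination-range "$PUBLIC_IP/32" --next-hop-instance "$VM" \
        --next-hop-instance-zone "$ZONE" --priority 0
}

# 4. Firewall: only the customer's range may reach the VM, and only on the service
#    port (443 assumed); the VPC's implied deny-ingress rule covers everything else.
create_firewall() {
    run gcloud compute firewall-rules create "allow-onprem-to-$VM" --project "$PROJECT" \
        --network "$NETWORK" --direction INGRESS --source-ranges "$PEER_RANGE" --allow tcp:443
}

# 5. Inside the VM (as root): flows to the customer leave with src PUBLIC_IP, and
#    conntrack un-SNATs the replies the ingress route delivers. The DNAT line is only
#    needed if the customer initiates connections to PUBLIC_IP.
vm_nat_rules() {
    run iptables -t nat -A POSTROUTING -d "$PEER_RANGE" -j SNAT --to-source "$PUBLIC_IP"
    run iptables -t nat -A PREROUTING -d "$PUBLIC_IP" -j DNAT --to-destination "$VM_INTERNAL_IP"
}

main() {
    if is_private_ipv4 "$PUBLIC_IP"; then
        echo "PUBLIC_IP $PUBLIC_IP is RFC 1918; the customer will not accept it" >&2
        return 1
    fi
    create_vm && create_classic_vpn && create_routes && create_firewall && vm_nat_rules
}

if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as `sh setup-vpn.sh apply` to review the generated commands, then with `DRY_RUN=0` to create the resources; the iptables lines are meant to be run on the VM itself. Nothing in the /32 route requires the address to be reserved in the project, but PUBLIC_IP should still be an address you own, and the customer's IKE configuration has to see the Classic VPN gateway's address as the peer while its traffic selectors admit PUBLIC_IP/32.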

Replies

@alexmoore

The problem is how we should define the static route to route the NATed traffic to the VPN tunnel. I created this because it is one NAT to another NAT, but still, the traffic gets aborted.


@Aidap I'm still confused here: can we use a NAT gateway or not?

@venkatareddy9 No, you don't need to use a NAT gateway; creating the ingress route to the instance would solve your issue.


So you need to assign an external public IP to the VM instance in GCP, as NAT with VPN is not yet supported in GCP?

1. Create a Classic (static) VPN.
2. Define an external IP on your VM instance:
   a. private IP = 10.10.10.1
   b. public IP = 100.1.1.1
3. Create a static route and select the VPN gateway as your next hop?