This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

NAT Gateway for External IP with Cloud VPN Connection to On-Premises Cisco Flex VPN

Posted on 07-18-2024 11:30 PM
Aidap
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Hello 

We are struggling with this case scenario. We want to connect our GCP VM through Cloud VPN to customer Cisco Flex VPN on-premise. We followed Google Docs to create a classic VPN with the VPN tunnel and VPN Gateway up. The customer only accepts the external IP address from us, so we needed to add the external IP address; we tried to Nated inside the VM by using the following command : 

 

$ sudo iptables -t nat -A POSTROUTING --destination REMOTE_PEER_SUBNET -j SNAT --to-source EXTERNAL_IP_ADDRESS

 

But we had no luck because the traffic was still routed through the primary internal IP address, so I did the following : 

  • VM Configuration:
    • The VM  with no external IP.
  • Cloud Router with NAT Gateway:
    • A Cloud Router is set up within the same Network as the VM and accepts all the internal IP ranges 
    • A NAT Gateway is configured to provide an external IP. ( status is ok ) 
  • Static Route:
    • A static route is established to ensure Destination traffic is routed through the VPN. ( the route is up) 

 

{
  "creationTimestamp": "2024-07-18T21:49:01.780-07:00",
  "description": "",
  "destRange": "Destination EXternal IP /32",
  "id": "XXXXXX",
  "kind": "compute#route",
  "name": "route-to-on-premise",
  "network": "Dedicated network for this ",
  "nextHopVpnTunnel": "vpnTunnels", ( please note you can't add the VPN gateway as google only support IGW) 
  "priority": 1000,
  "selfLink": "XXX"
}​

 

  • VPN Gateway:
    • Created the VPN Gateway is configured with the destination gateway. ( running ) 
  • Tunnel Configuration:
    • The tunnel is set up with the destination IP range. ( tunnel has been established ) 
    • The source IP address for the tunnel is the external IP provided by the NAT Gateway.

 

Status
Tunnel is up and running.

 

But when we run the network connectivity test, we get the following error :

 

Configuration analysis aborted
Aborted because no endpoint with the packet's destination IP address (EXTERNAL-IP): is found

 

Also, we can't make curl requests to the customer endpoints, but we also get the time out. 

 

 

Solved Solved
1 5 1,393
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
Aidap
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

To avoid any confusion, I want to share the solution I discovered since Google Docs didn't clarify these points for me. First, Google Public NAT can't be used with a VPN. Second, at the moment in GCP, connecting one NAT to multiple NATs is not supported. To resolve this, I created a classic VPN to connect to a remote site and then set up an INGRESS static route, which I had overlooked before. To do this, you need to create the INGRESS route and add your external IP address (the one you want to add to the VM) as the destination IP address range. Then, choose your VM as the next hop with the highest priority (priority 0). I hope this helps someone who has been searching for an answer to this issue as I did for several days.

View solution in original post

Jump to Solution
5 REPLIES 5
Top Labels in this Space
Top Solution Authors
View all