
Request for Assistance - VPN Setup and One-to-One NAT Mapping in AWS

0

Hi Team,

I am encountering an issue with our on-premises network firewall. We have a local network in the range of 10.10.0.0/16, along with additional ranges like 10.11.0.0/16, 192.168.1.0/24, and 192.168.2.0/24. Our client has servers in AWS that also use the 10.10.0.0/16 subnet.

I would like to establish a site-to-site VPN connection from our on-premises network (192.168.1.0/24) to the AWS servers (10.10.0.0/16) without any conflicts. Instead of using the 10.10.0.0/16 range, I prefer to utilize the 172.17.0.0/16 range for this connection.

Could you please guide me on how to implement one-to-one mapping using NAT in AWS? Specifically, I need assistance with the configuration required to connect to the 10.10.0.0/16 servers while using the 172.17.0.0/16 range. Any help would be greatly appreciated!

Thank you!

3 Answers
0

To establish a site-to-site VPN connection from your on-premises network to AWS servers while avoiding IP conflicts, you can implement a one-to-one NAT (Network Address Translation) mapping in AWS. Here's a step-by-step guide to achieve this:

  1. Set up the AWS Site-to-Site VPN:

    • Create a Customer Gateway in AWS, using the public IP address of your on-premises VPN device.
    • Create a Virtual Private Gateway and attach it to your VPC.
    • Create a VPN Connection, specifying the Customer Gateway and Virtual Private Gateway.
  2. Configure NAT in AWS:

    • Create a NAT Gateway or NAT instance in your VPC.
    • Configure route tables to direct traffic from your VPN connection through the NAT Gateway/instance.
  3. Set up one-to-one NAT mapping:

    • Use AWS Network Address Translation (NAT) to map the 10.10.0.0/16 range to 172.17.0.0/16.
    • Configure your on-premises firewall to translate addresses in the 172.17.0.0/16 range to the corresponding addresses in the 10.10.0.0/16 range when sending traffic to AWS.
  4. Update routing:

    • In your AWS VPC route table, add a route for 172.17.0.0/16 pointing to the Virtual Private Gateway.
    • On your on-premises network, add a route for 172.17.0.0/16 pointing to your VPN device.
  5. Configure security groups:

    • Update the security groups for your AWS resources to allow traffic from the 172.17.0.0/16 range.
  6. Test the connection:

    • Verify connectivity between your on-premises network (192.168.1.0/24) and the AWS servers using the 172.17.0.0/16 range.

Remember to adjust your firewall rules and NAT configurations on both ends to ensure proper translation and routing of traffic. Also, make sure to test thoroughly to confirm that the one-to-one mapping is working correctly and there are no conflicts with the existing IP ranges.
Sources
Configure an AWS site-to-site VPN | AWS re:Post
Get started with AWS Site-to-Site VPN - AWS Site-to-Site VPN
VPN Setup - AMS Advanced Onboarding Guide
VPN setup - AMS Advanced Onboarding Guide

answered a month ago
  • I'm new to AWS and didn’t fully understand. Could you please explain with more details, similar to how it's configured in AWS?

    Thanks

0

Not answering the question, but I would not do this (1:1 NAT). While it will work, in the long run it is more expensive and it will most probably lead to "interesting" (and that's not good interesting) consequences with edge cases where protocols don't play nicely with NAT. Plus you'll have to deal with DNS as well - the NAT solution might do that for you, but it might not too.

Although it's difficult, renumber the network at the AWS end. That's hard work but it is worth it in the end.

Ref: https://aws.amazon.com/blogs/networking-and-content-delivery/connecting-networks-with-overlapping-ip-ranges/

AWS EXPERT
answered a month ago
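The following is an added example, not code from either answer or from AWS. It works through the one-to-one mapping the first answer describes (step 3, translation done on the on-premises firewall) and the DNS caveat the second answer raises, using the ranges from the question: 10.10.0.0/16 in AWS, 172.17.0.0/16 as the substitute, 192.168.1.0/24 as the on-premises source. It checks that the chosen substitute really does not collide with any local range, translates addresses offset-for-offset in both directions, emits the firewall rules for a Linux/iptables firewall (an assumption; the thread does not say what the on-premises device is) and rewrites DNS answers that point into the real AWS range. The hostname and DNS records are constructed for the example.

```python
"""One-to-one (NETMAP-style) address mapping for the 10.10.0.0/16 <-> 172.17.0.0/16 case.

Added example for the re:Post thread above; assumes a Linux/iptables on-premises
firewall and uses constructed DNS records. Not code from the thread or from AWS.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Ranges taken from the question.
REAL_AWS_CIDR: Net = ipaddress.ip_network("10.10.0.0/16")   # what the AWS VPC really uses
MAPPED_CIDR: Net = ipaddress.ip_network("172.17.0.0/16")    # what on-prem hosts will dial
ONPREM_SOURCE: Net = ipaddress.ip_network("192.168.1.0/24")  # the on-prem subnet that needs access
ONPREM_RANGES: List[Net] = [
    ipaddress.ip_network(c)
    for c in ("10.10.0.0/16", "10.11.0.0/16", "192.168.1.0/24", "192.168.2.0/24")
]


def find_conflicts(local: List[Net], remote: Net) -> List[Tuple[str, str]]:
    """(local, remote) prefix pairs that overlap. Any hit means the remote prefix
    cannot be routed into the local network as-is, which is the whole problem here."""
    return [(str(l), str(remote)) for l in local if l.overlaps(remote)]


def check_pair(src: Net, dst: Net) -> None:
    """A 1:1 mapping needs equal prefix lengths (every host offset must exist on
    both sides) and the two ranges must not overlap each other."""
    if src.prefixlen != dst.prefixlen:
        raise ValueError(f"prefix lengths differ: {src} vs {dst}")
    if src.overlaps(dst):
        raise ValueError(f"ranges overlap: {src} and {dst}")


def translate(addr: str, src: Net, dst: Net) -> str:
    """Map addr from src into dst keeping the host bits: 10.10.4.7 -> 172.17.4.7."""
    check_pair(src, dst)
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {src}")
    return str(dst.network_address + (int(ip) - int(src.network_address)))


def to_mapped(real_addr: str) -> str:
    """Real AWS address -> address an on-prem host should use."""
    return translate(real_addr, REAL_AWS_CIDR, MAPPED_CIDR)


def to_real(mapped_addr: str) -> str:
    """Address an on-prem host used -> real AWS address (the firewall's view)."""
    return translate(mapped_addr, MAPPED_CIDR, REAL_AWS_CIDR)


def netmap_rules() -> List[str]:
    """iptables rules for the on-prem firewall (assumed Linux). NETMAP in PREROUTING
    rewrites the destination before routing; conntrack un-translates the replies,
    so no second NAT rule is needed. Steering the rewritten 10.10.x.y packet into
    the tunnel instead of the local 10.10.0.0/16 segment is a policy-routing job
    on the same firewall and is not covered here."""
    check_pair(REAL_AWS_CIDR, MAPPED_CIDR)
    return [
        f"iptables -t nat -A PREROUTING -s {ONPREM_SOURCE} -d {MAPPED_CIDR} "
        f"-j NETMAP --to {REAL_AWS_CIDR}",
        f"iptables -A FORWARD -s {ONPREM_SOURCE} -d {REAL_AWS_CIDR} "
        "-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -s {REAL_AWS_CIDR} -d {ONPREM_SOURCE} "
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


def rewrite_dns_answers(records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """The DNS problem the second answer mentions: AWS-side zones hand out 10.10.x.y
    answers, which on-prem clients would route to the local 10.10.0.0/16 instead of
    the tunnel. Rewrite those A records into the mapped range; leave others alone."""
    rewritten: Dict[str, List[str]] = {}
    for name, addrs in records.items():
        rewritten[name] = [
            to_mapped(a) if ipaddress.ip_address(a) in REAL_AWS_CIDR else a
            for a in addrs
        ]
    return rewritten


if __name__ == "__main__":
    print("conflicts with real range:", find_conflicts(ONPREM_RANGES, REAL_AWS_CIDR))
    print("conflicts with mapped range:", find_conflicts(ONPREM_RANGES, MAPPED_CIDR))
    print("10.10.4.7 is reached as", to_mapped("10.10.4.7"))
    for rule in netmap_rules():
        print(rule)
    # Constructed DNS record for the example.
    print(rewrite_dns_answers({"app.example.internal": ["10.10.1.20", "8.8.8.8"]}))
```

Because the translation happens on the on-premises firewall, the packets that arrive in the VPC carry the real 192.168.1.x source and the real 10.10.x.y destination; the AWS side therefore never sees 172.17.0.0/16, and its route table and security groups only need to reference 192.168.1.0/24. Keep that security-group entry to the /24 that actually needs access rather than a broader range.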
