Wednesday, November 4, 2020

Cisco ASA VTI tunnel into a Google Cloud eve-ng instance: anyone pull off getting eve-ng topology to talk outside without ugly NAT or custom routes?

Spent quite a bit of time last month revamping my homelab at https://kd9cpb.com/initial_setup to use a Cisco ASA VTI tunnel with BGP into an eve-ng instance running on GCP. Overall I'm happy with how it turned out, and help from posts like https://www.reddit.com/r/networking/comments/iyveoc/eveng_google_cloud/ really came in handy when troubleshooting! The only problem is I feel that I'm being sloppy when it comes to getting traffic in/out of the eve-ng topology and onto the VTI tunnel. I'm really curious if anyone has pulled off something cleaner than the following:

  1. Set up an eve-ng instance in GCP (enabling IP forwarding both within GCP and on eve-ng), get a simple VTI tunnel going into my on-site ASA

  2. Create a route to the RFC1918 address space I'll use within the eve-ng topology towards the eve-ng instance in VPC Routes

  3. Advertise custom BGP route on the VTI tunnel to this RFC1918 address space

  4. Pray that I didn't mistype anything in the manual labor involved during steps 2 and 3 so that I can pass traffic through the VTI tunnel

In my perfect world, I'd like to do something more dynamic than the manual custom route in step 3, or somehow trick GCP into letting me use the Cloud0 management interface bridge, eliminating the need for step 2's separate RFC1918 address space within eve-ng topology. I don't want to do ugly stuff with NAT, and after attempting some stupidity with static ARP entries & alias IP ranges, I'm just about ready to throw in the towel.

Maybe the custom VPC route and advertising a custom BGP route is actually the cleanest way to do this, even with hand-jamming this config into the GCP console. Currently I'm too cheap to buy a static IP from my ISP, so I have to manually re-enter the custom BGP route every time my WAN IP changes, which is quite often as I turn off my noisy ASA 5512-X every night. Not the end of the world; someday I'd like to automate this manual labor away with Cloud Shell, but I'm curious if any other eve-ng and/or GCP gurus out here have other thoughts on cleaner ways to do this GCP eve-ng topology outside-world communication.
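As an added example (not part of the original post or of eve-ng/GCP), here is the kind of Cloud Shell script that takes the "pray I didn't mistype anything" out of steps 2 and 3: it refuses any range that is malformed or outside RFC1918 before building the two gcloud commands, and it only prints them unless DRY_RUN=0. It assumes the eve-ng VM is a GCE instance and the ASA's BGP peer is a Cloud Router peer; every name below is a placeholder, and `--set-advertisement-ranges` replaces any custom ranges already on that peer.

```shell
#!/bin/sh
# Added example, not from the post: validate the hand-typed eve-ng RFC1918 range from
# steps 2 and 3 before it goes into GCP, then emit the matching gcloud commands.
# Assumed placeholder names: eve-ng runs on a GCE instance, the ASA's BGP peer is a
# Cloud Router peer. Override any of them from the environment.
NETWORK="${NETWORK:-default}"; INSTANCE="${INSTANCE:-eve-ng}"; ZONE="${ZONE:-us-central1-a}"
ROUTER="${ROUTER:-vti-router}"; PEER="${PEER:-asa-peer}"; REGION="${REGION:-us-central1}"
DRY_RUN="${DRY_RUN:-1}"   # default: only print the commands, never touch GCP

# Returns 0 only for a syntactically valid IPv4 prefix that lies inside RFC1918 space
# (pure POSIX sh, so it runs unchanged in Cloud Shell).
is_rfc1918_cidr() {
  cidr=$1
  case $cidr in *[!0-9./]*|*/*/*|*/|/*) return 1 ;; esac   # only digits, dots, one slash
  case $cidr in */*) ;; *) return 1 ;; esac
  ip=${cidr%/*}; len=${cidr#*/}
  case $len in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  # a typo that widens the mask beyond the RFC1918 block is rejected as well
  if [ "$1" -eq 10 ] && [ "$len" -ge 8 ]; then return 0; fi
  if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && [ "$len" -ge 12 ]; then return 0; fi
  if [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && [ "$len" -ge 16 ]; then return 0; fi
  return 1
}

# Step 2 (VPC route to the eve-ng instance) and step 3 (custom advertised range on the
# BGP peer, keeping the VPC subnets advertised too) as gcloud commands, returned as text
# so they can be reviewed before anything is applied.
eveng_route_cmds() {
  range=$1
  is_rfc1918_cidr "$range" || { echo "refusing malformed or non-RFC1918 range: $range" >&2; return 1; }
  printf '%s\n' \
    "gcloud compute routes create eve-ng-lab --network=$NETWORK --destination-range=$range --next-hop-instance=$INSTANCE --next-hop-instance-zone=$ZONE" \
    "gcloud compute routers update-bgp-peer $ROUTER --region=$REGION --peer-name=$PEER --advertisement-mode=CUSTOM --set-advertisement-groups=all_subnets --set-advertisement-ranges=$range"
}

# Print in dry-run mode; otherwise run the commands one per line, stopping at the first failure.
apply() {
  cmds=$(eveng_route_cmds "$1") || return 1
  [ "$DRY_RUN" = 1 ] && { printf '%s\n' "$cmds"; return 0; }
  printf '%s\n' "$cmds" | while IFS= read -r c; do $c || exit 1; done
}

apply "${1:-10.250.0.0/16}"   # constructed sample range; pass your own as $1
```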
