Wednesday, October 13, 2021

Help regarding AWS VPC networking.

Hello All,

I've recently started a new role, and I'm having some trouble figuring out a bit of AWS to "On-Prem" networking. Unfortunately, the last guy to hold my position did not leave much documentation, so I'm trying to wrap my head around what is currently in place while still dealing with a backlog of tickets.

About the situation:

We are in the process of moving a customer (CxCompany) to their own AWS account as we somehow got stuck hosting their infrastructure after spinning up a test environment for them.

MyCompany is slowly moving to be more 'Cloud' focused, and I anticipate creating a process for connecting to customer networks will become a priority once I can figure out the proper steps.

What I am trying to Accomplish:

Add a new AWS VPC (subnets 172.41.10.0/24 & 172.41.11.0/24) to an existing VPN connection to allow for direct communication with the resources.

Current Configuration:

To connect to our AWS resources, MyCompany uses a virtual pfSense firewall that is hosted in AWS.

NAT and AWS VPC peering have been configured such that MyCompany's AWS resources are capable of communicating with the resources in the new VPC.

CxCompany connects to their AWS resources that we manage via a third party VPN. The third party VPN is using an IPsec tunnel to connect the following:

The first entry is currently working as expected, while the bottom two entries that I added are not.

Local Subnet (AWS Resources)    Remote Subnet (CxCompany VPN)
10.21.107.0/24                  10.101.100.0/24
172.41.10.0/24                  10.101.100.0/24
172.41.11.0/24                  10.101.100.0/24

What I have done:

To try to resolve this issue, I created the bottom two IPsec tunnels listed above and added outbound NAT rules to allow 10.101.100.0/24 to see the new subnets.

I also contacted their VPN provider who apparently added P2 entries to their configuration to allow for them to connect to the new VPC.

Where I am stuck:

Currently, CxCompany can connect to resources in the new VPC only if they 'jump' through one of the servers living in the 10.101.100.0/24 network.

Attempts to connect directly to resources in the 172.41.x.x subnets time out.

The IPsec tunnel on the MyCompany firewall indicates a high amount of outbound traffic, but little to no inbound traffic.

My Question:

Other than adding NAT rules and additional P2 entries to our firewall, am I missing something that would prevent communication from their VPN to the new VPC?
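One way to reason about a tunnel whose counters rise in only one direction is to model each peer's phase-2 traffic selectors and any outbound NAT applied before encryption, then trace a packet and its reply through both ends: a session only completes when all four legs (forward out, forward in, reply out, reply in) match a selector and the reply comes back from the address the client connected to. The script below is an added example, not the poster's configuration or pfSense code. Only the subnets come from the post; the peer objects, the three sample scenarios, the hypothetical NAT rule on the new VPC and the host addresses are assumptions constructed to exercise the check.

```python
"""Two-sided IPsec phase-2 (traffic selector) coverage check.

Added example, not code from the original post. It models the subnets the
post names; the peer objects, P2 lists, NAT rule and sample hosts below are
assumptions constructed to exercise the check, not the real configurations.
"""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class P2:
    """One phase-2 entry as a peer sees it: local network <-> remote network."""
    local: Net
    remote: Net


@dataclass
class Peer:
    name: str
    p2s: list
    # Outbound source NAT applied before the packet enters the tunnel:
    # (network whose sources are rewritten, address they are rewritten to).
    snat: list = field(default_factory=list)

    def apply_snat(self, src: IPv4) -> IPv4:
        for net, new_src in self.snat:
            if src in net:
                return new_src
        return src

    def covers_outbound(self, src: IPv4, dst: IPv4) -> bool:
        """Packet leaving this peer: src must be in a P2 local, dst in its remote."""
        return any(src in p.local and dst in p.remote for p in self.p2s)

    def covers_inbound(self, src: IPv4, dst: IPv4) -> bool:
        """Packet arriving at this peer: src must be in a P2 remote, dst in its local."""
        return any(src in p.remote and dst in p.local for p in self.p2s)


def trace_flow(sender: Peer, receiver: Peer, src: IPv4, dst: IPv4) -> list:
    """Follow one packet src->dst and its reply through both peers' selectors.

    Returns a list of problem descriptions; an empty list means the session
    can complete in both directions. A selector present on only one side, or
    a reply whose source was rewritten by NAT, shows up here.
    """
    problems = []
    src_seen = sender.apply_snat(src)  # what the tunnel and the receiver see
    if not sender.covers_outbound(src_seen, dst):
        problems.append(f"{sender.name}: no P2 covers {src_seen} -> {dst} (forward, outbound)")
    if not receiver.covers_inbound(src_seen, dst):
        problems.append(f"{receiver.name}: no P2 covers {src_seen} -> {dst} (forward, inbound)")
    # The reply goes back to whatever source address the receiver saw.
    reply_src = receiver.apply_snat(dst)
    if not receiver.covers_outbound(reply_src, src_seen):
        problems.append(f"{receiver.name}: no P2 covers {reply_src} -> {src_seen} (reply, outbound)")
    if not sender.covers_inbound(reply_src, src_seen):
        problems.append(f"{sender.name}: no P2 covers {reply_src} -> {src_seen} (reply, inbound)")
    # A stateful client drops a reply from an address it never connected to,
    # even when every selector on the path lets the packet through.
    if reply_src != dst:
        problems.append(f"reply arrives from {reply_src}, but the client connected to {dst}")
    return problems


# Subnets from the post.
CX_LAN = Net("10.101.100.0/24")
AWS_OLD = Net("10.21.107.0/24")
AWS_NEW = [Net("172.41.10.0/24"), Net("172.41.11.0/24")]

# Constructed peers (assumptions, not the poster's real configuration).
mycompany = Peer("MyCompany pfSense",
                 [P2(AWS_OLD, CX_LAN)] + [P2(n, CX_LAN) for n in AWS_NEW])
cx_partial = Peer("CxCompany VPN (original P2 only)", [P2(CX_LAN, AWS_OLD)])
cx_full = Peer("CxCompany VPN (all three P2s)",
               [P2(CX_LAN, AWS_OLD)] + [P2(CX_LAN, n) for n in AWS_NEW])
# Hypothetical: an outbound NAT rule that rewrites sources in the new VPC to
# an address in the old subnet before they enter the tunnel.
mycompany_natted = Peer("MyCompany pfSense (SNAT on new VPC)", mycompany.p2s,
                        snat=[(AWS_NEW[0], IPv4("10.21.107.1"))])

CX_HOST = IPv4("10.101.100.10")       # constructed client on the CxCompany side
NEW_VPC_HOST = IPv4("172.41.10.20")   # constructed server in the new VPC


def scenario_missing_remote_p2() -> list:
    return trace_flow(cx_partial, mycompany, CX_HOST, NEW_VPC_HOST)


def scenario_both_sides_complete() -> list:
    return trace_flow(cx_full, mycompany, CX_HOST, NEW_VPC_HOST)


def scenario_reply_rewritten_by_nat() -> list:
    return trace_flow(cx_full, mycompany_natted, CX_HOST, NEW_VPC_HOST)


if __name__ == "__main__":
    for fn in (scenario_missing_remote_p2, scenario_both_sides_complete,
               scenario_reply_rewritten_by_nat):
        print(fn.__name__, "->", fn() or ["ok"])
```

The first scenario fails on the CxCompany side in both directions, which is what a remote peer whose new P2 entries were never actually applied would look like; the third passes every selector check yet still breaks the session, because the reply comes from the NAT address rather than the server the client connected to. Replacing the constructed peers with the real P2 lists from both firewalls turns this into a quick way to confirm or rule out a selector mismatch before chasing routes and security groups.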
