Method of Procedure Version: 1.4
Prepared by: Eholo Castro Salcedo
Reviewed by: ECSysLabs Network Team
Published date: February 8th, 2024
Note: More components can be added to this VPC, but as it is, it serves as a starting point.
*Creating the VPC:
→ Log into the AWS Console and choose the closest region to your location
→ From services, search and select VPC
→ Click on create VPC and type a custom name for the new VPC.
→ For the IPv4 CIDR block type: 8.8.0.0/16
→ Leave the rest as is and click on create and close
*Creating the Public Subnet for the Cisco Router (CSR):
→ From the menu select Subnets
→ click on create subnet
→ type a custom name for the Cisco router subnet
→ From the VPC drop down list menu, choose the recently created VPC
→ ++Note: The router's subnet must be in the same availability zone as the interfaces that will connect to it, so choose one of the following:
us-east-2a (E2AZ1)
us-east-2b (E2AZ2)
us-east-2c (E2AZ3)
→ By default in this example, I will choose us-east-2a (E2AZ1)
→ For the IPv4 CIDR block type: 8.8.10.0/24
→ Click on create
*Creating the Private Subnet for the LAN:
→ From the menu select Subnets
→ click on create subnet
→ type a custom name for the LAN subnet
→ In the VPC drop down list menu, choose the recently created VPC.
→ For the availability zone, choose: No preference
→ For the IPv4 CIDR block type: 8.8.20.0/24
→ Click on Create
*Creating the Internet Gateway:
→ From the menu select Internet Gateways
→ Click on Create internet gateway
→ In the name tag blank space, type a custom name for the internet gateway
→ Click on Create
→ In the list of all existing gateways, select our recently created internet gateway
→ From the Actions drop down list menu, choose: Attach to VPC
→ Select our recently created VPC
→ Click on attach
→ ++Note: Verify that in the list of all existing gateways, our recently created internet gateway’s state
appears as: attached
*Creating a Route table 1:
→ From the menu select Route tables
→ Click on Create route table
→ In the name tag blank space, type a custom name for the route table
→ From the VPC drop down list menu, choose the recently created VPC
→ Click on Create
→ In the route table list, select only this route table and, in the menu below, select: Subnet associations
→ Click on Edit subnet associations
→ Select the Subnet ID belonging to the Private Subnet for the LAN, with the IPv4 CIDR:
8.8.20.0/24
→ Click on Save
++Note: We will come back to edit this route table once we have created and configured our CSR and its Network interface.
*Creating / editing Route table 2 (the route table created automatically with the VPC):
++Note: AWS creates this route table automatically when the VPC is created; it needs to be edited (or replaced by a newly created route table 2)
→ Select it and click on Edit routes
→ The first route, Destination 8.8.0.0/16 with Target local, is already there and stays as is
→ Click on Add route
→ In the second Destination field, type: 0.0.0.0/0 ; the Target should be the recently created Internet Gateway
→ Click on Save routes
++Note: If you use a newly created route table 2 instead, delete the route table that was created automatically with the VPC
→ Click on Close
→ Select the newly created route table 2 (or the edited automatically created one) and, in the menu below, select: Subnet associations
→ Click on Edit subnet associations
→ Select the Subnet ID belonging to the Public Subnet for the Cisco Router, with the IPv4 CIDR:
8.8.10.0/24
→ Click on Save
++Note: We will come back to edit this route table once we have created and configured our CSR and its
Network interface.
*Creating a Security Group for the Cisco Router:
→ Create and name a new Security Group with the following Inbound rules:
Rule 1 = Type: SSH ; Protocol: TCP ; Port Range: 22 ; Source: 0.0.0.0/0
Rule 2 = Type: All traffic ; Protocol: All ; Port Range: N/A ; Source: 0.0.0.0/0
Rule 3 = Type: All traffic ; Protocol: All ; Port Range: N/A ; Source: ::/0
Rule 4 = Type: All UDP ; Protocol: UDP ; Port Range: 0 - 65535 ; Source: 0.0.0.0/0
Rule 5 = Type: All UDP ; Protocol: UDP ; Port Range: 0 - 65535 ; Source: ::/0
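Added example (not part of the procedure): a small checker over the five rules above, showing that every one of them admits the entire internet (an RDP probe from an arbitrary address passes even though no rule names RDP), beside a tightened rule set for the same lab. The operator address 203.0.113.10/32, the sample source addresses, and the assumption that the CSR only needs SSH from the operator plus traffic from inside the VPC are mine, not the page's.

```python
import ipaddress

# Inbound rules of the CSR security group exactly as the procedure lists them
# (constructed transcription). Tuple: (protocol, from_port, to_port, source CIDR);
# protocol "-1" with ports None means "all traffic".
PAGE_RULES = [
    ("tcp", 22, 22, "0.0.0.0/0"),     # Rule 1: SSH from anywhere
    ("-1", None, None, "0.0.0.0/0"),  # Rule 2: all IPv4 traffic from anywhere
    ("-1", None, None, "::/0"),       # Rule 3: all IPv6 traffic from anywhere
    ("udp", 0, 65535, "0.0.0.0/0"),   # Rule 4: all UDP, IPv4
    ("udp", 0, 65535, "::/0"),        # Rule 5: all UDP, IPv6
]

def tightened_rules(admin_cidr, vpc_cidr="8.8.0.0/16"):
    """Least-privilege rule set for this lab (assumption: the CSR only needs
    SSH from the operator's address and traffic from inside the VPC to NAT).
    Replies to the CSR's own outbound NAT sessions are admitted by the
    security group's connection tracking and need no inbound rule."""
    return [("tcp", 22, 22, admin_cidr), ("-1", None, None, vpc_cidr)]

def allowed(rules, proto, port, src_ip):
    """True if any rule admits the packet; security group rules only permit."""
    ip = ipaddress.ip_address(src_ip)
    for r_proto, lo, hi, cidr in rules:
        net = ipaddress.ip_network(cidr)
        if net.version != ip.version or ip not in net:
            continue
        if r_proto not in ("-1", proto):
            continue
        if lo is not None and not lo <= port <= hi:
            continue
        return True
    return False

def world_open(rules):
    """1-based numbers of rules whose source is an entire address family."""
    return [n for n, (_, _, _, cidr) in enumerate(rules, 1)
            if ipaddress.ip_network(cidr).prefixlen == 0]

if __name__ == "__main__":
    tight = tightened_rules("203.0.113.10/32")   # constructed operator address
    print("rules open to the world:", world_open(PAGE_RULES))
    print("RDP from the internet, page rules:", allowed(PAGE_RULES, "tcp", 3389, "198.51.100.7"))
    print("SSH from the internet, tightened:", allowed(tight, "tcp", 22, "198.51.100.7"))
    print("LAN host 8.8.20.50 to CSR, tightened:", allowed(tight, "udp", 53, "8.8.20.50"))
```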
*Create / Assign existing EC2 Instance that will interact with router (CSR) in the Public Subnet:
→ From Services, select EC2, click on launch instance, and choose the type of regular ec2 instance. Free Tier is recommended.
++For this example, we will name this instance: JumpServer
→ Whether creating a new instance or using an existing one, in the Configure Instance section (step 3), Network subsection, choose our recently created VPC
→ For the Subnet subsection, choose the Public Subnet for the Cisco Router (CSR)
→ In the Auto-assign Public IP subsection, choose: Enable
→ In the Configure Security Group section (step 6), select the Security Group for the Cisco Router
→ Create or select an existing Key pair in .ppk format
→ Also keep a copy of the key in .pem format for later use (not needed right now; we will use the .ppk copy first)
→ Launch and view instance
*Create / Assign existing EC2 Instance that will be in the Private Subnet for the LAN:
→ From Services, select EC2, click on launch instance, and choose the type of regular ec2 instance.
Free Tier is recommended.
→ Whether creating a new instance or using an existing one, in the Configure Instance section (step 3), Network subsection, choose our recently created VPC
→ For the Subnet subsection, choose the Private Subnet for the LAN
→ In the Auto-assign Public IP subsection, choose: Disable
→ In the Configure Security Group section (step 6), select the Security Group for the Cisco Router
→ Select the Key pair in .ppk format used previously
→ Launch and view instance
++Note: All regular ec2 instances in the Private Subnet should be in the same region and availability zone as the CSR. They should also have the VPC ID of the CSR and the Subnet ID of the Private Subnet for the LAN.
*Creating the Cisco Cloud Services Router (CSR):
→ From Services, select EC2, click on launch instance, and from the Quick Start menu choose:
AWS Marketplace
→ In the search bar of the Choose an Amazon Machine Image (AMI) section (step 1), type: CSR
→ Choose the Free Trial CSR AMI: 1000V - AX Pkg. Max Performance, or the 1000V - Security Pkg.
Max Performance
→ Click Continue and choose instance type
→ In the Configure Instance section (step 3), Network subsection, choose our recently created VPC
→ For the Subnet subsection, choose the Public Subnet for the Cisco Router (CSR)
→ In the Auto-assign Public IP subsection, choose: Enable
→ In the Network interfaces section, choose a Primary IP if desired, for example: 8.8.10.100
++Note: Make sure to note down this primary private IPv4 address; it is used in the Creating Network Interfaces phase.
→ In Add Tags section (step 5), in the Key blank space type: Name ; and in the Value blank space
for example, type: CSR1000
→ In the Configure Security Group section (step 6), select the previous Security Group for the Cisco
Router
→ Select the Key pair used previously
→ Launch and view instance
→ Wait for the CSR instance to be in the running state with 2/2 status checks passed
*Viewing current CSR’s Network Interface and creating a new one for the Private Subnet for the LAN:
→ From the main menu select Network Interfaces
→ Select and identify the Network Interface ID whose primary private IPv4 address is the CSR's; in this example, 8.8.10.100
→ Keep this Network Interface selected, click on Actions, and click on Change Source/Dest. Check
→ For the Source/Dest. Check choose Disable, and click Save
→ Click on Create Network Interface
→ In the Subnet drop-down list, select the Private Subnet for the LAN
→ Since the IPv4 CIDR block of the Private Subnet for the LAN is 8.8.20.0/24, you can type a custom private IPv4 address such as: 8.8.20.100
→ For the Security groups, select the one we created for the CSR
→ Click on Create
++Note: The Network Interface we just created is the one whose status is: available
→ In the list of Network Interfaces, select it and edit its Name; it can be, for example: For LAN subnet 8.8.20.100
→ Keep this Network Interface selected, click in Actions, and click on Change Source/Dest. Check
→ For the Source/Dest. Check choose Disable, and click Save.
→ Keep this Network Interface selected and click on Attach
→ In the Instance ID drop down list, select the one of the CSR
→ Click on Attach and wait until its status changes from available to in use
*Connecting to the CSR
→ Go to Instances
→ Select the CSR instance and on the below Details section, copy the IPv4 Public IP
→ Open Putty or any other SSH Client. In the Hostname blank space, paste the CSR’s IPv4 Public
IP and have port set as 22
→ Click on the SSH section, then on the Auth subsection, and un-check the box: Display pre-authentication banner (SSH-2 only)
→ Click on Browse and select the Key in .ppk format.
→ Click on Open
→ Click on Yes to trust the host connection
→ By default the login name is: ec2-user
→ Once inside the CSR, review and configure as needed; for example, check the CSR's version and interface descriptions, and/or change its hostname
→ To see the recently created Network Interface for the Private Subnet for the LAN, type: sh ip int bri
→ GigabitEthernet2 is the interface for the Private Subnet for the LAN. It should appear below GigabitEthernet1 with the IP address unassigned, method unset, status administratively down and protocol down
→ In the CSR, enter configuration mode by typing: config t
→ Enter (config-if)# mode by typing: int gigabitEthernet2
→ Assign the previously created custom private IPv4 address to GigabitEthernet2 by typing: ip address 8.8.20.100 255.255.255.0
→ To bring the interface up, type: no shutdown
→ To go back to privileged mode, type exit twice
*Verifying connectivity of all ec2 instances to the CSR
→ Go to Instances and select a regular ec2 instance, recently created or existing
→ In the Description details below, copy the Private IP
→ Go back to the CSR session in Putty and, in # mode, type: ping <IP of ec2 instance in private subnet of the LAN>
→ Log into the ec2 instance we just pinged and ping the CSR back
→ Check the NAT configuration (see the Basic configurations section below)
*Editing the route table of the Private Subnet of the LAN (Route table 1 above) and the route table of the CSR Public Subnet (Route table 2 above):
++Note: The edit to the LAN's route table configures the path between the CSR and the private subnet of the LAN
→ Go to Route Tables
→ Select the routing table of the private subnet for the LAN
→ Down in the menu, select the Routes tab and Click on Edit routes
++Note: Only the two following routes should be there:
Destination: 8.8.0.0/16 ; Target: local
Destination: 0.0.0.0/0 ; Target: the Network Interface (eni) of the LAN's Private Subnet. The Target must not be the Internet Gateway; remove that route if present.
→ Click on Add route
→ In the Destination blank space, type: 0.0.0.0/0
→ From the Target drop down list, select: Network Interface
→ Choose the eni for the Private Subnet of the LAN (For this example, the one for:
8.8.20.100)
→ Click on Save routes
++Note: The edit to the CSR Public Subnet's route table configures the path from the CSR to the Internet Gateway
→ Go to Route Tables
→ Select the routing table of the public subnet of the CSR
→ Down in the menu, select the Routes tab and Click on Edit routes
→ Click on Add route
→ In the Destination blank space, type: 0.0.0.0/0
→ From the Target drop down list, select: Internet Gateway (choose the one that was created
previously for this VPC)
→ Click on Save routes
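Added example (not part of the procedure): a longest-prefix-match simulation of the two route tables above, tracing where a packet from a LAN instance or from the CSR itself ends up. The target ids, the CSR's forwarding behaviour and the sample destinations are assumptions of mine. It also gives a check worth running before the ping tests later in this document: any destination inside the VPC CIDR 8.8.0.0/16 is matched by the local route, so a target such as 8.8.8.8 never reaches the Internet Gateway.

```python
import ipaddress

# The two VPC route tables this procedure ends up with (constructed transcription).
# Target ids are placeholders, not real AWS ids.
LAN_RT = [("8.8.0.0/16", "local"), ("0.0.0.0/0", "eni-CSR-LAN-8.8.20.100")]
PUBLIC_RT = [("8.8.0.0/16", "local"), ("0.0.0.0/0", "igw-VPC")]
CSR_CONNECTED = ["8.8.10.0/24", "8.8.20.0/24"]   # GigabitEthernet1 / GigabitEthernet2

def lookup(route_table, dst):
    """AWS route tables use longest-prefix match: the most specific route wins."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(dst, origin="lan"):
    """Hops for a packet from a LAN instance ("lan") or from the CSR itself
    ("csr"). Assumes the CSR delivers its connected subnets directly and sends
    everything else out GigabitEthernet1 into the public subnet (NAT applies
    to LAN sources only)."""
    ip = ipaddress.ip_address(dst)
    hops = []
    if origin == "lan":
        hops.append(("LAN route table", lookup(LAN_RT, dst)))
        if hops[-1][1] == "local":        # another host in the VPC, no CSR involved
            return hops
    if any(ip in ipaddress.ip_network(c) for c in CSR_CONNECTED):
        hops.append(("CSR", "connected subnet"))
        return hops
    hops.append(("CSR", "out GigabitEthernet1" + (" after NAT" if origin == "lan" else "")))
    hops.append(("Public route table", lookup(PUBLIC_RT, dst)))
    return hops

def exits_via_igw(dst, origin="lan"):
    """Check worth running before the ping tests: does the destination actually
    leave the VPC through the Internet Gateway? Any address inside the VPC CIDR
    8.8.0.0/16 (8.8.8.8 included) is matched by the local route instead."""
    return str(trace(dst, origin)[-1][1]).startswith("igw-")

if __name__ == "__main__":
    for target in ("8.8.10.100", "1.1.1.1", "8.8.8.8"):
        print(target, trace(target), "reaches IGW:", exits_via_igw(target))
        print(target, trace(target, "csr"), "reaches IGW:", exits_via_igw(target, "csr"))
```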
*Basic configurations of the CSR for external connections:
→ Go back into the CSR CLI
→ Enter global configuration mode from # privileged mode by typing: config t
→ Create the access list by typing: ip access-list extended LAN-subnet-access-list
→ Inside the access list (config-ext-nacl), permit the LAN subnet 8.8.20.0/24 by typing: permit ip 8.8.20.0 0.0.0.255 any
→ Return to # mode by typing: exit
→ Go back to configuration mode by typing: config t
→ Configure interface one, by typing: int gigabitEthernet1
→ Set up nat outside by typing: ip nat outside
→ Configure interface two, by typing: int gigabitEthernet2
→ Set up nat inside by typing: ip nat inside
→ To go back to config mode, type: exit
→ Apply NAT overload (PAT) using the access list just created, by typing: ip nat inside source list LAN-subnet-access-list interface gigabitEthernet1 overload
→ Go back to # mode by typing: exit
→ Ping Google's DNS server sourced from the LAN-side interface address, by typing: ping 8.8.8.8 source 8.8.20.100
*Connecting to an ec2 instance in the private subnet from an ec2 instance in the public subnet (for this example, we will use the JumpServer):
→ ssh into the JumpServer (the ec2 instance created at the beginning in the public subnet)
→ In the home directory, create a file by typing: touch <filename> (use the name of the Key created initially)
→ Open Key in .pem format, and copy the entire .pem Key
→ Open any note editor. For this example, use Notepad++ and paste the .pem Key in it.
→ Open the recently created file on the JumpServer by typing: nano <filename>
→ Paste the .pem Key from Notepad++ (or your text editor of preference) into the nano window on the JumpServer. Press Control-X and save it under the same Key name
→ Restrict the permissions of that .pem Key file by typing: chmod 600 <filename>
→ SSH from the JumpServer to the private ec2 instance by typing: ssh -i <filename> <username of ec2 instance in private subnet>@<IP of ec2 instance in private subnet>
→ Once inside do: ping 8.8.8.8
→ To analyze routing path to the Google DNS type: traceroute 8.8.8.8
→ To disconnect, type: exit