When importing a brownfield infrastructure from cloud (AWS/Azure/GCP), it is not a given that the brownfield infrastructure has a unique IP subnet compared to what you already have in your existing CNC Fabric Tenants (onCloud/onPrem).
In this short writeup I will go through how to import a brownfield cloud infrastructure which has overlapping subnets with your existing infrastructure.
Dealing with overlapping Subnets
If you have guessed that the way to deal with this is to do some sort of address translation between the existing infrastructure and the brownfield infrastructure then you are correct. The Network Address Translation needs to be both ways, so that you can reach from Site A to Site B and also from Site B to Site A.
In the figure below I show an example where the onPrem ACI Tenant has a BD subnet of 10.10.10.0/24 which happens to overlap with the AWS brownfield VPC Subnet of 10.10.10.0/24.
Figure 1: Overall Brownfield Import Topology for overlapping subnets
We spin up an ASA from marketplace on a separate VPC
The ASA has an inside interface, a outside interface and a mgmt interface where there is a jumpbox which has security group configured to be able to ssh to the ASA.
📙 Note the configuration for the ASA:
Packets going from onPrem VM to brownfield ec2
- insideReal object group refers to the 10.10.10.0/24 onPrem subnet
- To reach brownfield ec2 from onPrem VM you have to send packets to destination of the corresponding IP of the outside ASA subnet. In our example browfield ec2 has an IP of 10.10.10.212 and outside asa subnet is 172.16.1.0/24. So from onPrem VM you have to ping 172.16.1.212 to reach brownfield ec2
- This is internally mapped on the ASA to the inside IP subnet of 172.16.0.0/24
- On the egress side the destination IP is changed to brownfield subnet of 10.10.10.0/24
- Brownfield ec2 receives packet from subnet of 172.16.0.0/24
Packets going from brownfield ec2 to onPrem VM
- outsideReal object group refers to the 10.10.10.0/24 brownfield subnet
- To reach onPrem VM from brownfield ec2 you have to send packets to destination of the corresponding IP of the inside ASA subnet. In our example onPrem has an IP of 10.10.10.90 and inside asa subnet is 172.16.0.0/24. So from brownfield ec2 you have to ping 172.16.0.90 to reach onPrem VM.
- This is internally mapped on the ASA to the outside IP subnet of 172.16.1.0/24
- On the egress side the destination IP is changed to onPrem subnet of 10.10.10.0/24
- onPrem VM receives packet from subnet of 172.16.1.0/24
The complete relevant configuration of the ASA is shown below.
📙 Note the Static routes of 10.10.10.0/24 on both inside and outside interfaces. The inside corresponds to the onPrem 10 subnet while the outside corresponds to the Brownfield 10 subnet
! interface Management0/0 no management-only nameif management security-level 100 ip address dhcp setroute ! interface TenGigabitEthernet0/0 nameif inside security-level 50 ip address 172.16.0.176 255.255.255.0 ! interface TenGigabitEthernet0/1 nameif outside security-level 0 ip address 172.16.1.143 255.255.255.0 ! object-group network outside-devices network-object object outsideReal ! object network insideReal subnet 10.10.0.0 255.255.255.0 object network insideMapped subnet 172.16.0.0 255.255.255.0 object network outsideReal subnet 10.10.10.0 255.255.255.0 object network outsideMapped subnet 172.16.1.0 255.255.255.0 nat (inside,outside) source static insideReal insideMapped destination static outsideMapped outsideReal route inside 10.10.10.0 255.255.255.0 172.16.0.1 1 route outside 10.10.10.0 255.255.255.0 172.16.1.1 2 access-list outside-in extended permit ip object-group outside-devices any4 access-list cap1 extended permit ip host 10.10.10.212 any4 access-list cap1 extended permit ip host 10.10.10.90 any4 ! access-group outside-in in interface outside
The other item to keep in mind is that you have to have specific routes for the inside and outside subnets to make sure that the packets are forced to go through to the correct destinations. This is illustrated in the diagram below.
Figure 2: Routing Configuration for inside and outside subnets
At this point you can import the ASA VPC you created into CNC.
⚠️ Make sure to do the brownfield import in unmanaged mode, because you don’t want the routing tables to be consolidated into one Global routing table for all subnets in the VPC.
For Verification you can ping from onPrem VM to brownfield ec2 and vice-versa.
📙 Note: in the example shown in the figure below when pinging from onPrem 10.0.10.90 to brownfield ec2 10.10.10.212, you have to ping 172.16.1.212
When pinging from brownfield ec2 10.10.10.212 to onPrem VM 10.10.10.90, you have to ping 172.16.0.90
Figure 3: Static Routes defined for Subnets
looking at NAT entries on ASA:
Figure 4: Nat Entries on ASA
Capturing packets on ASA while pinging from onPrem VM to brownfield EC2
capture test1 access-list cap1 interface inside real-time
Figure 5: Capturing packets on ASA
tcpdump on ec2 while pinging from onPrem VM
sudo tcpdump icmp
Figure 6: tcpdump on ec2 while pinging from onPrem VM
📙 Note that from oPrem VM we pinged 172.16.1.212 to reach brownfeild ec2, however the brownfield ec2 sees the packet with source IP of 172.16.0.90