MPLS Network Connection
I have two offices. Each has a Cisco 837 that is managed by the ISP. At each office the Cisco 837 is connected to a PIX 506E that is used as a firewall and port translater.
The ISP says MPLS is working between the two Cisco 837.
Unfortunately, I do not know how to get the PIX506E to get the inter-office traffic to go via the MPLS links.
I'm happy to offer 2000-4000 points for someone who can help me get the inter-office traffic working using MPLS.
regards, Mark
The ISP says MPLS is working between the two Cisco 837.
Unfortunately, I do not know how to get the PIX506E to get the inter-office traffic to go via the MPLS links.
I'm happy to offer 2000-4000 points for someone who can help me get the inter-office traffic working using MPLS.
regards, Mark
ASKER
In office A the subnet is 192.168.1.xxx
In office B the subnet is 192.168.2.xxx
I got this message from the ISP
I have checked your site routers, and the MPLS-VPN between the two sites is definitely operational.
This is from your home site to the office router:
gthm_rt837_0101#ping 10.64.100.1 source 10.64.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.64.100.1, timeout is 2 seconds:
Packet sent with a source address of 10.64.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/71/80 ms
This is from your office router to the home site:
gtof_rt837_0101#ping 10.64.101.1 source 10.64.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.64.101.1, timeout is 2 seconds:
Packet sent with a source address of 10.64.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/54/100 ms
As you can see, if you use the 10.64.100.x and 10.64.101.x addresses, traffic will run natively (i.e. not across the internet) between your two offices.
I have the setup files of the 837s and the 506Es
regards, Mark
In office B the subnet is 192.168.2.xxx
I got this message from the ISP
I have checked your site routers, and the MPLS-VPN between the two sites is definitely operational.
This is from your home site to the office router:
gthm_rt837_0101#ping 10.64.100.1 source 10.64.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.64.100.1, timeout is 2 seconds:
Packet sent with a source address of 10.64.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/71/80 ms
This is from your office router to the home site:
gtof_rt837_0101#ping 10.64.101.1 source 10.64.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.64.101.1, timeout is 2 seconds:
Packet sent with a source address of 10.64.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/54/100 ms
As you can see, if you use the 10.64.100.x and 10.64.101.x addresses, traffic will run natively (i.e. not across the internet) between your two offices.
I have the setup files of the 837s and the 506Es
regards, Mark
ASKER
I should add that the external Ip on the 506E at each location is
10.64.101.10 and 10.64.100.10
the internal IP are
192.168.2.1 and 192.168.1.1
respectively
regards, Mark
10.64.101.10 and 10.64.100.10
the internal IP are
192.168.2.1 and 192.168.1.1
respectively
regards, Mark
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
If the default gateway config above configs, you can change it to the config below to route just the inter-office traffic through the MPLS links ;
At the home site
route outside 192.168.2.0 255.255.255.0 10.64.100.1 1
At the office end
route outside 192.168.1.0 255.255.255.0 10.64.101.1 1
At the home site
route outside 192.168.2.0 255.255.255.0 10.64.100.1 1
At the office end
route outside 192.168.1.0 255.255.255.0 10.64.101.1 1
ASKER
On the home 506E which has outside NIC10.64.101.10 I have the static route
route outside 0.0.0.0 0.0.0.0 10.64.101.1 1
On the office 506E which has outside NIC 10.64.100.10 I have the static route
route outside 0.0.0.0 0.0.0.0 10.64.100.1 1
Because I could not get the MPLS to work, I put in a VPN between the two 506E. I can take the VPN out but only for short times as I need mail to flow between the two sites.
Would it help if I put up the config for the two 506E? I also have the config for the two 837s from the ISP.
I'm not sure if your suggestion is for me to route traffice from 10.64.100.10 to 10.64.101.1 for traffic going to the 192.168.2.0 subnet from the 192.168.1.0 subnet Is this correct?
regards, Mark
route outside 0.0.0.0 0.0.0.0 10.64.101.1 1
On the office 506E which has outside NIC 10.64.100.10 I have the static route
route outside 0.0.0.0 0.0.0.0 10.64.100.1 1
Because I could not get the MPLS to work, I put in a VPN between the two 506E. I can take the VPN out but only for short times as I need mail to flow between the two sites.
Would it help if I put up the config for the two 506E? I also have the config for the two 837s from the ISP.
I'm not sure if your suggestion is for me to route traffice from 10.64.100.10 to 10.64.101.1 for traffic going to the 192.168.2.0 subnet from the 192.168.1.0 subnet Is this correct?
regards, Mark
ASKER
how do I sent the rest of the traffic to the Internet?
regards, Mark
regards, Mark
It would be good if you put here the configs of the two 506E and the two 837 as in my opinion it should already work.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Unami, lets have the configs that u said u hav.
ASKER
I have attached the four configs in separate files.
Please note that I have left the current IPSEC VPN between the two 506e. If I take this out, I cannot connect to the office anymore uless I use a temporary PPTP VPN. Will need to do this to test any config changes.
regards,
Mark
gtof-rt837-0101-confg.txt
gthm-rt837-0101-confg.txt
PIX506E-GTOffice-091225.txt.txt
PIX506E-GTHome-091225.txt.txt
Please note that I have left the current IPSEC VPN between the two 506e. If I take this out, I cannot connect to the office anymore uless I use a temporary PPTP VPN. Will need to do this to test any config changes.
regards,
Mark
gtof-rt837-0101-confg.txt
gthm-rt837-0101-confg.txt
PIX506E-GTOffice-091225.txt.txt
PIX506E-GTHome-091225.txt.txt
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I'm going to try this solution this week to see if it works.
It is hard to know if you are talking about changes on the 837 devices or the 506E devices.
regards, Mark
It is hard to know if you are talking about changes on the 837 devices or the 506E devices.
regards, Mark
The changes I am talking about are on the 506E devices.
Do you have working incoming internet traffic to the NATs currently in place?
Do you have working incoming internet traffic to the NATs currently in place?
Oh and make sure you back the configs up and dont write the new ones until you know everything is working...
ASKER
I currently have everything working as I want it, it was just the ISP said that I need to get rid of the IPSEC VPN between office and home and use the MPLS. They told me that I pay for traffic that is not using MPLS between the office and home.
I will give the setup a try Wednesday. It is madness here.
regards, Mark
I will give the setup a try Wednesday. It is madness here.
regards, Mark
ASKER
The situation changed and the mpls routing was no longer needed.
Most likely you don't have to worry much about the MPLS, as the telco is probably acting as the Provider Edge and the Customer Edge with the cisco 837.
What are your requirements for trafficon this network. Do you need to encrypt the data before it hits the provider networks? Do you have a hub site or hub sites? There are a lot of details that you would need to provide in order to answer this question.