• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 680

MPLS Network Connection

I have two offices. Each has a Cisco 837 that is managed by the ISP. At each office the Cisco 837 is connected to a PIX 506E that is used as a firewall and port translater.

The ISP says MPLS is working between the two Cisco 837.

Unfortunately, I do not know how to get the PIX506E to get the inter-office traffic to go via the MPLS links.

I'm happy to offer 2000-4000 points for someone who can help me get the inter-office traffic working using MPLS.

regards, Mark
Asked: uanmi
 
lanboyoCommented:
Okay, what is the provider offering you in terms of routing protocols? Are you supposed to put in static routes or BGP?

Most likely you don't have to worry much about the MPLS, as the telco is probably acting as the Provider Edge and the Customer Edge with the cisco 837.

What are your requirements for traffic on this network? Do you need to encrypt the data before it hits the provider networks? Do you have a hub site or hub sites? There are a lot of details that you would need to provide in order to answer this question.
 
uanmiAuthor Commented:
In office A the subnet is 192.168.1.xxx
In office B the subnet is 192.168.2.xxx

I got this message from the ISP
I have checked your site routers, and the MPLS-VPN between the two sites is definitely operational.

This is from your home site to the office router:

gthm_rt837_0101#ping 10.64.100.1 source 10.64.101.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.64.100.1, timeout is 2 seconds:
Packet sent with a source address of 10.64.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/71/80 ms

This is from your office router to the home site:

gtof_rt837_0101#ping 10.64.101.1 source 10.64.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.64.101.1, timeout is 2 seconds:
Packet sent with a source address of 10.64.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/54/100 ms
As you can see, if you use the 10.64.100.x and 10.64.101.x addresses, traffic will run natively (i.e. not across the internet) between your two offices.

I have the setup files of the 837s and the 506Es
regards, Mark
 
uanmiAuthor Commented:
I should add that the external IP on the 506E at each location is
10.64.101.10 and 10.64.100.10
and the internal IPs are
192.168.2.1 and 192.168.1.1
respectively.
regards, Mark
 
602650528Commented:
Yeah, from the mail sent by Mark, the MPLS link between the two Cisco 837s is working well. What you need to do now is send traffic to the two Cisco 837s at each end. You can do this by making the IP address of the Cisco 837 the default gateway on the PIX at each end, as shown below.

At the home site
route outside 0.0.0.0 0.0.0.0 10.64.100.1 1

At the office end
route outside 0.0.0.0 0.0.0.0 10.64.101.1 1

The above config assumes:
1. Other configs such as the IP address configs and NAT configs are correct on the PIX.
2. That you have named the external interface of the PIX 506E "outside"; if not, please change the name in the config appropriately.

Hope this helps.
 
602650528Commented:
If the default gateway config above works, you can change it to the config below to route just the inter-office traffic through the MPLS links:

At the home site
route outside 192.168.2.0 255.255.255.0 10.64.100.1 1

At the office end
route outside 192.168.1.0 255.255.255.0 10.64.101.1 1
 
uanmiAuthor Commented:
On the home 506E, which has outside NIC 10.64.101.10, I have the static route
route outside 0.0.0.0 0.0.0.0 10.64.101.1 1
On the office 506E, which has outside NIC 10.64.100.10, I have the static route
route outside 0.0.0.0 0.0.0.0 10.64.100.1 1

Because I could not get the MPLS to work, I put in a VPN between the two 506E. I can take the VPN out but only for short times as I need mail to flow between the two sites.

Would it help if I put up the config for the two 506E? I also have the config for the two 837s from the ISP.

I'm not sure if your suggestion is for me to route traffic from 10.64.100.10 to 10.64.101.1 for traffic going to the 192.168.2.0 subnet from the 192.168.1.0 subnet. Is this correct?

regards, Mark
 
uanmiAuthor Commented:
How do I send the rest of the traffic to the Internet?

regards, Mark
 
kamsujCommented:
It would be good if you put here the configs of the two 506E and the two 837 as in my opinion it should already work.
 
172pilotSteveCommented:
First of all, in addition to the ROUTE, you also need to set the address so it can talk to the MPLS router, which I presume is ISP provided...

For example, on the "home" site,

ip address outside 10.64.100.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 192.168.2.0 255.255.255.0 10.64.100.1 1
access-list inside_no_nat permit ip any 10.64.0.0 255.255.0.0
access-list inside_no_nat permit ip any 192.168.0.0 255.255.0.0
nat (inside) 0 access-list inside_no_nat

and at the other site (this one with comments):
#IP address of the OUTSIDE interface, so that it can talk to the ISPs router
ip address outside 10.64.101.2 255.255.255.0  
#IP Address of the INSIDE interface, so it can talk to the rest of your internal hosts
ip address inside 192.168.2.1 255.255.255.0
#A Route, through the OUTSIDE interface, to get to the OTHER network (192.168.1.x),
#sending it to  the MPLS address of the LOCAL ISP router (10.64.101.1)
route outside 192.168.1.0 255.255.255.0 10.64.101.1 1
#Define that we will NOT NAT traffic destined to the 10.64.x.x or 192.168.x.x networks, because
#they're on the MPLS and not on the Internet
access-list inside_no_nat permit ip any 10.64.0.0 255.255.0.0
access-list inside_no_nat permit ip any 192.168.0.0 255.255.0.0
#Turn off NAT for traffic originating on the INSIDE, which matches the access list we just defined
nat (inside) 0 access-list inside_no_nat

With MPLS, the provider is providing you with a VIRTUAL routed network between your two offices, so for your purposes, you may as well assume they're connected directly between the ISP's two routers. In the commands above, I'm showing a route from each PIX to the NEXT HOP, which is the local 10.x port of the ISP's MPLS router. You will also need a route like this:
ROUTE OUTSIDE 0.0.0.0 0.0.0.0 a.b.c.d
where a.b.c.d is the INTERNET next hop gateway for your configuration. You will need to get this from the ISP, or maybe you already know it, but it didn't get into any of these posts. Without the ROUTE OUTSIDE 0.0.0.0 statement, you should be able to get the MPLS to route between sites, but you won't have Internet access.

-Steve
 
602650528Commented:
Uanmi, let's have the configs that you said you have.
 
uanmiAuthor Commented:
I have attached the four configs in separate files.
Please note that I have left the current IPSEC VPN between the two 506Es. If I take this out, I cannot connect to the office anymore unless I use a temporary PPTP VPN. I will need to do this to test any config changes.
regards,
Mark

gtof-rt837-0101-confg.txt
gthm-rt837-0101-confg.txt
PIX506E-GTOffice-091225.txt.txt
PIX506E-GTHome-091225.txt.txt
 
lanboyoCommented:
If you want traffic going to the other site to take the VPN, and everything else to go to the internet...

It looks like nothing is being NATTED, and 192.168.2.0 and 192.168.1.0 are not going to work on the internet...

To send traffic not going to the other site to the internet, I think you need to assign one of the real internet addresses to the global outside nats...

Like this, I am taking the IP from your config...

global (outside) 1 203.153.196.146 255.255.255.255

Then you need to put the nat in use...

The existing

nat (inside) 0 access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 GTSOHO 255.255.255.0

will make sure that the VPN bound traffic is not natted... But you need to make this statement use NAT 1 .

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Please back up before making changes.
 
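As an added worked example (not code from any poster in this thread), the following Python models the behaviour that Steve's and lanboyo's posts describe for the home PIX: a longest-prefix route lookup over a /24 to the office LAN via the local MPLS router (10.64.101.1) plus a default route, the nat 0 access-list that exempts MPLS-bound traffic from translation, and PAT to the global address 203.153.196.146 for everything else. It assumes the addresses Mark gave; the Internet gateway is a labelled placeholder because the thread never states it, and HOME_ROUTES, lookup_route and forward are names chosen here.

```python
# Added example, not from the thread: a small model of how the PIX picks a
# next hop (longest-prefix match) and decides whether to translate the source
# (nat 0 exemption vs. PAT to the global address), using the thread's addresses.
import ipaddress

# Routing table of the HOME PIX (outside 10.64.101.10, per Mark's post):
# a specific route to the office LAN via the local MPLS router, plus a default
# route whose Internet gateway is a PLACEHOLDER (never given in the thread).
HOME_ROUTES = [
    ("192.168.2.0/24", "10.64.101.1"),          # office LAN via MPLS next hop
    ("0.0.0.0/0", "INTERNET-GW-PLACEHOLDER"),   # ROUTE OUTSIDE 0.0.0.0 a.b.c.d
]

# nat (inside) 0 access-list inside_no_nat: destinations that are NOT translated
# because they live on the MPLS side, not on the Internet.
NO_NAT_DESTS = ["10.64.0.0/16", "192.168.0.0/16"]

# global (outside) 1 address quoted by lanboyo from Mark's config.
GLOBAL_PAT = "203.153.196.146"


def lookup_route(routes, dst):
    """Longest-prefix match; returns (network, next_hop) or None if no route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forward(routes, src, dst):
    """Return (next_hop, source_after_nat), or None when no route matches."""
    route = lookup_route(routes, dst)
    if route is None:
        return None  # no route at all: the PIX cannot forward the packet
    dst_ip = ipaddress.ip_address(dst)
    exempt = any(dst_ip in ipaddress.ip_network(n) for n in NO_NAT_DESTS)
    return (route[1], src if exempt else GLOBAL_PAT)


if __name__ == "__main__":
    # Inter-office traffic: MPLS next hop, source left untranslated.
    print(forward(HOME_ROUTES, "192.168.1.50", "192.168.2.20"))
    # Internet-bound traffic: default route, source PAT'd to the global.
    print(forward(HOME_ROUTES, "192.168.1.50", "198.51.100.7"))
    # Steve's caveat: with only the MPLS route, Internet traffic has no route.
    print(forward(HOME_ROUTES[:1], "192.168.1.50", "198.51.100.7"))
```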
uanmiAuthor Commented:
I'm going to try this solution this week to see if it works.
It is hard to know if you are talking about changes on the 837 devices or the 506E devices.

regards, Mark
 
lanboyoCommented:
The changes I am talking about are on the 506E devices.

Do you have working incoming internet traffic to the NATs currently in place?
 
lanboyoCommented:
Oh, and make sure you back the configs up and don't write the new ones until you know everything is working.
 
uanmiAuthor Commented:
I currently have everything working as I want it; it was just that the ISP said I need to get rid of the IPSEC VPN between office and home and use the MPLS. They told me that I pay for traffic that is not using MPLS between the office and home.

I will give the setup a try Wednesday. It is madness here.
regards, Mark
 
uanmiAuthor Commented:
The situation changed and the MPLS routing was no longer needed.