Solved

Help configuring ASA 5505 as a Gateway for remote MPLS sites

Posted on 2010-11-13
1,223 Views
Last Modified: 2012-05-10
My client recently added MPLS lines connecting the main site to two remote sites.  We want the main site to be a central gateway.  I have the MPLS up and running, all computers have access across the MPLS.  My problem is that the remote sites cannot get internet access through the internet connection at the main site.

I am sure it is something simple I am missing in the ASA config

Main site network 10.229.138.0 /24
Main Site gateway 10.229.138.250
Main site MPLS Router 10.229.138.242

Remote networks: 10.229.139.0 /24 and 10.229.147.0 /24

Thank you!
ASA Version 7.2(3)
!
hostname ciscoasa
enable password Obqf4u/XvYBwjd2M encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.229.138.250 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.132.211.106 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
 speed 10
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.132.211.105 1
route inside 10.229.139.0 255.255.255.0 10.229.138.242 1
route inside 10.229.147.0 255.255.255.0 10.229.138.242 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.229.138.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:66861b109d4d9fc0df11a4d801154aa3
: end
ciscoasa#

Question by:SchoolPage
9 Comments
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34127758
Try this:

access-list no-nat extended permit ip 10.229.138.0 255.255.255.0 10.229.139.0 255.255.255.0
access-list no-nat extended permit ip 10.229.139.0 255.255.255.0 10.229.138.0 255.255.255.0
access-list no-nat extended permit ip 10.229.138.0 255.255.255.0 10.229.147.0 255.255.255.0
access-list no-nat extended permit ip 10.229.147.0 255.255.255.0 10.229.138.0 255.255.255.0
nat (inside) 0 access-list no-nat
same-security-traffic permit intra-interface
 
LVL 8

Accepted Solution

by:ShareefHuddle (earned 500 total points)
ID: 34127807
That should work but if it doesn't you will want to make sure that your MPLS provider has your ASA as your internet gateway in the MPLS network.
 

Author Comment

by:SchoolPage
ID: 34127821
That did not work. I was thinking along the same lines, some kind of access list entry.

I have another client, same exact setup with one site as the gateway for six locations, all connected via MPLS. The difference being that they are using a Netgear Firewall. All I needed to do for them was add the routes back to the remote site networks on the Netgear.

 

Author Comment

by:SchoolPage
ID: 34127881
They should have it, but I opened a ticket with them to verify, I will post back when I hear.

Thank you.
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34127947
I will double check my config, that is what I have on mine. Hmmm...
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34127969
I forgot TSB:

access-list tsb extended permit ip 10.229.138.0 255.255.255.0 10.229.139.0 255.255.255.0
access-list tsb extended permit ip 10.229.139.0 255.255.255.0 10.229.138.0 255.255.255.0
access-list tsb extended permit ip 10.229.138.0 255.255.255.0 10.229.147.0 255.255.255.0
access-list tsb extended permit ip 10.229.147.0 255.255.255.0 10.229.138.0 255.255.255.0

class-map stateBypassMap
 match access-list tsb
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
 class stateBypassMap
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
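The two snippets ShareefHuddle posted (the no-nat exemption with same-security-traffic permit intra-interface, and the tcp-state-bypass class) each address a different flow through this topology. The Python model below is added here as an illustration; it is not part of the thread and not a Cisco tool. It takes the addresses and routes from the posted config, uses the RFC 5737 documentation address 198.51.100.7 as a constructed Internet host, and assumes that hosts behind the MPLS router reach the main LAN directly while needing a default route toward the ASA for everything else. For each flow it reports which ASA interfaces the packet uses, whether it hairpins on inside (the case that needs intra-interface), whether NAT applies, and whether the ASA sees both directions of the conversation (when it does not, the TCP state check fails without tcp-state-bypass).

```python
import ipaddress

# Constructed model of the addressing in this thread (illustration only, not an
# ASA parser). For a given flow it answers: which ASA interfaces are used, does
# the packet hairpin on "inside", does NAT apply, and does the ASA see both
# directions of the conversation.
MAIN_LAN = ipaddress.ip_network("10.229.138.0/24")
REMOTE_LANS = [ipaddress.ip_network("10.229.139.0/24"),
               ipaddress.ip_network("10.229.147.0/24")]
OUTSIDE_NET = ipaddress.ip_network("64.132.211.104/29")
MPLS_ROUTER = ipaddress.ip_address("10.229.138.242")

# ASA routing table as (prefix, egress interface, next hop): the two connected
# networks plus the three static routes from the posted config.
ASA_ROUTES = [
    (MAIN_LAN, "inside", None),
    (OUTSIDE_NET, "outside", None),
    (ipaddress.ip_network("0.0.0.0/0"), "outside", ipaddress.ip_address("64.132.211.105")),
    (REMOTE_LANS[0], "inside", MPLS_ROUTER),
    (REMOTE_LANS[1], "inside", MPLS_ROUTER),
]

# nat (inside) 0 access-list no-nat: main LAN <-> remote LANs is exempt from PAT.
NO_NAT_ACL = [(MAIN_LAN, r) for r in REMOTE_LANS] + [(r, MAIN_LAN) for r in REMOTE_LANS]


def asa_route(dst):
    """Longest-prefix match over ASA_ROUTES; returns (interface, next_hop)."""
    candidates = [r for r in ASA_ROUTES if dst in r[0]]
    best = max(candidates, key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def nat_exempt(src, dst):
    return any(src in s and dst in d for s, d in NO_NAT_ACL)


def in_remote(ip):
    return any(ip in r for r in REMOTE_LANS)


def first_hop(host, dst, mpls_default_via_asa):
    """Device that receives a packet from host toward dst (assumed topology).
    Main-LAN hosts use the ASA as default gateway; remote hosts use the MPLS
    cloud, whose exit router (.242) reaches the main LAN directly and needs a
    default route for everything else; Internet hosts reply to the ASA's
    public address."""
    if host in MAIN_LAN:
        return "asa"
    if in_remote(host):
        if dst in MAIN_LAN or in_remote(dst):
            return "mpls-direct"          # delivered without touching the ASA
        return "asa" if mpls_default_via_asa else "blackhole"
    return "asa"


def classify_flow(src, dst, mpls_default_via_asa=True):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fwd = first_hop(src, dst, mpls_default_via_asa)
    rev = first_hop(dst, src, mpls_default_via_asa)
    if "blackhole" in (fwd, rev):
        return {"path": "no route (MPLS side lacks a default route toward the ASA)"}
    seen_fwd, seen_rev = fwd == "asa", rev == "asa"
    if not (seen_fwd or seen_rev):
        return {"path": "bypasses ASA"}
    # Evaluate the packet the ASA actually sees (the reply, if only that half arrives).
    a, b = (src, dst) if seen_fwd else (dst, src)
    ingress, _ = asa_route(a)              # in this topology a's traffic arrives on the interface that routes back to a
    egress, next_hop = asa_route(b)
    return {
        "path": "through ASA",
        "ingress": ingress,
        "egress": egress,
        "next_hop": str(next_hop) if next_hop else "connected",
        "needs_intra_interface": ingress == egress,    # same-security-traffic permit intra-interface
        "nat": "exempt" if nat_exempt(a, b) else ("PAT" if egress == "outside" else "none"),
        "needs_state_bypass": seen_fwd != seen_rev,    # ASA sees only one direction
    }


if __name__ == "__main__":
    flows = [("10.229.139.5", "198.51.100.7"), ("10.229.138.10", "10.229.139.5"),
             ("10.229.139.5", "10.229.138.10"), ("10.229.139.5", "10.229.147.5")]
    for flow in flows:
        print(flow, classify_flow(*flow))
        print(flow, "without MPLS default:", classify_flow(*flow, mpls_default_via_asa=False))
```

Run with no arguments. The remote-to-Internet flow comes out as a plain inside-to-outside PAT path that the posted config already handles, and turns into "no route" as soon as mpls_default_via_asa is False, which matches the thread's eventual finding that the missing piece was the default route advertised on the MPLS side. The main-to-remote flows are the ones that hairpin on inside and are seen in one direction only, which is what the no-nat exemption, intra-interface permit and state bypass are for.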
 

Author Comment

by:SchoolPage
ID: 34133320
Still did not work. I will hear from the ISP Monday morning; this could all be a missing default route on their end.

Thanks again.
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34133588
Yes I'm sure it is the MPLS routing :) Let me know
 

Author Comment

by:SchoolPage
ID: 34135442
You were correct.  This site is the first I have used BGP with; as it turns out, I need to broadcast from my Adtran 3430 router that it is the default route for the other two sites.

Thanks again!
