Solved

Help configuring ASA 5505 as a Gateway for remote MPLS sites

Posted on 2010-11-13
Last Modified: 2012-05-10
My client recently added MPLS lines connecting the main site to two remote sites. We want the main site to be a central gateway. I have the MPLS up and running, all computers have access across the MPLS. My problem is that the remote sites cannot get internet access through the internet connection at the main site.

I am sure it is something simple I am missing in the ASA config.

Main site network 10.229.138.0 /24
Main Site gateway 10.229.138.250
Main site MPLS Router 10.229.138.242

Remote networks: 10.229.139.0 /24 and 10.229.147.0 /24

Thank you!
ASA Version 7.2(3)
!
hostname ciscoasa
enable password Obqf4u/XvYBwjd2M encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.229.138.250 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.132.211.106 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
 speed 10
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.132.211.105 1
route inside 10.229.139.0 255.255.255.0 10.229.138.242 1
route inside 10.229.147.0 255.255.255.0 10.229.138.242 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.229.138.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:66861b109d4d9fc0df11a4d801154aa3
: end
ciscoasa#

Question by:SchoolPage

9 Comments
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34127758
Try this:

access-list no-nat extended permit ip 10.229.138.0 255.255.255.0 10.229.139.0 255.255.255.0
access-list no-nat extended permit ip 10.229.139.0 255.255.255.0 10.229.138.0 255.255.255.0
access-list no-nat extended permit ip 10.229.138.0 255.255.255.0 10.229.147.0 255.255.255.0
access-list no-nat extended permit ip 10.229.147.0 255.255.255.0 10.229.138.0 255.255.255.0
nat (inside) 0 access-list no-nat
same-security-traffic permit intra-interface
 
LVL 8

Accepted Solution

by:
ShareefHuddle earned 500 total points
ID: 34127807
That should work, but if it doesn't, you will want to make sure that your MPLS provider has your ASA as your internet gateway in the MPLS network.
 

Author Comment

by:SchoolPage
ID: 34127821
That did not work. I was thinking along the same lines, some kind of access list entry.

I have another client, same exact setup with one site as the gateway for six locations, all connected via MPLS. The difference being that they are using a Netgear Firewall. All I needed to do for them was add the routes back to the remote site networks on the Netgear.
 

Author Comment

by:SchoolPage
ID: 34127881
They should have it, but I opened a ticket with them to verify; I will post back when I hear.

Thank you.
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34127947
I will double check my config, that is what I have on mine. Hmmm...
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34127969
I forgot TSB:

access-list tsb extended permit ip 10.229.138.0 255.255.255.0 10.229.139.0 255.255.255.0
access-list tsb extended permit ip 10.229.139.0 255.255.255.0 10.229.138.0 255.255.255.0
access-list tsb extended permit ip 10.229.138.0 255.255.255.0 10.229.147.0 255.255.255.0
access-list tsb extended permit ip 10.229.147.0 255.255.255.0 10.229.138.0 255.255.255.0

class-map stateBypassMap
 match access-list tsb
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
 class stateBypassMap
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
 

Author Comment

by:SchoolPage
ID: 34133320
Still did not work. I will hear from the ISP Monday morning; this could all be a missing default route on their end.

Thanks again.
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34133588
Yes, I'm sure it is the MPLS routing :) Let me know.
 

Author Comment

by:SchoolPage
ID: 34135442
You were correct. This site is the first I have used BGP with; as it turns out, I need to broadcast from my Adtran 3430 router that it is the default route for the other two sites.

Thanks again!
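The outcome of the thread is that the ASA side was already complete (return routes for both remote /24s via 10.229.138.242, a default route out the outside interface, and a dynamic PAT that covers any inside source) and the missing piece was a default route at the remote sites, which the main-site router has to advertise over the MPLS BGP session. The following is an added example, not code from the thread or from Cisco: a small hop-by-hop forwarding simulation whose tables are built from the addresses in the question. The remote-site CE router, a single "mpls" hop standing in for the provider cloud plus the Adtran 3430, the ISP hop and the Internet host address (198.51.100.10, RFC 5737 documentation space) are all assumptions; the ASA's PAT is simplified to one translation without ports.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread; the Internet host and the remote workstation are
# constructed for this example.
ASA_OUTSIDE = ipaddress.ip_address("64.132.211.106")
INTERNET_HOST = "198.51.100.10"   # constructed (RFC 5737 TEST-NET-2)
REMOTE_HOST = "10.229.139.10"     # constructed host in the first remote /24


@dataclass
class Node:
    """A forwarding device with a plain longest-prefix-match routing table."""
    name: str
    routes: list                # (ip_network, next node name or "local")
    pat_to_isp: bool = False    # models 'nat (inside) 1 0.0.0.0 0.0.0.0' with
                                # 'global (outside) 1 interface' on the ASA

    def lookup(self, dst):
        best = None
        for net, nxt in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nxt)
        return None if best is None else best[1]


def table(*entries):
    return [(ipaddress.ip_network(p), nxt) for p, nxt in entries]


def build_topology(remote_has_default: bool) -> dict:
    """remote_ce (assumed) is the CE router at the 10.229.139.0/24 site; mpls
    stands for the provider cloud plus the Adtran at 10.229.138.242; asa carries
    the routes from the posted config; isp/internet are a minimal upstream."""
    remote = table(("10.229.139.0/24", "local"),
                   ("10.229.138.0/24", "mpls"),
                   ("10.229.147.0/24", "mpls"))
    if remote_has_default:
        # The fix reported in the thread: the main-site router announces itself
        # as the default route to the other sites over BGP.
        remote.append((ipaddress.ip_network("0.0.0.0/0"), "mpls"))
    return {
        "remote_ce": Node("remote_ce", remote),
        "mpls": Node("mpls", table(("10.229.139.0/24", "remote_ce"),
                                   ("10.229.138.0/24", "local"),
                                   ("0.0.0.0/0", "asa"))),
        "asa": Node("asa", table(("10.229.138.0/24", "local"),
                                 ("64.132.211.104/29", "local"),
                                 ("10.229.139.0/24", "mpls"),  # route inside ... 10.229.138.242
                                 ("10.229.147.0/24", "mpls"),  # route inside ... 10.229.138.242
                                 ("0.0.0.0/0", "isp")),        # route outside ... 64.132.211.105
                    pat_to_isp=True),
        "isp": Node("isp", table(("64.132.211.104/29", "asa"),
                                 ("0.0.0.0/0", "internet"))),
        "internet": Node("internet", table(("198.51.100.0/24", "local"),
                                           ("0.0.0.0/0", "isp"))),
    }


def trace(nodes, start, src, dst, xlate, max_hops=10):
    """Forward one packet hop by hop and return (hops, outcome). xlate is the
    ASA's PAT table, shared between the outbound and the return trace."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops, cur = [], start
    for _ in range(max_hops):
        node = nodes[cur]
        hops.append(cur)
        if node.pat_to_isp and dst == ASA_OUTSIDE and ASA_OUTSIDE in xlate:
            dst = xlate[ASA_OUTSIDE]   # un-translate returning traffic
        nxt = node.lookup(dst)
        if nxt is None:
            return hops, f"dropped at {cur}: no route to {dst}"
        if nxt == "local":
            return hops, f"delivered at {cur}"
        if node.pat_to_isp and nxt == "isp":
            xlate[ASA_OUTSIDE] = src   # PAT the private source to the outside address
            src = ASA_OUTSIDE
        cur = nxt
    return hops, "dropped: hop limit reached"


def remote_to_internet(remote_has_default: bool):
    """Outbound and return legs for a remote-site host reaching the Internet;
    the return leg is None when the outbound packet never arrives."""
    nodes, xlate = build_topology(remote_has_default), {}
    out = trace(nodes, "remote_ce", REMOTE_HOST, INTERNET_HOST, xlate)
    if not out[1].startswith("delivered"):
        return out, None
    back = trace(nodes, "internet", INTERNET_HOST, str(ASA_OUTSIDE), xlate)
    return out, back


if __name__ == "__main__":
    for flag in (False, True):
        print(f"remote site has a default route: {flag}")
        for leg in remote_to_internet(flag):
            print("  ", leg)
```

Without the default route the packet never leaves the remote CE, which is exactly why no amount of ASA-side NAT exemption changed anything; with it, the ASA's existing routes carry the return traffic back to 10.229.138.242. Two caveats on the earlier suggestions: the `set connection advanced-options tcp-state-bypass` commands only exist from ASA 8.2(1), so the posted 7.2(3) unit would not accept them, and state bypass addresses asymmetric site-to-site flows through the firewall rather than the Internet path discussed here.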
