SchoolPage
Help configuring ASA 5505 as a Gateway for remote MPLS sites
My client recently added MPLS lines connecting the main site to two remote sites. We want the main site to be a central gateway. I have the MPLS up and running, all computers have access across the MPLS. My problem is that the remote sites cannot get internet access through the internet connection at the main site.
I am sure it is something simple I am missing in the ASA config
Main site network 10.229.138.0 /24
Main Site gateway 10.229.138.250
Main site MPLS Router 10.229.138.242
Remote networks: 10.229.139.0 /24 and 10.229.147.0 /24
Thank you!
ASA Version 7.2(3)
!
hostname ciscoasa
enable password Obqf4u/XvYBwjd2M encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.229.138.250 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.132.211.106 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
speed 10
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.132.211.105 1
route inside 10.229.139.0 255.255.255.0 10.229.138.242 1
route inside 10.229.147.0 255.255.255.0 10.229.138.242 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.229.138.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:66861b109d4d9fc0df11a4d801154aa3
: end
ciscoasa#
ASKER CERTIFIED SOLUTION
ASKER
That did not work. I was thinking along the same lines, some kind of access list entry.
I have another client, same exact setup with one site as the gateway for six locations, all connected via MPLS. The difference being that they are using a Netgear Firewall. All I needed to do for them was add the routes back to the remote site networks on the Netgear.
ASKER
They should have it, but I opened a ticket with them to verify, I will post back when I hear.
Thank you.
I will double check my config, that is what I have on mine. Hmmm...
I forgot TSB:
access-list tsb extended permit ip 10.229.138.0 255.255.255.0 10.229.139.0 255.255.255.0
access-list tsb extended permit ip 10.229.139.0 255.255.255.0 10.229.138.0 255.255.255.0
access-list tsb extended permit ip 10.229.138.0 255.255.255.0 10.229.147.0 255.255.255.0
access-list tsb extended permit ip 10.229.147.0 255.255.255.0 10.229.138.0 255.255.255.0
class-map stateBypassMap
match access-list tsb
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
class stateBypassMap
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
ASKER
Still did not work. I will hear from the ISP Monday morning; this could all be a missing default route on their end.
Thanks again.
Yes I'm sure it is the MPLS routing :) Let me know
ASKER
You were correct. This site is the first I have used BGP with; as it turns out I need to broadcast from my Adtran 3430 router that it is the default route for the other two sites.
Thanks again!
access-list no-nat extended permit ip 10.229.138.0 255.255.255.0 10.229.139.0 255.255.255.0
access-list no-nat extended permit ip 10.229.139.0 255.255.255.0 10.229.138.0 255.255.255.0
access-list no-nat extended permit ip 10.229.138.0 255.255.255.0 10.229.147.0 255.255.255.0
access-list no-nat extended permit ip 10.229.147.0 255.255.255.0 10.229.138.0 255.255.255.0
nat (inside) 0 access-list no-nat
same-security-traffic permit intra-interface
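As an added example (not code posted in this thread, and not a Cisco tool), the following Python script parses the pre-8.3 ASA statements that matter for this hub-gateway topology and flags what is still missing: a return route for each remote subnet via the MPLS router, an inside PAT rule with a matching outside global so the remote sites can reach the internet, a nat 0 exemption so main-to-remote traffic is not translated, `same-security-traffic permit intra-interface` for the U-turn on the inside interface, and TCP state bypass for the asymmetric return path (the reply from a remote host comes back via the MPLS router straight to the main-site host, never touching the ASA). The interface names and prefixes are taken from the question; the sample config is a constructed trim of the asker's posted running-config plus the snippet above; the state-bypass check only looks for the keyword and does not verify which traffic the class matches. As the thread's resolution shows, an ASA-side check cannot see the real fault here (the MPLS router not advertising a default route to the remote sites over BGP), so a clean result from this script only rules out the firewall.

```python
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network


def _net(addr: str, mask: str) -> Net:
    """ASA 'address mask' pair -> network ('0.0.0.0 0.0.0.0' becomes 0.0.0.0/0)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class AsaConfig:
    routes: list = field(default_factory=list)    # (iface, network, next_hop)
    nat: list = field(default_factory=list)       # (iface, nat_id, network) from 'nat (iface) N ...'
    globals_: set = field(default_factory=set)    # (iface, nat_id) from 'global (iface) N ...'
    nat0: dict = field(default_factory=dict)      # iface -> ACL name from 'nat (iface) 0 access-list'
    acls: dict = field(default_factory=dict)      # ACL name -> [(src_net, dst_net)] for 'permit ip'
    flags: set = field(default_factory=set)       # 'intra-interface', 'tcp-state-bypass'


def parse_config(text: str) -> AsaConfig:
    """Extract only the pre-8.3 (7.x / 8.2 syntax) statements the hub-gateway check needs."""
    cfg = AsaConfig()
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "route" and len(t) >= 5:
            cfg.routes.append((t[1], _net(t[2], t[3]), ipaddress.ip_address(t[4])))
        elif t[0] == "nat" and len(t) >= 5:
            iface = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":
                cfg.nat0[iface] = t[4]
            elif t[2] != "0":
                cfg.nat.append((iface, t[2], _net(t[3], t[4])))
        elif t[0] == "global" and len(t) >= 3:
            cfg.globals_.add((t[1].strip("()"), t[2]))
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("permit")  # access-list NAME extended permit ip SRC MASK DST MASK
            if len(t) >= i + 6 and t[i + 1] == "ip":
                cfg.acls.setdefault(t[1], []).append(
                    (_net(t[i + 2], t[i + 3]), _net(t[i + 4], t[i + 5])))
        elif raw.strip() == "same-security-traffic permit intra-interface":
            cfg.flags.add("intra-interface")
        elif "tcp-state-bypass" in raw:  # presence only; the matching class is not checked
            cfg.flags.add("tcp-state-bypass")
    return cfg


# Constructed sample: the asker's running-config trimmed to the relevant lines.
ORIGINAL_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.132.211.105 1
route inside 10.229.139.0 255.255.255.0 10.229.138.242 1
route inside 10.229.147.0 255.255.255.0 10.229.138.242 1
"""
# The NAT-exemption / hairpin snippet from the end of the thread.
FIX_LINES = """\
access-list no-nat extended permit ip 10.229.138.0 255.255.255.0 10.229.139.0 255.255.255.0
access-list no-nat extended permit ip 10.229.138.0 255.255.255.0 10.229.147.0 255.255.255.0
nat (inside) 0 access-list no-nat
same-security-traffic permit intra-interface
"""
STATE_BYPASS_LINES = "set connection advanced-options tcp-state-bypass\n"

MAIN_NET = ipaddress.ip_network("10.229.138.0/24")
REMOTE_NETS = [ipaddress.ip_network("10.229.139.0/24"), ipaddress.ip_network("10.229.147.0/24")]
MPLS_ROUTER = ipaddress.ip_address("10.229.138.242")


def check_hub_gateway(text: str, inside: str = "inside", outside: str = "outside",
                      main_net: Net = MAIN_NET, remote_nets=REMOTE_NETS,
                      mpls_router=MPLS_ROUTER) -> list:
    """Return a list of short finding codes; an empty list means nothing is missing on the ASA."""
    cfg = parse_config(text)
    findings = []
    if not any(i == outside and n.prefixlen == 0 for i, n, _ in cfg.routes):
        findings.append("no-default-route")
    exempt = cfg.acls.get(cfg.nat0.get(inside), [])
    for r in remote_nets:
        if not any(i == inside and n == r and nh == mpls_router for i, n, nh in cfg.routes):
            findings.append(f"no-route:{r}")
        # Remote sites only reach the internet if an inside NAT rule covers them
        # and a global with the same id exists on the outside interface.
        if not any(i == inside and r.subnet_of(n) and (outside, nid) in cfg.globals_
                   for i, nid, n in cfg.nat):
            findings.append(f"no-pat:{r}")
        if not any(s == main_net and d == r for s, d in exempt):
            findings.append(f"no-nat-exempt:{r}")
    if "intra-interface" not in cfg.flags:
        findings.append("no-intra-interface")
    if "tcp-state-bypass" not in cfg.flags:
        findings.append("no-tcp-state-bypass")
    return findings


if __name__ == "__main__":
    for label, text in [("original", ORIGINAL_CONFIG), ("with fix", ORIGINAL_CONFIG + FIX_LINES)]:
        print(label, check_hub_gateway(text) or "ok")
```

Run it against a saved `show running-config`; the parser deliberately ignores everything it does not recognise, so the full config from the question can be fed in unchanged. On the asker's original config it reports the missing NAT exemption for both remote subnets, the missing intra-interface permit and the missing state bypass, while the routes and the PAT rule already cover the remote sites.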