Solved

Connect 2 locations over MPLS that are currently connected via VPN with PIX-515E and ASA5510

Posted on 2011-04-28
Last Modified: 2012-05-11
I have a few offices across the US connected via MPLS and VPN. Location 1 is only connected via VPN, and I need it to work on the MPLS. I am using an ASA5510 at Location 1 and a PIX-515E at Location 2. Currently these two locations are connected via VPN. I need to understand what I need to do and how to configure the PIX and ASA.
Question by:almostfamous
19 Comments
 
LVL 4

Expert Comment

by:JorisFRST
ID: 35489630
Hi,
What routing protocols do you use in the other locations to fail over and decide whether to route through VPN or MPLS?
Your MPLS provider normally provides you with BGP.
 
LVL 1

Author Comment

by:almostfamous
ID: 35492141
Here is the link to the BGP policy provided by my MPLS provider: http://www.xo.com/SiteCollectionDocuments/customer-care/Allegiance/BGPpolicy.pdf
I also attached the PDF version of it. BGPpolicy.pdf
 
LVL 1

Author Comment

by:almostfamous
ID: 35492165
I would like to set it so MPLS is first, then VPN as second. I assume that is what you mean by failover. For example, if MPLS were to go down, then VPN should kick in.
LVL 1

Author Comment

by:almostfamous
ID: 35492457
Location 1: My Router IP: 10.1.5.253, Provider's Router IP: 10.1.5.254
Location 2: My Router IP: 10.1.4.253, Provider's Router IP: 10.1.4.254
Location 3: My Router IP: 10.1.2.253, Provider's Router IP: 10.1.2.254
Location 4: My Router IP: 10.1.1.253, Provider's Router IP: 10.1.1.254
 
LVL 1

Author Comment

by:almostfamous
ID: 35492461
I need Location 1 to connect to the rest of the MPLS (Locations 2-4).
 
LVL 4

Expert Comment

by:JorisFRST
ID: 35492484
Do you also use BGP for your VPN links?

Then you just run a routing instance in each site that redistributes into the 2 BGP ASes, and you have the VPN as a lower priority.
 
LVL 1

Author Comment

by:almostfamous
ID: 35493424
We use the same provider, but the VPN is not using BGP.
 
LVL 4

Expert Comment

by:JorisFRST
ID: 35494099
You should just ask your MPLS provider for a BGP template for your devices.
I assume there are also other locations on your MPLS?
Or is this the first implementation?
 
LVL 1

Author Comment

by:almostfamous
ID: 35494596
Well, a company called XO Communications manages our MPLS. We have XO routers at all our locations. The PIX and ASA are not managed by XO; they are managed by me. However, I do not have very much experience configuring PIX/ASA. Would getting the BGP template from XO still help me? From my understanding, the XO router has a port that I connect my PIX and ASA into that allows all traffic. So doesn't this just mean I need to configure the ASA at location 2 to talk to the PIX at location 1?
 
LVL 1

Author Comment

by:almostfamous
ID: 35494681
I know that the actual XO routers are configured correctly and talking to all my locations. It's past the XO router where I am confused about what to do. All the locations are working; I just need to add one more location to the already existing MPLS.
 
LVL 1

Author Comment

by:almostfamous
ID: 35494704
I should post a show run from the PIX and ASA, but all the public IPs and logins would be public to the world if I do that... Would it help to post it, and what should I do about masking the login and public IP addresses? Should I just asterisk them out?
 
LVL 4

Expert Comment

by:JorisFRST
ID: 35494871
Change passwords to "password" and public IPs to public1, 2, 3.
 
LVL 4

Expert Comment

by:JorisFRST
ID: 35494904
You don't need the BGP template then.
If you have VPN routers everywhere, you might want to set up your own routing protocol instance (EIGRP, BGP).
On this instance you redistribute your VPN routes at a lower priority.
So to get it working today, you just put static routes for your other sites toward the XO MPLS router.

The next step is implementing your own routing protocol instance on your routers to have it automatically decide to use VPN if MPLS is down.
 
LVL 1

Author Comment

by:almostfamous
ID: 35498540
I guess I just need a better understanding of the actual issue. Also, I am not experienced in this field. I am used to outsourcing this kind of work. I think I can traceroute from the ASA to the other locations but can't ping. I think this is because NAT is translating the IP and not translating it on the way back. I wish I could make this question worth 10,000 points, because I need someone to explain it to me so I can understand it well enough to know what I am doing.
 
LVL 1

Author Comment

by:almostfamous
ID: 35507933
Location: 1
Hardware: ASA5510

pixfirewall# show run
: Saved
:
ASA Version 7.2(4)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password  encrypted
passwd encrypted
names
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address  Public IP *.*.119.194 255.255.255.240
 ospf cost 10
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.18.1 255.255.255.0
 ospf cost 10

interface Ethernet0/2
 nameif Dyer-MPLS
 security-level 0
 ip address 10.1.5.253 255.255.255.0
 ospf cost 10
!
interface Ethernet0/3
 nameif VOIP
 security-level 0
 ip address 192.168.19.1 255.255.255.0
 ospf cost 10
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 ospf cost 10
 management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_cryptomap extended permit ip 192.168.18.0 255.255.255.0 172.1.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 192.168.18.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.19.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.1.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.19.0 255.255.255.0 192.168.6.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu VOIP 1500
mtu management 1500
mtu Dyer-MPLS 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.18.0 255.255.255.0
static (inside,outside) tcp  Public IP *.*.119.195 www 192.168.18.199 www netmask 255.255.255.255
static (inside,outside) tcp  Public IP *.*.119.195 8000 192.168.18.199 8000 netmask 255.255.255.255
static (inside,outside) tcp  Public IP *.*.119.195 2000 192.168.18.198 2000 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0  Public IP *.*.119.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.18.0 255.255.255.0 management
http 192.168.18.0 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
snmp-server host outside Public IP *.*.58.68 community dsisnmp
no snmp-server location
no snmp-server contact
snmp-server community dsisnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer Public IP *.*.135.190
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
dhcpd dns 192.168.1.3 192.168.1.9
!
dhcpd address 192.168.18.100-192.168.18.200 inside
dhcpd enable inside
!
 
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group Public IP *.*.135.190 type ipsec-l2l
tunnel-group Public IP *.*.135.190 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e49175d2dd47f1822b17b3eef32352d2
: end

pixfirewall#  

pixfirewall#
 
LVL 1

Author Comment

by:almostfamous
ID: 35508080
Location: 2
Hardware: PIX-515E


pixfirewall# show run
: Saved
:
PIX Version 8.0(4)
!
hostname pixfirewall
domain-name ***********.com
enable password encrypted
passwd  encrypted
names
name 192.168.1.2 Exchange_Server description Exchange Server
name 192.168.1.3 DNS_Server
name 192.168.20.0 CO-LoLan description Co Location Lan
name 10.4.20.0 PNT description New PNT connection
name 192.168.1.117 SQLDSI description DSI LOcal SQL
name 192.168.6.0 CA_Phone_Sys description Santa Ana Phone System
name 172.16.4.0 Atlanta
name 10.2.10.0 Chicago
name 192.168.18.0 Dyer
name 192.168.2.0 Hosting.com
name 192.168.1.0 Warner
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address Public IP *.*.135.190 255.255.255.240
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.4.252 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 nameif dmz-phone
 security-level 20
 ip address 192.168.6.254 255.255.255.0
 ospf cost 10
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system flash:/pix804.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server DNS_Server
 domain-name ***********.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_2
 network-object 10.1.1.0 255.255.255.0
 network-object Warner 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
 network-object CA_Phone_Sys 255.255.255.0
 network-object Dyer 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.10.0 255.255.255.0
 network-object Hosting.com 255.255.255.0
object-group service jboss tcp
 description JBOSS Access
 port-object eq 8080
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_4
 network-object 10.1.1.0 255.255.255.0
 network-object Warner 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
 network-object PNT 255.255.255.0
object-group network DM_INLINE_NETWORK_5
 network-object 10.1.1.0 255.255.255.0
 network-object Warner 255.255.255.0
 network-object CA_Phone_Sys 255.255.255.0
 network-object Hosting.com 255.255.255.0
 network-object 192.168.168.0 255.255.255.0
object-group network DM_INLINE_NETWORK_7
 network-object 10.1.1.0 255.255.255.0
 network-object Warner 255.255.255.0
object-group network DM_INLINE_NETWORK_9
 network-object 10.1.1.0 255.255.255.0
 network-object Warner 255.255.255.0
object-group network DM_INLINE_NETWORK_12
 network-object 10.1.1.0 255.255.255.0
 network-object Warner 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_6
 network-object 10.1.1.0 255.255.255.0
 network-object Warner 255.255.255.0
object-group network DM_INLINE_NETWORK_10
 network-object 192.168.5.0 255.255.255.0
 network-object CA_Phone_Sys 255.255.255.0
object-group network DM_INLINE_NETWORK_8
 network-object 10.1.1.0 255.255.255.0
 network-object Warner 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_7
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_14
 network-object Warner 255.255.255.0
 network-object 10.1.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_13
 network-object 10.1.1.0 255.255.255.0
 network-object Warner 255.255.255.0
 network-object CA_Phone_Sys 255.255.255.0
 network-object Dyer 255.255.255.0
object-group network DM_INLINE_NETWORK_16
 network-object 10.1.1.0 255.255.255.0
 network-object Warner 255.255.255.0
 network-object CA_Phone_Sys 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_6
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_8
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_11
 network-object PNT 255.255.255.0
 network-object 192.168.168.0 255.255.255.0
object-group network GA_VPN_Net
 description Access Objects for GA VPN
 network-object 192.168.30.0 255.255.255.0
 network-object CA_Phone_Sys 255.255.255.0
object-group network LocalNet_plusPhone
 description Vpn Group to ATL with phone group
 network-object Warner 255.255.255.0
 network-object CA_Phone_Sys 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object Warner 255.255.255.0
 network-object Hosting.com 255.255.255.0
object-group network DSI_Sites
 network-object Chicago 255.255.255.0
 network-object Atlanta 255.255.255.0
 network-object Dyer 255.255.255.0
 network-object Hosting.com 255.255.255.0
access-list Outside_cryptomap extended permit ip Warner 255.255.255.0 Hosting.com 255.255.255.0
access-list Outside_access_in remark Allow email traffic
access-list Outside_access_in extended permit tcp any host Exchange_Server eq smtp
access-list Outside_access_in remark Webmail Access
access-list Outside_access_in extended permit tcp any host Exchange_Server eq www
access-list outside_access_in remark Allow SMTP Traffic to Mail Server
access-list outside_access_in extended permit tcp any host Public IP *.*.135.188 eq smtp
access-list outside_access_in remark Allow Access to webmail
access-list outside_access_in extended permit tcp any host Public IP *.*.135.188 eq www
access-list outside_access_in remark Sql access for Pnt
access-list outside_access_in extended permit tcp host Public IP *.*.223.201 host Public IP *.*.135.180 eq 1433
access-list outside_access_in extended permit tcp host Public IP *.*.253.53 host Public IP *.*.135.180 eq 1433
access-list outside_access_in extended permit tcp any host Public IP *.*.135.181 eq ssh
access-list outside_access_in extended permit tcp any host Public IP *.*.135.188 eq https
access-list outside_access_in extended permit tcp any host Public IP *.*.135.188 eq domain
access-list outside_access_in extended permit tcp any host Public IP *.*.135.178
access-list outside_access_in extended permit ip Dyer 255.255.255.0 Chicago 255.255.255.0
access-list outside_access_in extended permit ip Hosting.com 255.255.255.0 Dyer 255.255.255.0
access-list outside_access_in extended permit tcp host Public IP *.*.195.179 host Public IP *.*.135.180 eq 1433
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_13 Hosting.com 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_10
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_16 object-group DM_INLINE_NETWORK_11
access-list inside_nat0_outbound extended permit ip Warner 255.255.255.0 CO-LoLan 255.255.255.0
access-list inside_nat0_outbound extended permit ip Warner 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 host 172.1.0.94
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 172.1.0.94
access-list inside_nat0_outbound extended permit ip Warner 255.255.255.0 host 172.17.4.0
access-list inside_nat0_outbound extended permit ip Warner 255.255.255.0 172.17.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 Dyer 255.255.255.0
access-list inside_nat0_outbound extended permit ip CA_Phone_Sys 255.255.255.0 192.168.19.0 255.255.255.0
access-list policy-nat extended permit ip Warner 255.255.255.0 172.1.0.0 255.255.0.0
access-list policy-nat extended permit ip Warner 255.255.255.0 192.168.108.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 object-group DM_INLINE_NETWORK_9 any
access-list inside_access_in extended permit object-group TCPUDP 192.168.5.0 255.255.255.0 Warner 255.255.255.0 eq domain
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 CA_Phone_Sys 255.255.255.0 object-group DM_INLINE_NETWORK_7
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 Hosting.com 255.255.255.0 object-group DM_INLINE_NETWORK_14
access-list inside_access_in extended permit icmp 192.168.5.0 255.255.255.0 object-group DM_INLINE_NETWORK_6
access-list inside_access_in extended permit ip Warner 255.255.255.0 172.17.4.0 255.255.255.0
access-list inside_access_in extended permit tcp any host Public IP *.*.135.178
access-list inside_access_in extended permit ip Dyer 255.255.255.0 Hosting.com 255.255.255.0
access-list inside_access_in extended permit ip Hosting.com 255.255.255.0 Dyer 255.255.255.0
access-list dmz-dev_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 object-group DM_INLINE_NETWORK_5
access-list dmz-phone_nat0_outbound extended permit ip CA_Phone_Sys 255.255.255.0 192.168.30.0 255.255.255.0
access-list dmz-phone_nat0_outbound extended permit ip CA_Phone_Sys 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list dmz-phone_access_in extended permit object-group DM_INLINE_PROTOCOL_7 object-group DM_INLINE_NETWORK_12 CA_Phone_Sys 255.255.255.0
access-list dmz-phone_access_in extended permit object-group DM_INLINE_PROTOCOL_8 PNT 255.255.255.0 CA_Phone_Sys 255.255.255.0
access-list dmz-phone_access_in extended permit ip Dyer 255.255.255.0 Hosting.com 255.255.255.0
access-list dmz-phone_access_in extended permit ip Hosting.com 255.255.255.0 Dyer 255.255.255.0
access-list dmz-phone_access_in extended permit ip Chicago 255.255.255.0 Dyer 255.255.255.0
access-list dmz-phone_access_in extended permit object-group DM_INLINE_PROTOCOL_6 CA_Phone_Sys 255.255.255.0 any
access-list outside_4_cryptomap extended permit ip object-group LocalNet_plusPhone 192.168.30.0 255.255.255.0
access-list VPN2 extended permit ip 192.168.31.0 255.255.255.0 172.1.0.0 255.255.0.0
access-list VPN2 extended permit ip 192.168.31.0 255.255.255.0 host 172.1.0.94
access-list VPN2 extended permit ip 192.168.30.0 255.255.255.0 host 172.1.0.94
access-list VPN2 extended permit ip 10.1.1.0 255.255.255.0 host 172.1.0.94
access-list VPN2 extended permit ip 192.168.31.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list VPN2 extended permit ip Dyer 255.255.255.0 172.1.0.0 255.255.0.0
access-list outside_6_cryptomap extended permit ip Warner 255.255.255.0 172.17.4.0 255.255.255.0
access-list outside_6_cryptomap extended permit ip Warner 255.255.255.0 Chicago 255.255.255.0
access-list outside_6_cryptomap extended permit ip Warner 255.255.255.0 172.18.4.0 255.255.255.0
access-list outside_cryptomap7 extended permit ip 172.1.0.0 255.255.0.0 Dyer 255.255.255.0
access-list outside_cryptomap7 extended permit ip Warner 255.255.255.0 Dyer 255.255.255.0
access-list outside_cryptomap7 extended permit ip CA_Phone_Sys 255.255.255.0 192.168.19.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz-phone 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz-phone
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Warner 255.255.255.0 dns
nat (dmz-phone) 0 access-list dmz-phone_nat0_outbound
nat (dmz-phone) 1 CA_Phone_Sys 255.255.255.0
static (inside,outside) tcp Public IP *.*.135.180 1433 SQLDSI 1433 netmask 255.255.255.255
static (inside,outside) tcp Public IP *.*.135.181 ssh 192.168.1.41 ssh netmask 255.255.255.255
static (inside,outside) tcp Public IP *.*.135.183 www 192.168.1.199 www netmask 255.255.255.255
static (inside,outside) tcp Public IP *.*.135.183 2000 192.168.1.198 2000 netmask 255.255.255.255
static (inside,outside) tcp Public IP *.*.135.183 8000 192.168.1.199 8000 netmask 255.255.255.255
static (inside,outside) tcp Public IP *.*.135.178 https 192.168.1.45 https netmask 255.255.255.255
static (inside,outside) tcp Public IP *.*.135.178 www 192.168.1.45 9080 netmask 255.255.255.255
static (inside,outside) 192.168.31.0  access-list policy-nat
static (inside,outside) Public IP *.*.135.188 Exchange_Server netmask 255.255.255.255 dns
static (outside,outside) Dyer Dyer netmask 255.255.255.0
static (outside,outside) 172.1.0.0 172.1.0.0 netmask 255.255.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz-phone_access_in in interface dmz-phone
route outside 0.0.0.0 0.0.0.0 Public IP *.*.75.177 1
route inside 10.1.1.0 255.255.255.0 10.1.4.253 1
route inside 10.1.2.0 255.255.255.0 10.1.4.253 1
route inside Warner 255.255.255.0 10.1.4.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 192.168.1.45 community dsi
snmp-server host outside Public IP *.*.58.68 community dsisnmp
no snmp-server location
no snmp-server contact
snmp-server community dsisnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer Public IP *.*.56.68
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 1 set security-association lifetime seconds 28800
crypto map outside_map1 1 set security-association lifetime kilobytes 4608000
crypto map outside_map1 4 match address outside_4_cryptomap
crypto map outside_map1 4 set peer Public IP *.*.97.158
crypto map outside_map1 4 set transform-set ESP-3DES-MD5
crypto map outside_map1 4 set security-association lifetime seconds 28800
crypto map outside_map1 4 set security-association lifetime kilobytes 4608000
crypto map outside_map1 5 match address VPN2
crypto map outside_map1 5 set peer Public IP *.*.58.68
crypto map outside_map1 5 set transform-set ESP-3DES-MD5
crypto map outside_map1 5 set security-association lifetime seconds 28800
crypto map outside_map1 5 set security-association lifetime kilobytes 4608000
crypto map outside_map1 6 match address outside_6_cryptomap
crypto map outside_map1 6 set peer Public IP *.*.8.226
crypto map outside_map1 6 set transform-set ESP-3DES-MD5
crypto map outside_map1 6 set security-association lifetime seconds 28800
crypto map outside_map1 6 set security-association lifetime kilobytes 4608000
crypto map outside_map1 7 match address outside_cryptomap7
crypto map outside_map1 7 set pfs
crypto map outside_map1 7 set peer Public IP *.*.119.194
crypto map outside_map1 7 set transform-set ESP-3DES-SHA
crypto map outside_map1 7 set security-association lifetime seconds 28800
crypto map outside_map1 7 set security-association lifetime kilobytes 4608000
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.10 source inside prefer
tftp-server inside 192.168.1.62 Pix-COnfig


tunnel-group Public IP *.*.56.68 type ipsec-l2l
tunnel-group Public IP *.*.56.68 ipsec-attributes
 pre-shared-key *
tunnel-group Public IP *.*.97.158 type ipsec-l2l
tunnel-group Public IP *.*.97.158 ipsec-attributes
 pre-shared-key *
tunnel-group Public IP *.*.58.68 type ipsec-l2l
tunnel-group Public IP *.*.58.68 ipsec-attributes
 pre-shared-key *
tunnel-group Public IP *.*.8.226 type ipsec-l2l
tunnel-group Public IP *.*.8.226 ipsec-attributes
 pre-shared-key *
tunnel-group Public IP *.*.119.194 type ipsec-l2l
tunnel-group Public IP *.*.119.194 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e8967d64e99205fe893b6ac20e871947
: end

pixfirewall#  

pixfirewall#

pixfirewall# exit

Logoff

 
LVL 1

Author Comment

by:almostfamous
ID: 35508111
Here are the locations on the MPLS: Location 2 (Warner), Atlanta, Chicago. The new location that I need is Dyer (Location 1). As far as the ISP/MPLS provider goes, everything is configured and tested.
 
LVL 4

Accepted Solution

by:
JorisFRST earned 2000 total points
ID: 35719931
Hi, sorry for the late answer, I was away on business all last week.

I'm looking at your configs, and you're not running a routing protocol.

You have fixed routes in Location 2:
route inside 10.1.1.0 255.255.255.0 10.1.4.253 1
route inside 10.1.2.0 255.255.255.0 10.1.4.253 1
route inside Warner 255.255.255.0 10.1.4.253 1

You should do the same in Location 1 and add the subnet for Location 1 on all the others to go to MPLS.
Example on Location 1: route Dyer-MPLS 10.1.1.0 255.255.255.0 10.1.5.254 1
On Location 2: route inside 192.168.18.0 255.255.255.0 10.1.4.253 1
On Location 2: route inside 10.1.5.0 255.255.255.0 10.1.4.253 1
If your provider is aware of the 192.168.18.0 network being behind 10.1.4.253, these static routes should enable traffic through MPLS between Locations 1 and 2.

(Although, I see a mismatch with Location 2: interface Ethernet1
 nameif inside  ip address 10.1.4.252 255.255.255.0, where your IP is 252 and not 253. Is this a different setup from Location 1?)

If you want to be able to do automatic failover, there are 2 options:
You run a routing protocol on your ASA / PIX (EIGRP is the easiest) and work with the ISP to redistribute your routes on their router.
Or use IP SLAs (I'm not sure if it's supported on your PIX 515 version).

For IP SLA:
See Cisco article:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

But in this case I wouldn't do IP SLA, as when only part of the MPLS network is down, the other routers won't send the traffic back through VPN.

I hope this helps you?
 
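As an added illustration of the accepted answer (this is not code from the thread): a longest-prefix-match lookup over the static routes posted for both firewalls, run before and after the suggested routes are added. It also checks that each direction of a Location 1 <-> Location 2 flow leaves over the same medium, since a stateful ASA/PIX drops the return half of a flow that comes back on a different interface. The masked public default gateways are replaced with TEST-NET-3 placeholders, and the extra Dyer-MPLS routes beyond the answer's 10.1.1.0/24 example are an assumption extrapolated from the Location 2 route table.

```python
"""Static-route lookup over the ASA5510 / PIX-515E tables in this thread (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    next_hop: str
    metric: int


def parse_route(line: str) -> Route:
    """Parse one ASA/PIX line of the form: route <iface> <network> <mask> <gateway> [metric]."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a static route line: {line!r}")
    _, iface, net, mask, gw = parts[:5]
    metric = int(parts[5]) if len(parts) > 5 else 1
    return Route(ipaddress.IPv4Network(f"{net}/{mask}"), iface, gw, metric)


def build_table(lines: List[str]) -> List[Route]:
    return [parse_route(ln) for ln in lines if ln.strip().startswith("route ")]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match; on equal prefix length the lower metric wins."""
    d = ipaddress.IPv4Address(dst)
    matches = [r for r in table if d in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def medium(route: Optional[Route]) -> str:
    """'outside' carries the IPsec site-to-site VPN; any other egress is the MPLS hand-off."""
    if route is None:
        return "unroutable"
    return "vpn" if route.iface == "outside" else "mpls"


def check_symmetry(tab_a: List[Route], tab_b: List[Route],
                   host_a: str, host_b: str) -> Tuple[str, str, bool]:
    """Return (a->b medium, b->a medium, symmetric?). Asymmetry means one firewall
    sees only half of each TCP flow and will drop it as an unknown connection."""
    fwd = medium(lookup(tab_a, host_b))
    rev = medium(lookup(tab_b, host_a))
    return fwd, rev, fwd == rev


# Location 1 (ASA5510) as posted: only a default route toward the Internet.
# 203.0.113.193 is a placeholder for the masked *.*.119.193 gateway.
LOC1_BEFORE = build_table([
    "route outside 0.0.0.0 0.0.0.0 203.0.113.193 1",
])
# Location 1 after the change. The 10.1.1.0/24 line is the one from the accepted
# answer; the remaining lines apply the same pattern to the other site networks
# that appear in the Location 2 route table (assumption, not from the thread).
LOC1_AFTER = LOC1_BEFORE + build_table([
    "route Dyer-MPLS 10.1.1.0 255.255.255.0 10.1.5.254 1",
    "route Dyer-MPLS 10.1.2.0 255.255.255.0 10.1.5.254 1",
    "route Dyer-MPLS 10.1.4.0 255.255.255.0 10.1.5.254 1",
    "route Dyer-MPLS 192.168.1.0 255.255.255.0 10.1.5.254 1",  # 'Warner'
])
# Location 2 (PIX-515E) as posted, with the 'Warner' name expanded to 192.168.1.0.
# 203.0.113.177 is a placeholder for the masked *.*.75.177 gateway.
LOC2_BEFORE = build_table([
    "route outside 0.0.0.0 0.0.0.0 203.0.113.177 1",
    "route inside 10.1.1.0 255.255.255.0 10.1.4.253 1",
    "route inside 10.1.2.0 255.255.255.0 10.1.4.253 1",
    "route inside 192.168.1.0 255.255.255.0 10.1.4.253 1",
])
# Location 2 with the two routes the accepted answer gives for Location 1's networks.
LOC2_AFTER = LOC2_BEFORE + build_table([
    "route inside 192.168.18.0 255.255.255.0 10.1.4.253 1",
    "route inside 10.1.5.0 255.255.255.0 10.1.4.253 1",
])

if __name__ == "__main__":
    pairs = (("before", LOC1_BEFORE, LOC2_BEFORE),
             ("loc1 only", LOC1_AFTER, LOC2_BEFORE),
             ("after", LOC1_AFTER, LOC2_AFTER))
    for label, t1, t2 in pairs:
        fwd, rev, ok = check_symmetry(t1, t2, "192.168.18.10", "192.168.1.10")
        print(f"{label:9}: loc1->loc2 via {fwd:4}, loc2->loc1 via {rev:4}, symmetric={ok}")
```

The "loc1 only" row is the trap the answer warns about: adding routes on one side only sends traffic out over MPLS while the reply still comes back through the VPN.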
LVL 1

Author Comment

by:almostfamous
ID: 35817594
I am sorry for the late response too... I had to put this project on hold 3 weeks ago. I hired a temp who should be here today to help me with it. Thank you for your help and time.
