Connect two sites using Cisco ASA via a MPLS connection

Currently we have client that is expanding their business to an additional building.  They have decided to use an MPLS to interconnect the two buildings, allowing the remote site to use the main site's resources and communicate in between each other effectively via voice and data communications.  

Windstream is providing the MPLS in between their two routing devices and then handing it off to our ASA 5500s.  The network setup is Main LAN -> Switch -> Cisco ASA -> Windstream Router -> MPLS -> Windstream Router -> Cisco ASA -> Remote LAN.  Currently each site handles its own internet connection.  Both ASAs have two connections to the Windstream device; one on the ASA's outside interface to an interface on the Windstream router designated for Internet traffic, and one connection to one of the ASA's inside-network switchports connecting to the interface on the Windstream router designated for traffic in between the two LANs.

I was able to get both networks to communicate with each other via pings by creating a static route on the ASAs to the inside-network Windstream router interface for each corresponding LAN.  I then had to create a NAT exemption rule for inbound and outbound traffic on the ASA inside-network interface, as packet traces revealed that NAT was blocking communications.  Once this was done I was able to communicate via pings in between the sites, however I can't perform any other more complicated functions in between the LANs like RDP or accessing shares.

As a troubleshooting step I have already allowed all IP (even added TCP and UDP for good measure) traffic inbound and outbound from these LANs to occur, so I know it is not a firewall rule that is preventing it.  I have also performed a packet trace using the 3389 RDP port in between the sites and it passes, even though actually performing the function does not.  If any other information is needed to help us troubleshoot this issue, please let us know.  

Thank You
webfullcircleAsked:

mcp_jonCommented:
0
gavvingCommented:
To rule out configuration issues with the ASAs we'll really need to see the configurations.  Can you post sanitized configs (remove passwords, external IPs, etc)?

Also, what about routing configurations on the Windstream routers?  Do they have routes configured for the inside IP block at each site and point to the interface of the ASA to get to that IP block?  Can you source pings from the inside interfaces of the ASAs and ping to the other end?  Do that by doing the command:

management-access inside

then

ping inside <IP of remote windstream ethernet>
ping inside <IP of remote ASA windstream interface>
ping inside <IP of inside ASA interface>
ping inside <IP of server on inside LAN at remote site>

What is the result of those tests?
0
webfullcircleAuthor Commented:
mcp jon,
Thank you for your link, however I do not believe it will resolve my issue as our sites have two connections to their Windstream router; an inside and outside interface.  The Windstream router has an interface specifically set up to handle inside traffic in between the two sites.  That link seems to be for a scenario where there is only one interface offered by the ISP.

gavving,
Yes I am able to ping from one router to another using the ping tool provided by the ASDM.  I can also ping from a computer on one side to a server on the other side.  A tracert does come back with the name of the main site's server when I run it from a PC on the remote site.  I have attached the two configurations being used on these ASAs; ASA1config is the main site's ASA and ASA2config is the remote site's.  The main ASA does have VPN set up but I am trying to use the MPLS to interconnect the two sites; the VPN is for mobile users.  I have changed the IP addresses and domain name, but tried to keep them consistent so if there is an error in my setup it can still be discovered. asa1config1.txt ASA2Config.txt
0

gavvingCommented:
Now it's clear what you're trying to do.  I thought from your description that you had the Windstream MPLS connection plugged into a DMZ VLAN on the firewall.  You're probably using the ethernet ports on the firewall, but actually have the MPLS connection plugged into the inside VLAN.

So this means that you're trying to use the ASA as a router, something that it actually doesn't do very well.  Historically all traffic flowing into the PIX/ASA platform had to be inspected and NATed (or excluded from NAT), and thus this type of configuration actually didn't work.  The packet would hit the ASA, go in the inside interface, go out the inside interface, be routed to the next hop and traverse correctly.  The problem is the packet coming back from the destination never hits the ASA.  It's sent directly from the MPLS connection on the Windstream router to the PC, so that means the ASA never inspected it.  So when the next packet comes from the source, it hits the ASA, it has no idea that the TCP session is valid, and drops it.  It never saw the reply, so it assumes there was no reply.

Anyway, the fix is one of 2 solutions.  Either make your default gateway the Windstream MPLS router, and have its default gateway set to the inside interface of the ASA.  It will take care of the routing and then MPLS traffic never hits the ASA.  Or you can configure TCP state bypass on the ASA.  This sets up the ASA to route the traffic in/out the inside interface but ignore the fact that it's not seeing both sides of the TCP conversation.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

0

gavvingCommented:
FYI here's another link that has a more applicable example:

http://inetpro.org/wiki/ASA_Asymmetric_Routing
0
mcp_jonCommented:
Much clearer now :)

Just like gavving said, ASA and PIX are somewhat weird when it comes to acting as a router.

Have you checked his link ?

Cheers.
0
webfullcircleAuthor Commented:
That sounds like exactly what is happening.  I will try to set it up this afternoon for TCP-State bypass and see how it works.  I will update this question on whether or not it works once I get it thoroughly tested, however I am optimistic this will be the solution to my problem.  Thank you gavving.
0
webfullcircleAuthor Commented:
I've got to upgrade both ASAs to get this solution to work as they are lower than version 8.2.  I will be upgrading both ASAs over the weekend and then attempting this proposed solution.
0
gavvingCommented:
I just thought of this, but I'd upgrade to 8.2.5.  If you go to the higher versions than that the NAT methodology changes completely.  Make sure you completely read up on it if you go to a version higher than 8.2.x.
0
webfullcircleAuthor Commented:
I used this solution with ASAs upgraded to 8.2.5 and it worked properly.  I did have to add one additional step to get this to work, which was to set up NAT u-turning, using a static NAT rule with the norandomseq option.  Thank you for your assistance, it was extremely helpful gavving.
0
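For reference, here is what the configuration gavving describes (route out the inside interface, NAT exemption, TCP state bypass) plus the u-turn static the asker added looks like on one ASA running 8.2.x. This is an added example written for this page, not the asker's attached config; the addressing (main LAN 10.1.1.0/24 behind ASA1 with inside address 10.1.1.1, Windstream LAN-side port 10.1.1.2, remote LAN 10.2.2.0/24) is constructed, and the remote ASA mirrors it with the two LANs swapped.

```cisco
! ASA1 (main site), ASA 8.2.x syntax. Addressing below is constructed for this
! example: main LAN 10.1.1.0/24, ASA1 inside 10.1.1.1, Windstream LAN-side
! port 10.1.1.2, remote LAN 10.2.2.0/24 reached across the MPLS.
!
! 1. Send the remote LAN back out the inside interface to the Windstream router
route inside 10.2.2.0 255.255.255.0 10.1.1.2 1
!
! 2. Permit traffic to enter and leave the same interface (inside -> inside)
same-security-traffic permit intra-interface
!
! 3. NAT exemption so site-to-site traffic is not translated
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 4. TCP state bypass, scoped ONLY to the two LANs. The reply packets come
!    straight from the Windstream router to the PC and never cross the ASA,
!    so for these flows the ASA must not insist on seeing both halves of the
!    handshake. Bypass also disables TCP normalization and connection
!    tracking for matched flows, so keep the ACL as narrow as possible;
!    Internet-bound traffic keeps full stateful inspection.
access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface inside
!
! 5. Identity (u-turn) static for the remote LAN on the inside interface, the
!    extra step the asker reported. norandomseq stops the ASA from rewriting
!    TCP sequence numbers on a flow it only ever sees in one direction.
!    (Assumed form of the asker's static rule; the thread does not show it.)
static (inside,inside) 10.2.2.0 10.2.2.0 netmask 255.255.255.0 norandomseq
```

To confirm the policy is matching, `show service-policy interface inside` should show packet counts rising under the tcp_bypass class while an RDP session runs, and `show conn` lists the bypassed connections with the `b` flag.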
webfullcircleAuthor Commented:
The links and the explanation of how it was a solution were extremely helpful.
0