VPN Routing Situation

Posted on 2012-04-02
Last Modified: 2012-05-08
Okay, we have in total, we'll say, 7 sites/locations. Two of these are managed by ourselves and the rest are managed by the ISP. The two that we manage (router 1 and router 2) are connected via a site-to-site/ipsec-l2l (one is an ASA 5510, one is an ASA 5505) and ONE (router 2) of these is also connected to a single ISP router via an additional site-to-site.

All of the ISP routers are connected in a mesh network using MPLS and we don't have any access to these. The local IP scheme in use is 192.168.1-8.xxx we'll say.

Assuming the ISP has their equipment set up correctly, how will it be possible to make router 1 (and router 2 for that matter) communicate with the rest of the locations? I'm guessing I need to put some type of route in the ASAs like:

route inside 192.168.0.0 255.255.0.0 [isp_wanIP]

Can you even do static routes across a lan to lan VPN?
Question by:TechGuy_007
2 Comments
Expert Comment

by:Bassam_bnd
ID: 37798850
I think you need to access your ISP routers as well,
because the inverse route should be configured on those routers.

Accepted Solution

by: Fred Marshall (earned 2000 total points)
ID: 37799188
Well, first of all I'd just skip the VPN part (in concept for now) because you have an MPLS sort of connection and have the choice of using VPN or not, right? I think the routing issues are similar.

I'm rather surprised that there are "ISP routers" involved but maybe I don't understand the setup yet.

In the MPLS setups that I'm familiar with, the ISP provides what really looks like a switch and all your sites plug into that switch in essence.

What we do with this is the following:

Set up a router at each site that's connected to the MPLS.
Set up an "interim subnet" that supports all the connections to the MPLS.
So, you might have:
192.168.100.101 to 192.168.100.107 for 7 sites all on the "ISP" or MPLS side of routers at each site.
Then on the LAN side of those routers you would have, let us say, subnets:
10.0.1.0/24 through 10.0.7.0/24.
So, for example, one router would have
10.0.1.0/24 on the LAN side and 192.168.100.101 on the WAN side.
10.1.2.0/24 on the LAN side and 192.168.100.102 on the WAN side.
etc.

Each router will have routes going to each subnet via the router WAN addresses.
Each LAN gateway will have routes going to all the subnets pointing to its local interconnect router address such as 10.0.1.xxx.
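The following is an added worked example, not configuration from the thread or from any of its participants. It models the layout Fred describes (an interim MPLS-side subnet, one /24 per site, a site router with a static per remote LAN pointing at that site's WAN address, and a LAN gateway pointing every remote LAN at its local interconnect router) and follows a packet's forwarding decision hop by hop. It also models the point raised in the first comment: if a router you do not control never gets its reverse route, traffic in one direction is dropped while the other direction still "works". All addresses (192.168.100.0/24 as the interim subnet, 10.0.N.0/24 per site, .1 for the site router and .254 for the LAN gateway) are assumptions chosen to match the answer's sketch, not values from the original question.

```python
"""Routing model for a 7-site MPLS layout. Constructed example; addressing is assumed:
  interim (MPLS-side) subnet 192.168.100.0/24, site N router WAN address 192.168.100.(100+N)
  site N LAN 10.0.N.0/24, site router LAN address 10.0.N.1, LAN gateway 10.0.N.254
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address
Route = Tuple[IPv4Net, Optional[IPv4Addr], str]  # (prefix, next hop or None if connected, interface)

SITES = range(1, 8)
INTERIM = ipaddress.ip_network("192.168.100.0/24")


def site_lan(n: int) -> IPv4Net:
    return ipaddress.ip_network(f"10.0.{n}.0/24")


def site_wan_addr(n: int) -> IPv4Addr:
    return ipaddress.ip_address(f"192.168.100.{100 + n}")


def site_router_lan_addr(n: int) -> IPv4Addr:
    return ipaddress.ip_address(f"10.0.{n}.1")


def site_gateway_addr(n: int) -> IPv4Addr:
    return ipaddress.ip_address(f"10.0.{n}.254")


def site_router_table(n: int) -> List[Route]:
    """Site router: two connected networks plus one static per remote LAN via that site's WAN address."""
    table: List[Route] = [(site_lan(n), None, "inside"), (INTERIM, None, "outside")]
    table += [(site_lan(m), site_wan_addr(m), "outside") for m in SITES if m != n]
    return table


def lan_gateway_table(n: int) -> List[Route]:
    """LAN gateway: every remote LAN points at the local interconnect router's LAN address."""
    table: List[Route] = [(site_lan(n), None, "lan")]
    table += [(site_lan(m), site_router_lan_addr(n), "lan") for m in SITES if m != n]
    return table


def lookup(table: List[Route], dst: IPv4Addr) -> Optional[Route]:
    """Longest-prefix match, the same rule a real forwarding table applies."""
    matches = [r for r in table if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def build_devices(missing=frozenset()) -> Dict[IPv4Addr, Tuple[str, List[Route]]]:
    """Map every router/gateway address to (device name, routing table).
    `missing` holds (device name, prefix) pairs to delete, modelling a box that never got its route."""
    devices: Dict[IPv4Addr, Tuple[str, List[Route]]] = {}
    for n in SITES:
        for name, table, addrs in (
            (f"router{n}", site_router_table(n), (site_wan_addr(n), site_router_lan_addr(n))),
            (f"gateway{n}", lan_gateway_table(n), (site_gateway_addr(n),)),
        ):
            table = [r for r in table if (name, r[0]) not in missing]
            for a in addrs:
                devices[a] = (name, table)
    return devices


def site_of(addr: IPv4Addr) -> Optional[int]:
    return next((n for n in SITES if addr in site_lan(n)), None)


def trace_path(src: str, dst: str, missing=frozenset(), max_hops: int = 8) -> List[str]:
    """Follow the forwarding decision hop by hop from a host at src toward dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    n = site_of(s)
    if n is None:
        raise ValueError(f"{src} is not inside any site LAN")
    path = [f"host {s}"]
    if d in site_lan(n):
        return path + ["delivered (same LAN)"]
    devices = build_devices(missing)
    name, table = devices[site_gateway_addr(n)]  # hosts default-route to their LAN gateway
    for _ in range(max_hops):
        path.append(name)
        route = lookup(table, d)
        if route is None:
            return path + ["DROP: no route"]
        prefix, next_hop, _iface = route
        if next_hop is None:  # connected network: deliver here or fail here
            return path + ["delivered" if d in prefix else "DROP: not on connected net"]
        if next_hop not in devices:
            return path + [f"DROP: next hop {next_hop} unknown"]
        name, table = devices[next_hop]
    return path + ["DROP: hop limit (loop?)"]


def both_directions_ok(a: str, b: str, missing=frozenset()) -> bool:
    """Reachability only counts if the reply path resolves too."""
    return trace_path(a, b, missing)[-1] == "delivered" and trace_path(b, a, missing)[-1] == "delivered"


if __name__ == "__main__":
    print(trace_path("10.0.1.50", "10.0.7.20"))
    # Site 7's router is missing its reverse route to site 1: replies from site 7 are dropped there.
    broken = {("router7", site_lan(1))}
    print(trace_path("10.0.7.20", "10.0.1.50", broken))
    print(both_directions_ok("10.0.1.50", "10.0.7.20", broken))
```

Two things the trace makes visible that the prose leaves implicit: the site router needs a full entry per remote LAN (a single summary such as 192.168.0.0/16 only works if every site sits inside it and the next hop is the same for all of them), and a one-way ping test is not enough, because the drop in the missing-route case happens on the remote router, which only the party managing that router can fix.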
