emeka57

asked on

Cisco ASDM config with MPLS & backup site to site VPN

Hi -

I currently have 5 locations with identical setups:

Cisco ASA 5510 8.4(5) ASDM 7.1(1)52
primary circuit 100mbps fiber (with site-to-site MPLS)
backup circuit 100/50mbps cable
addt'l circuit 20/5mbps cable

Currently, we're running site-to-site VPNs from each site to every other site.  I created an MPLS route to one other site.  I could ping their MPLS gateway, but could not get to anything beyond that.  I've since removed that route.

My ideal setup, at each site, would look like this:

primary circuit 100mbps (with MPLS site-to-site connectivity) - if this fails:
use the backup circuit (100/50mbps cable) to provide DIA and site-to-site connectivity via VPN
alternative circuit for spillover or for guest internet access
InteraX

Hi there.

This can be achieved. I am using this type of setup. The thing to remember is that the routing decision takes place before the IPsec decision/rules. The overview is as follows.

Routing setup:

The easiest thing to do is read out the routing tables from your MPLS provider if they can set that up for you. If not, setup static routes using SLA monitoring to ping the remote site MPLS router. This then routes the traffic via one interface or the other.

VPN setup:

Configure the VPN on each interface you want to encrypt traffic on. You can configure encryption on one or both egress interfaces according to the company requirements.

It's not too much additional config per firewall if you want to encrypt the traffic on both egress interfaces.

Depending on how your company is looking to grow the VPN config will get increasingly complex.

We currently have approx. 30 sites and our VPN config runs to hundreds of lines for each firewall. Cisco produce a management tool called Cisco Security Manager. This makes setting up the VPN rules a breeze. You just add a firewall and tell it which subnets to encrypt and it generates the config and deploys it to each firewall for you.

Let me know if you need detailed config commands.
emeka57

ASKER

Yes. Can you assist me in setting this up via ASDM?  
What do I need to request from my ISP? Routing tables?

I presume you have a routed VPN. Can the ISP publish their routes for the MPLS via a routing protocol, eg. RIP/OSPF? If not, we're going to need to use routes with an SLA monitor. eg.

! SLA 1680: ICMP echo to the remote MPLS router, sent out of interface MPLS; the schedule line starts it
sla monitor 1680
 type echo protocol ipIcmpEcho 172.31.1.1 interface MPLS
sla monitor schedule 1680 life forever start-time now
track 6 rtr 1680 reachability
! remote-site routes via the MPLS gateway, metric 1; withdrawn from the table when track 6 is down
route MPLS 192.168.0.0 255.255.254.0 172.31.0.1 1 track 6
route MPLS 192.168.2.0 255.255.255.0 172.31.0.1 1 track 6

Once you've done this, you apply a standard IPsec VPN config. Have you done that before?
Sorry, I should have explained the command line config. There will be options in ASDM to create the SLA monitor when creating the routes.

If packets are destined for 192.168.0.0/23 & 192.168.2.0/24 traffic will be routed via any other route due to the metric being 1. This will only happen if track 4 is OK. Track 6 calls SLA monitor 1680. SLA Monitor 1680 sends pings out of interface MPLS to address 172.31.1.1 via 172.31.0.1.

This assumes that 172.31.1.1 and 172.31.0.1 are the MPLS gateway routers.

If these routes get removed from the routing table, the packets will get routed out of the interface with the next best route, falling back to the default route if necessary.

To configure the VPN see http://www.petenetlive.com/KB/Article/0000072.htm.
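The routing-before-IPsec idea from the reply above, written out as one complete ASA 8.4 CLI fragment (ASDM generates the same commands). This is an added example, not config from the thread or from Cisco: the interface names MPLS and Backup, the local LAN 192.168.4.0/24, the cable gateway 203.0.113.1 and the remote peer 198.51.100.10 are assumed; the remote prefixes and the 172.31.x MPLS addresses are the ones discussed above.

```cisco
! Added example (assumed names/addresses, see lead-in). Interfaces: inside, MPLS, Backup.

! 1. Reachability probe to the remote site's MPLS router, sent out of the MPLS interface
sla monitor 1680
 type echo protocol ipIcmpEcho 172.31.1.1 interface MPLS
 frequency 10
sla monitor schedule 1680 life forever start-time now
track 6 rtr 1680 reachability

! 2. Preferred path: remote LANs via the MPLS gateway. Both routes are withdrawn from
!    the routing table as soon as track 6 reports the probe unreachable.
route MPLS 192.168.0.0 255.255.254.0 172.31.0.1 1 track 6
route MPLS 192.168.2.0 255.255.255.0 172.31.0.1 1 track 6

! 3. Fallback path: default route out of the cable circuit. With the MPLS routes gone,
!    the remote LANs match this route, leave via Backup, and hit the crypto map there.
route Backup 0.0.0.0 0.0.0.0 203.0.113.1 1

! 4. Identity NAT so site-to-site traffic keeps its private addresses on the Backup path.
!    route-lookup keeps the NAT rule from overriding the routing decision for egress.
object network LOCAL-LAN
 subnet 192.168.4.0 255.255.255.0
object-group network REMOTE-LANS
 network-object 192.168.0.0 255.255.254.0
 network-object 192.168.2.0 255.255.255.0
nat (inside,Backup) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LANS REMOTE-LANS no-proxy-arp route-lookup

! 5. IPsec bound to the Backup interface only; traffic that egresses via MPLS never
!    reaches this crypto map, so nothing is double-handled while MPLS is up.
access-list VPN-TO-SITEB extended permit ip 192.168.4.0 255.255.255.0 object-group REMOTE-LANS
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto map BACKUP-MAP 10 match address VPN-TO-SITEB
crypto map BACKUP-MAP 10 set peer 198.51.100.10
crypto map BACKUP-MAP 10 set ikev1 transform-set TS-AES256
crypto map BACKUP-MAP interface Backup
crypto ikev1 enable Backup
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
```

The remote site needs the mirror image of this, including its own tracked routes; if only one side tracks the MPLS path, a one-way MPLS fault can send traffic out over MPLS in one direction and back over the VPN in the other. Check the failover with "show route" and "show track 6" while the probe target is unreachable.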

ASKER

I'm familiar with configuring site-to-site VPNs.  What I am unclear on is the following:

a. creating routes for MPLS traffic over my MPLS gateway
b. making the site-to-site the failover if MPLS fails

All using ASDM 8.4(5)
ASKER CERTIFIED SOLUTION
InteraX
