Solved

MPLS Design and Web Browsing from remote sites

Posted on 2014-04-02
Last Modified: 2016-02-14
Hi

We are changing to a private MPLS solution where several remote sites will be connected back into an HQ site.  These remote sites will need the ability to web browse via the Main site's secured internet connection.

The proposed solution is to drop in an MPLS utilising Juniper SRX110 (3rd party supplied), these will all terminate to another single SRX110 at the main site.

I have been told that I will need some form of NAT translator in order to allow the remote clients to browse the internet; is this correct?  If so, where would it be placed?  Also, any recommendations on this, perhaps an ASA5510?

I have attached a very basic layout of what I believe it should look like, please feel free to comment.

Once again your assistance with this is appreciated.

Thanks
Drawing1.jpg
Question by:dyson8604

5 Comments

Expert Comment

by:Fred Marshall
ID: 39973675
I'm using an SRX240 as a main site firewall.  I wouldn't add that level of cost and complexity for the MPLS interfaces however.
Your diagram is almost like what one might envision.
I'm using RV042's for this purpose.
(The only thing with them is that the main site WAN port is on the "inside" and the main site LAN port is on the MPLS, which is the opposite for the remote site routers).
This is a pretty simple application.

One good way to do it is this:
Select an "interim LAN" subnet like 192.168.200.0/24.
This will run over the MPLS.

Put a router (in router mode with no NAT) at each site connecting to the MPLS.
Remote LANs as you have them:
192.168.10.0/24
192.168.11.0/24
192.168.12.0/24
Main site 192.168.254.0/24

Main site router:
192.168.254.109 on LAN side; 192.168.200.109 on MPLS side.
Site 1 router:
192.168.10.1 on LAN side; 192.168.200.110 on MPLS side.
Site 2 router:
192.168.11.1 on LAN side; 192.168.200.111 on MPLS side.
Site 3 router:
192.168.12.1 on LAN side; 192.168.200.112 on MPLS side.

Since the remote site routers will be the site's internet gateway then that takes care of routing there.
Since the main site router won't be the site's internet gateway then you will need routes in the main site internet gateway like this:
192.168.10.0/24 to 192.168.254.109
192.168.11.0/24 to 192.168.254.109
192.168.12.0/24 to 192.168.254.109

Also, if the main site internet gateway has any sort of LAN-side monitoring such as stateful packet inspection, be aware of this:
- packets arriving from the remote sites to the main site will go directly out onto the wire on the main site LAN, bypassing the main site internet gateway.
- packets returning from the above *will* go first to the internet gateway which may block them as being not in response to anything it knows about.
So, you may need to add a setting or two to the main site internet gateway to accommodate this sort of issue.

Author Comment

by:dyson8604
ID: 39975623
Hi

Thanks for the response; most of that makes sense and stacks up.  In relation to the returning packets, I understand they will hit the internet gateway (Netscreen) first; how are these then translated to the remote sites?

thanks again.

Expert Comment

by:Fred Marshall
ID: 39975689
They get to the remote sites by the routes I listed.
The routes tell the router to send the packets to the local MPLS interface device.

I should have mentioned:
The MPLS devices need routes to each of the sites.
So the MPLS device at 192.168.10.0/24 would have routes to
192.168.254.0 to 192.168.200.109
192.168.11.0 to 192.168.200.111
192.168.12.0 to 192.168.200.112
.........and similarly for the other 3 MPLS routers - pointing to the other 3 subnets.

This assumes that you want the remote sites interconnected as well as connected to the main site.  If all you want is a main site connection then you only need the first one.
But the main site MPLS device needs them all as in:
192.168.10.0 to 192.168.200.110
192.168.11.0 to 192.168.200.111
192.168.12.0 to 192.168.200.112
(and to 0.0.0.0 which should be taken care of by the router's own entered gateway address.)
The remote sites' gateway would be the "interim LAN" address of the main site MPLS router.
The main site's gateway would be the main site internet gateway LAN address.

So, the main site internet gateway would have a route that sends packets destined for the remote sites to the MPLS device.
The MPLS device will have a route that sends the packets to the remote site MPLS device on the "interim LAN" (as above).
The MPLS device at the remote site will forward the packets to its own LAN and out onto the wire without adding any special routes at that end for that purpose.

Author Comment

by:dyson8604
ID: 39991917
Hi fmarshall

Any chance of a basic anonymised diagram of your setup so I can quick reference etc?  Cheers

Accepted Solution

by:Fred Marshall (earned 500 total points)
ID: 39993165
***Main site:

Internet gateway router assigned LAN address of 10.1.1.1/24
LAN routes added to remote subnets:
10.1.2.0/24 to 10.1.1.2 (the local MPLS router)
10.1.3.0/24 to 10.1.1.2 (the local MPLS router)

RV042 Main site MPLS router: (see footnote)
In Router Mode (not Gateway Mode)
*WAN* assigned IP address 10.1.1.2/24 and connected to the site LAN.
Gateway 10.1.1.1
DNS 10.1.1.1
*LAN* assigned IP address 192.168.200.201 and connected to the MPLS
Routes to remote sites:
10.1.2.0/24 to 192.168.200.202
10.1.3.0/24 to 192.168.200.203

***Remote Site #2

RV042 site 2 MPLS router:
In Router Mode (not Gateway Mode)
*WAN* assigned IP address 192.168.200.202 and connected to the MPLS
Gateway 192.168.200.201
DNS 192.168.200.201
*LAN* assigned IP address 10.1.2.2/24 and connected to the site LAN.
Routes to remote sites:
10.1.1.0/24 to 192.168.200.201
10.1.3.0/24 to 192.168.200.203

***Remote Site #3

RV042 site 3 MPLS router:
In Router Mode (not Gateway Mode)
*WAN* assigned IP address 192.168.200.203 and connected to the MPLS
Gateway 192.168.200.201
DNS 192.168.200.201
*LAN* assigned IP address 10.1.3.2/24 and connected to the site LAN.
Routes to remote sites:
10.1.1.0/24 to 192.168.200.201
10.1.2.0/24 to 192.168.200.202

*Footnote:  For the RV042 to do this job, it appears that it's necessary for the WAN ports to all "point toward" the internet source.  So, the WAN and LAN connections at the main site are the reverse of the WAN and LAN connections at the remote sites.  The remote site connections look more typical and the main site connections look a little strange.
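Editor's worked example, added to the thread and not part of any reply, nor RV042 or Netscreen configuration syntax: a small Python model of the forwarding tables from the accepted solution (10.1.x.x plan; the first comment's 192.168.x plan is the same design with different addresses and the same model applies). It traces a packet hop by hop and shows the three things the thread discusses: remote-site web traffic reaches the internet only via the main-site gateway, so the RV042s stay NAT-free and any translation belongs on that gateway (that the Netscreen NATs outbound traffic is the editor's assumption, not a statement in the thread); a remote-to-main-LAN packet bypasses the Netscreen while its reply passes through it, which is the asymmetric path behind the stateful-inspection warning; and what happens to a reply when the LAN routes on the Netscreen are forgotten. The sample host addresses (10.1.1.50, 10.1.2.50, 10.1.3.50), the 203.0.113.9 destination and the INTERNET placeholder for the gateway's WAN side are constructed for the example.

```python
"""Hop-by-hop trace of the routed, NAT-free MPLS design described in the thread."""
import copy
import ipaddress

# Forwarding tables from the accepted answer (10.1.x.x plan).  A next hop of
# None means "directly connected"; "INTERNET" stands in for the Netscreen's
# WAN side (assumed here, not stated in the thread, to NAT outbound traffic).
DEVICES = {
    "inet-gw": {  # main-site internet gateway (Netscreen), LAN 10.1.1.1
        "ifaces": ["10.1.1.1"],
        "routes": [("10.1.1.0/24", None),
                   ("10.1.2.0/24", "10.1.1.2"),   # LAN routes the answer adds
                   ("10.1.3.0/24", "10.1.1.2"),
                   ("0.0.0.0/0", "INTERNET")],
    },
    "main-mpls": {  # RV042: WAN 10.1.1.2 on the site LAN, LAN .201 on the MPLS
        "ifaces": ["10.1.1.2", "192.168.200.201"],
        "routes": [("10.1.1.0/24", None), ("192.168.200.0/24", None),
                   ("10.1.2.0/24", "192.168.200.202"),
                   ("10.1.3.0/24", "192.168.200.203"),
                   ("0.0.0.0/0", "10.1.1.1")],
    },
    "site2-mpls": {  # RV042: WAN .202 on the MPLS, LAN 10.1.2.2
        "ifaces": ["192.168.200.202", "10.1.2.2"],
        "routes": [("10.1.2.0/24", None), ("192.168.200.0/24", None),
                   ("10.1.1.0/24", "192.168.200.201"),
                   ("10.1.3.0/24", "192.168.200.203"),
                   ("0.0.0.0/0", "192.168.200.201")],
    },
    "site3-mpls": {  # RV042: WAN .203 on the MPLS, LAN 10.1.3.2
        "ifaces": ["192.168.200.203", "10.1.3.2"],
        "routes": [("10.1.3.0/24", None), ("192.168.200.0/24", None),
                   ("10.1.1.0/24", "192.168.200.201"),
                   ("10.1.2.0/24", "192.168.200.202"),
                   ("0.0.0.0/0", "192.168.200.201")],
    },
}

# Constructed sample hosts (not from the thread): address -> default gateway.
# Remote hosts point at the local MPLS router, main-site hosts at the Netscreen.
HOSTS = {"10.1.1.50": "10.1.1.1", "10.1.2.50": "10.1.2.2", "10.1.3.50": "10.1.3.2"}


def lookup(device, dst):
    """Longest-prefix match in one device's table; None = directly connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in device["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def owner_of(addr, devices):
    """Which device holds this interface address."""
    for name, dev in devices.items():
        if addr in dev["ifaces"]:
            return name
    raise LookupError(f"{addr} is not a router interface")


def trace(src, dst, devices=DEVICES, hosts=HOSTS, max_hops=8):
    """Path from host src toward dst: [src, router, ..., dst or 'INTERNET']."""
    path = [src]
    # A host delivers on-subnet traffic itself (all site LANs are /24s here).
    if ipaddress.ip_address(dst) in ipaddress.ip_network(src + "/24", strict=False):
        return path + [dst]
    next_hop = hosts[src]
    for _ in range(max_hops):
        name = owner_of(next_hop, devices)
        path.append(name)
        next_hop = lookup(devices[name], dst)
        if next_hop is None:          # destination is on a directly connected LAN
            return path + [dst]
        if next_hop == "INTERNET":    # leaves via the Netscreen's WAN side
            return path + ["INTERNET"]
    raise RuntimeError("routing loop: " + " -> ".join(path))


def is_symmetric(a, b, **kw):
    """True when b's reply retraces a's path, which is what a stateful gateway expects."""
    return trace(a, b, **kw) == list(reversed(trace(b, a, **kw)))


def without_gateway_routes():
    """Failure mode: the two LAN routes on the Netscreen are forgotten."""
    devs = copy.deepcopy(DEVICES)
    devs["inet-gw"]["routes"] = [r for r in devs["inet-gw"]["routes"] if r[1] != "10.1.1.2"]
    return trace("10.1.1.50", "10.1.2.50", devices=devs)  # reply leaks toward INTERNET


if __name__ == "__main__":
    for a, b in [("10.1.2.50", "203.0.113.9"), ("10.1.2.50", "10.1.1.50"),
                 ("10.1.1.50", "10.1.2.50"), ("10.1.2.50", "10.1.3.50")]:
        print(" -> ".join(trace(a, b)))
    print("remote <-> main LAN symmetric:", is_symmetric("10.1.2.50", "10.1.1.50"))
    print("reply with Netscreen routes missing:", " -> ".join(without_gateway_routes()))
```

Run it and the trace to watch is 10.1.1.50 to 10.1.2.50: the main-site host hands the reply to the Netscreen, which never saw the inbound packet from the remote site (that one went site2-mpls to main-mpls straight onto the main LAN). That is the asymmetry the first comment warns about, and the reason the gateway may need "a setting or two" before remote hosts can talk to main-site servers. The last trace shows why the two LAN routes on the Netscreen are not optional: without them the reply is matched by the default route and sent out toward the internet instead of back over the MPLS.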