Solved

Need help doing MPLS on Cisco ASA 5510s

Posted on 2014-07-30
Last Modified: 2014-08-25
So my ISP has put a router on the inside of each network at both locations. From the ASAs, I am able to ping the other internal router interface, so I know the MPLS is up and passing traffic. I cannot, however, communicate over the internal subnets (192.168.40.0 to 192.168.40.128). Can someone take a look at this and let me know where I am messing up? I will only post the one config unless you need more. They are pretty much identical setups.

!
hostname DALLAS

!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address OUTSIDEPUBLIC 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.40.129 255.255.255.128
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!

ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.40.134
 name-server 8.8.8.8
 domain-name DOMAIN
same-security-traffic permit intra-interface
access-list 110 extended permit ip 192.168.40.128 255.255.255.128 192.168.47.0 255.255.255.0
access-list 110 extended permit ip 192.168.40.128 255.255.255.128 192.168.40.0 255.255.255.128
access-list 100 extended permit icmp any any
access-list 130 extended permit ip 192.168.40.128 255.255.255.128 192.168.40.0 255.255.255.128
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
access-list outside_nat0_outbound extended permit ip 192.168.40.128 255.255.255.128 192.168.40.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.40.128 255.255.255.128 192.168.40.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.40.131 www netmask 255.255.255.255
access-group 100 in interface outside
access-group acl_out in interface inside
route outside 0.0.0.0 0.0.0.0 OUTSIDEGATEWAYIP 1
route inside 192.168.40.0 255.255.255.128 192.168.40.220 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set BT esp-3des esp-sha-hmac
crypto ipsec transform-set CB esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Houston 31 match address 131
crypto map Houston 31 set peer A DIFFERENT NON MPLS SITE
crypto map Houston 31 set transform-set myset

crypto map Houston interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 47
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 51
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

tunnel-group NON MPLS type ipsec-l2l
tunnel-group NON MPLS ipsec-attributes
 pre-shared-key *****

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:694940d5721c0d6407165d595c9855f0
: end
Question by: j_crow1

3 Comments

Expert Comment by: rauenpc
I believe you are running into asynchronous routing. What this means is that the users on the inside are likely configured to use the ASA directly as a default gateway. When they send out traffic, it uses the ASA as a default gateway, and the ASA has a route on the inside to forward traffic. You're already permitting same-security intra-interface traffic (although I don't see a no nat statement for the traffic), so this may be good or not quite finished. Either way, let's assume that the traffic reaches the destination. On the return side, the traffic will make it from the remote site back to your local MPLS router in Dallas. Since that router is on the same subnet as your users, the router sends traffic directly to the user. Now your user sends another packet using the ASA as a default gateway, and the ASA will drop the traffic because it never saw the return traffic and considers this a broken or invalid session.
You have three choices to resolve this:
1. Configure the ASA to ignore state information for the user traffic. I do not recommend ever doing this unless absolutely necessary.
2. Change the default gateway to use the MPLS router instead of the ASA. The router will not care about the state information, so asynchronous traffic won't be an issue. This does mean that you have to rely on the ISP router for MPLS and internet-bound traffic routing. The ISP router will need some configuration done to support this routing. I'm not a huge fan of relying on ISP equipment when that wasn't the intention from the get-go, but this is a valid solution.
3. The best solution is to implement your own router or layer 3 switch, and let that decide if the traffic should go via MPLS or ASA to reach its destination. This gives you the best control, usually the best performance, and also provides the most efficiency when it comes to traffic patterns.
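To make the comment above concrete, the following is an added example (not part of rauenpc's reply or of the posted config). It shows the NAT exemption the comment says is missing, the ASA commands that reveal the state-table drop, and the configuration behind option 1. It assumes the pre-8.3 NAT syntax the posted config already uses, reuses access-list 130 from the config (local 192.168.40.128/25 to remote 192.168.40.0/25), and uses 192.168.40.140 (local host) and 192.168.40.10 (remote host) as constructed addresses.

```cisco
! --- Finishing the hairpin on the ASA (pre-8.3 NAT syntax, as in the posted config) ---
! access-list 130 already describes local 192.168.40.128/25 -> remote 192.168.40.0/25.
! Exempt that traffic from the "nat (inside) 1" PAT so the ASA forwards it untranslated
! back out the inside interface toward the MPLS router at 192.168.40.220.
nat (inside) 0 access-list 130

! --- Seeing the asynchronous-routing drop described in the comment ---
! Trace a constructed host (192.168.40.140) opening a TCP session to a constructed
! remote-site host (192.168.40.10). The outbound SYN is allowed and a conn is built.
packet-tracer input inside tcp 192.168.40.140 40000 192.168.40.10 80 detailed
! The remote site's reply comes back through the MPLS router straight to the host,
! so the ASA never sees it; the host's next packet has no valid session on the ASA.
! The accelerated security path drop counters show why (look for TCP state reasons
! such as tcp-3whs-failed or tcp-not-syn incrementing while the session is attempted):
show asp drop
! Only the outbound half of the session is ever visible in the connection table:
show conn address 192.168.40.140

! --- Option 1 from the comment: TCP state bypass (the least preferred choice) ---
! This turns off the TCP state check, sequence-number checking and most application
! inspection for the matched traffic only, so keep the ACL as narrow as possible.
access-list tcp_bypass extended permit tcp 192.168.40.128 255.255.255.128 192.168.40.0 255.255.255.128
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface inside
```

The NAT exemption and the show commands are worth running before changing anything else: if `show asp drop` shows the TCP state counters climbing only while the cross-site session is attempted, the comment's diagnosis is confirmed and options 2 and 3 remove the cause rather than the symptom.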
Author Comment by: j_crow1
So where would I put the new router? After my ASA and between the Internet router as well as the MPLS router?
Accepted Solution by: rauenpc (earned 500 total points)
The logical placement depends on whether you go with a router or a layer 3 switch. The layer 3 switch is the best choice.
If we are talking about the layer 3 switch, then it will replace the switch you have (or one of the switches, likely the one that connects to both the ASA and the MPLS router), and, once configured, users will use the new switch as a default gateway, and the switch will direct traffic. Logically this means that the switch is placed in front of the ASA and MPLS router on the inside of the network. Since it's all layer 2 in terms of subnetting, this device won't really be in front of, beside, or behind anything.
If you go with the router, it could hang off the same switch that the MPLS router and ASA connect to. Like the layer 3 switch, once the router is configured users will use that as a default gateway. This does mean that all traffic will hairpin through that router, so if you put an old router with a 10M interface in place to do this, the combined traffic for internet and MPLS would never be able to exceed 10M because all traffic would have to get to the router through the 10M connection before being directed to MPLS/ASA. With the L3 switch, your speed limit would theoretically be the slowest physical link in the path, so if the user and MPLS/ASA had a gig connection, then the user could run at gig speeds. Your MPLS and Internet speed will be the limiting factor in that scenario.
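As an added example of the accepted solution (not part of rauenpc's reply), here is the core of a Cisco IOS layer 3 switch configuration that becomes the users' default gateway and chooses between the MPLS router and the ASA. The two next hops come from the posted config: 192.168.40.129 is the ASA's inside address, and 192.168.40.220 is the next hop the ASA's `route inside` line uses for 192.168.40.0/25, i.e. the local MPLS router. VLAN 40, the switch address 192.168.40.130 and the port range are assumptions, not values from the page.

```cisco
! Enable IP routing on the switch (many Catalyst models default to layer 2 only)
ip routing
!
! SVI for the user LAN; this address becomes the hosts' default gateway
! (VLAN 40 and 192.168.40.130 are assumptions, not from the posted config)
interface Vlan40
 ip address 192.168.40.130 255.255.255.128
 ! keep every forwarding decision on the switch instead of letting hosts
 ! cache redirected next hops
 no ip redirects
!
! Users, the ASA inside interface and the MPLS router all sit in VLAN 40
! (port naming depends on the switch model; this range is an assumption)
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 40
!
! Remote site over MPLS -> local MPLS router (next hop taken from the ASA's route inside line)
ip route 192.168.40.0 255.255.255.128 192.168.40.220
! Everything else (Internet and the existing IPsec peer) -> ASA inside interface
ip route 0.0.0.0 0.0.0.0 192.168.40.129
!
! Verification: both static routes should be present and both next hops resolved
show ip route static
show ip arp 192.168.40.129
show ip arp 192.168.40.220
```

Once hosts point at 192.168.40.130 (via the DHCP scope or static settings), cross-site traffic never touches the ASA in either direction, so the state-table problem from the first comment disappears without any NAT exemption or state bypass on the ASA. The ASA's existing `route inside 192.168.40.0 255.255.255.128 192.168.40.220` can stay; it is only used if the ASA itself needs to reach the remote subnet.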