Need help doing MPLS on Cisco ASA 5510's

So my ISP has put a router on the inside of each network at both locations. From the ASAs, I am able to ping the other internal router interface, so I know the MPLS is up and passing traffic. I cannot however communicate over the internal subnets (, to ). Can someone take a look at this and let me know where I am messing up? I will only post the one config unless you need more. They are pretty much identical setups.

hostname DALLAS

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address

ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name DOMAIN
same-security-traffic permit intra-interface
access-list 110 extended permit ip
access-list 110 extended permit ip
access-list 100 extended permit icmp any any
access-list 130 extended permit ip
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
access-list outside_nat0_outbound extended permit ip
access-list outside_1_cryptomap extended permit ip
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface www www netmask
access-group 100 in interface outside
access-group acl_out in interface inside
route outside OUTSIDEGATEWAYIP 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set BT esp-3des esp-sha-hmac
crypto ipsec transform-set CB esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Houston 31 match address 131
crypto map Houston 31 set peer A DIFFERENT NON MPLS SITE
crypto map Houston 31 set transform-set myset

crypto map Houston interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 47
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 51
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh outside
ssh inside
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

tunnel-group NON MPLS type ipsec-l2l
tunnel-group NON MPLS ipsec-attributes
 pre-shared-key *****

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
The logical placement depends on whether you go with a router or a layer 3 switch. The layer 3 switch is the best choice.
If we are talking the layer 3 switch, then it will replace the switch you have (or one of the switches, likely the one that connects to both the ASA and the MPLS router), and, once configured, users will use the new switch as a default gateway, and the switch will direct traffic. Logically this means that the switch is placed in front of the ASA and MPLS router on the inside of the network. Since it's all layer2 in terms of subnetting, this device won't really be in front of, beside, or behind anything.
If you go with the router, it could hang off the same switch that the MPLS router and ASA connect to. Like the layer 3 switch, once the router is configured users will use that as a default gateway. This does mean that all traffic will hairpin through that router, so if you put an old router with a 10M interface in place to do this, the combined traffic for internet and MPLS would never be able to exceed 10M because all traffic would have to get to the router through the 10M connection before being directed to MPLS/ASA. With the L3 switch, your speed limit would theoretically be the slowest physical link in the path, so if the user and MPLS/ASA had a gig connection, then the user could run at gig speeds. Your MPLS and Internet speed will be the limiting factor in that scenario.
I believe you are running into asynchronous routing. What this means is that the users on the inside are likely configured to use the ASA directly as a default gateway. When they send out traffic, it uses the ASA as a default gateway, and the ASA has a route on the inside to forward traffic. You're already permitting same-security intra-interface traffic (although I don't see a no nat statement for the traffic), so this may be good or not quite finished. Either way, let's assume that the traffic reaches the destination. On the return side, the traffic will make it from the remote site back to your local MPLS router in Dallas. Since that router is on the same subnet as your users, the router sends traffic directly to the user. Now your user sends another packet using the ASA as a default gateway, and the ASA will drop the traffic because it never saw the return traffic and considers this a broken or invalid session.
You have three choices to resolve this:
1. Configure the ASA to ignore state information for the user traffic. I do not recommend ever doing this unless absolutely necessary.
2. Change the default gateway to use the MPLS router instead of the ASA. The router will not care about the state information, so asynchronous traffic won't be an issue. This does mean that you have to rely on the ISP router for MPLS and internet-bound traffic routing. The ISP router will need some configuration done to support this routing. I'm not a huge fan of relying on ISP equipment when that wasn't the intention from the get-go, but this is a valid solution.
3. The best solution is to implement your own router or layer 3 switch, and let that decide if the traffic should go via MPLS or ASA to reach its destination. This gives you the best control, usually the best performance, and also provides the most efficiency when it comes to traffic patterns.
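To make the drop described above concrete, here is an added Python model (not the ASA's own code, and the 10.1.0.x / 10.2.0.x addresses are constructed) of a stateful connection table that sees the user's SYN and later ACK but never the SYN-ACK returned directly by the MPLS router; it also walks the three outcomes listed in the answer: symmetric path, state bypass on the firewall, and a gateway other than the ASA.

```python
from dataclasses import dataclass, field

# Constructed addresses for the illustration: a Dallas user and a host at the
# remote MPLS site. They are not the poster's real subnets.
USER, REMOTE = "10.1.0.50", "10.2.0.10"


@dataclass
class StatefulFirewall:
    """Toy model of a stateful firewall's connection table (not the ASA's own code)."""
    tcp_state_bypass: bool = False              # choice 1 in the answer above
    conns: dict = field(default_factory=dict)   # (src, dst) -> handshake state seen

    def forward(self, src, dst, flags):
        """Return True if the segment is forwarded, False if dropped as out-of-state."""
        if self.tcp_state_bypass:
            return True                          # no state kept, nothing to compare against
        key, rkey = (src, dst), (dst, src)
        if flags == "SYN":
            self.conns[key] = "SYN_SENT"         # embryonic connection created
            return True
        if flags == "SYN-ACK" and self.conns.get(rkey) == "SYN_SENT":
            self.conns[rkey] = "SYN_RCVD"
            return True
        if flags == "ACK" and self.conns.get(key) in ("SYN_RCVD", "ESTABLISHED"):
            self.conns[key] = "ESTABLISHED"
            return True
        return False                             # never saw the rest of the handshake


def simulate(fw, outbound_via_asa=True, return_via_asa=False):
    """Walk a TCP handshake across the topology and report how it ends.
    outbound_via_asa: the user's default gateway is the ASA.
    return_via_asa:   replies also come back through the ASA (False models the
                      MPLS router handing them straight to the user)."""
    segments = [
        (USER, REMOTE, "SYN", outbound_via_asa),
        (REMOTE, USER, "SYN-ACK", return_via_asa),
        (USER, REMOTE, "ACK", outbound_via_asa),
    ]
    for src, dst, flags, crosses_asa in segments:
        if crosses_asa and not fw.forward(src, dst, flags):
            return f"dropped {flags} from {src}"
    return "established"


if __name__ == "__main__":
    print("ASA gateway, reply bypasses ASA:   ", simulate(StatefulFirewall()))
    print("symmetric path through ASA:        ", simulate(StatefulFirewall(), True, True))
    print("tcp-state-bypass on the ASA:       ", simulate(StatefulFirewall(True)))
    print("MPLS router / L3 switch as gateway:", simulate(StatefulFirewall(), False, False))
```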
j_crow1 (Author) commented:
So where would I put the new router? After my ASA and between the Internet router as well as the MPLS router?