
Typical CE Cisco router setup with MPLS/direct connection with two sites?

Wanted to see if I'm climbing the wrong tree or not -

Have a new MPLS setup going in place with a direct connection between two sites and both sites having internet - the ISP is providing an Ethernet hand-off with Adtran routers.

I have the task of configuring the CE (customer) router (Cisco) at both locations - with the config I believe it may just be a matter of ACLs and possibly NAT/PAT.

Is there more possibly to it - am I missing anything?
Would anyone know of an example config for Cisco?
Asked by AMtek
1 Solution
 
rauenpc commented:
I assume you mean to say that both sites will have a separate internet connection, but by chance did you mean that internet will be provided via MPLS?

The difference in configuration is pretty minimal, but you are correct that each router will need some routing configuration done for internal traffic, and then configuration for the NAT/Firewall portion of the config.

Most times I configure MPLS, I use BGP with the ISP, but if you only have two sites and don't plan to expand you could potentially go with static routing.

Config snippets, assuming you'll have a separate interface for internet

!IOS Firewall (CBAC) stateful inspection rules
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw esmtp timeout 3600

!outside (internet) interface
interface FastEthernet1
 description $ETH-WAN$
 ip address 9.9.9.9 255.255.255.248
 !ACL 110 (defined below) lists the inbound traffic allowed from the internet, such as ICMP, HTTPS, SMTP, etc.
 ip access-group 110 in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 load-interval 30
 no cdp enable

!inbound filter; a single host must be written with the "host" keyword (or a 0.0.0.0 wildcard)
access-list 110 permit icmp any any administratively-prohibited
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any traceroute
access-list 110 permit icmp any any unreachable
access-list 110 permit tcp any host 9.9.9.9 eq 25
access-list 110 permit tcp any host 9.9.9.9 eq 443
access-list 110 deny   ip any any log

!internet default route
ip route 0.0.0.0 0.0.0.0 9.9.9.8

!outbound NAT (PAT) onto the outside interface address
ip nat inside source list 102 interface FastEthernet1 overload

!first deny internal traffic (from being NAT'd) when destined for internal addresses
!This stops traffic going between the sites from being NAT'd, which would cause a problem
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

!MPLS, assuming you'll go with BGP
!Do not configure ip nat inside/outside on the MPLS-facing interface

interface FastEthernet0
 ip address 10.255.255.1 255.255.255.252

router bgp 65501
 no synchronization
 network 192.168.1.0 mask 255.255.255.0
 neighbor 10.255.255.2 remote-as 4072

This is pretty quick and generic, so there may be many changes needed to make your situation work, but most of those changes will be things specific to you - such as IP addresses.
 
AMtek (Author) commented:
Each site is supposed to have its own separate internet connection from the same provider, with a direct link (MPLS) between the sites.

Previously there was a separate ISP for each site and they were connected with an IPSec VPN.

So there is NAT/PAT already on each config for the internal network's routers (Cisco) along with an ACL for the IPSec - just wondering if/how much the configs might change with this setup.
 
rauenpc commented:
Basically, all the configuration related to internet connectivity should remain the same, except any required changes like public IP, gateway, etc. if the ISP is changing. What will change is that you can remove the VPN configuration (assuming no other VPN configuration is needed for things like client VPN), and you will either run static routing or BGP on the MPLS-connected interface. Internet traffic will use the static default route to get to the outside world, and BGP/static routes will point to the subnets that exist internally between the sites. Just make sure that on the interface that connects to MPLS, you don't enable NAT; otherwise things could get goofy or plainly not work.
 
AMtek (Author) commented:
Thanks. So the ISP installed their own routers; they said I didn't have to do anything with the configs except for the external IP and a single static route for internet. They took my info for the subnets in both sites and put the info in their routers to broadcast.

So my question now is related to NAT/PAT: since the internet and the direct link (MPLS) are over the same cable, how would I set up NAT/PAT?
I have several servers with static NAT configured in one site, then an overload statement for each subnet.

Again, each site has internet. Thanks.
 
rauenpc commented:
If you get internet and MPLS on the same physical link, and this is with no logical separation using VLANs/tags, this can still be done, but it is just slightly more complicated... at first. Once you see it working, then it makes total sense.

You will need to make use of an extended ACL for this to work.

The access-list will first deny traffic that you DON'T want to be NAT'd, then it will permit all other traffic to be NAT'd. The example below is very broad. You can certainly reduce the private addresses to just those that exist within your organization.

!Deny NAT anytime the destination is a private IP address (RFC1918)
access-list 101 deny   ip any 192.168.0.0 0.0.255.255
access-list 101 deny   ip any 172.16.0.0 0.15.255.255
access-list 101 deny   ip any 10.0.0.0 0.255.255.255
!Permit the NAT any other time
access-list 101 permit ip any any

!Define the nat rule. Anything denied in ACL 101 will not qualify for NAT and therefore will pass through unaltered. Anything that is permitted by ACL 101 will be translated to the IP that exists on interface fa0/0
ip nat inside source list 101 interface fa0/0 overload

That's the basics of it. If you have multiple NAT statements, you may need to apply this ACL to every statement, or, all things depending, you may need to make use of route-maps that call on these ACLs.

If anything, post your scrubbed config and we can help get that hammered out.
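As an added example (not from rauenpc's replies or from Cisco), here is a small Python model of how IOS evaluates a numbered extended ACL when it is used as an `ip nat inside source list`: first match wins, a permit means translate, a deny (including the implicit deny at the end) means forward unaltered. It parses both ACL 102 from the first reply and ACL 101 from this one; the config text is constructed, only protocol `ip` entries are handled, and 203.0.113.10 (a documentation address) stands in for an internet host.

```python
import ipaddress

def _parse_addr(tokens):
    """Consume one IOS ACL address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns (base, wildcard) as ints; a wildcard bit of 1 means 'don't care'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(config_text, number):
    """Collect the ACEs of numbered extended ACL `number` in configured order.
    Only protocol 'ip' entries are handled, which is all a NAT source list needs."""
    aces = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[:2] != ["access-list", str(number)]:
            continue  # comments, blank lines, other ACLs
        if tokens[3] != "ip":
            continue  # port-specific tcp/udp/icmp entries are not modelled here
        action, rest = tokens[2], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        aces.append((action, src, dst))
    return aces

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # bits that must equal the base address
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def nat_applies(aces, src, dst):
    """First matching ACE wins. As a NAT source list: permit = translate,
    deny = pass unaltered; no match (implicit deny) also means no translation."""
    for action, s_spec, d_spec in aces:
        if _matches(src, s_spec) and _matches(dst, d_spec):
            return action == "permit"
    return False

# Constructed sample: ACL 102 from the first reply and ACL 101 from the later one.
SAMPLE_CONFIG = """
!ACL 102: exempt site-to-site traffic, translate the rest of one site subnet
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!ACL 101: exempt any RFC1918 destination, translate everything else
access-list 101 deny   ip any 192.168.0.0 0.0.255.255
access-list 101 deny   ip any 172.16.0.0 0.15.255.255
access-list 101 deny   ip any 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
"""
ACL_101 = parse_acl(SAMPLE_CONFIG, 101)
ACL_102 = parse_acl(SAMPLE_CONFIG, 102)
```

Running `nat_applies` over the two lists shows the practical difference: a host on a second internal subnet such as 192.168.3.x matches nothing in ACL 102 and would leave for the internet untranslated, while ACL 101 translates it and still exempts inter-site traffic.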