Typical CE Cisco router setup with MPLS/direct connection with two sites?

Wanted to see if I'm climbing the wrong tree or not -

Have a new MPLS setup going in place with a direct connection between two sites and both sites having internet - the ISP is providing an Ethernet hand-off with Adtran routers.

I have the task of configuring the CE (customer) router (Cisco) at both locations - with the config I believe it may just be a matter of ACLs and possibly NAT/PAT.

Is there more possibly to it - am I missing anything?
Would anyone know of an example config for Cisco?

I assume you mean to say that both sites will have a separate internet connection, but by chance did you mean that internet will be provided via MPLS?

The difference in configuration is pretty minimal, but you are correct that each router will need some routing configuration done for internal traffic, and then configuration for the NAT/Firewall portion of the config.

Most times I configure MPLS, I use BGP with the ISP, but if you only have two sites and don't plan to expand you could potentially go with static routing.

Config snippets, assuming you'll have a separate interface for internet

!IOS Firewall
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw esmtp timeout 3600

!outside interface
interface FastEthernet1
 description $ETH-WAN$
 ip address
!define ACL that allows inbound traffic such as ICMP, HTTPS, SMTP, etc. 
 ip access-group 110 in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 load-interval 30
 no cdp enable

access-list 110 permit icmp any any administratively-prohibited
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any traceroute
access-list 110 permit icmp any any unreachable
access-list 110 permit tcp any eq 25
access-list 110 permit tcp any eq 443
access-list 110 deny   ip any any log

!internet default route
ip route

!outbound nat
ip nat inside source list 102 interface FastEthernet1 overload

!first deny internal traffic (from being NAT'd) when destined for internal addresses
!This stops traffic going between the sites from being NAT'd which would cause a problem
access-list 102 deny   ip
access-list 102 permit ip any

!MPLS, assuming you'll go with BGP

interface fa0
ip address

router bgp 65501
no sync
net mask
neighbor remote-as 4072


This is pretty quick and generic, so there may be many changes needed to make your situation work, but most of those changes will be things specific to you - such as IP addresses.

AMtek (Author) commented:
Each site is supposed to have its own separate internet connection from the same provider with a direct link (MPLS) between the sites.

Previously there was a separate ISP for each site and they were connected with an IPSec VPN.

So there is NAT/PAT already on each config for the internal network's routers (Cisco) along with an ACL for the IPSec - just wondering if/how much the configs might change with this setup.
Basically, all the configuration related to internet connectivity should remain the same, except any required changes like public IP, gateway, etc. if the ISP is changing. What will change is that you can remove the VPN configuration (assuming no other vpn configuration is needed for things like client vpn), and you will either run static routing or BGP on the MPLS-connected interface. Internet traffic will use the static default route to get to the outside world, and BGP/static routes will point to the subnets that exist internally between the sites. Just make sure that on the interface that connects to MPLS, don't enable nat otherwise things could get goofy or plainly not work.
AMtek (Author) commented:
ty, so the ISP installed their own routers, they said I didn't have to do anything with configs except for the external IP and a single static route for internet - they took my info for subnets in both sites and put info in their routers to broadcast.

So my question now is related to NAT/PAT - since the internet/direct link (MPLS) is over the same cable, how would I set up NAT/PAT?
I have several servers with static NAT configured in one site, then an overload statement for each subnet.

Again, each site has internet. Thanks.
If you get internet and MPLS on the same physical link, and this is with no logical separation using VLANs/tags, this can still be done, but it is just slightly more complicated... at first. Once you see it working, then it makes total sense.

You will need to make use of an extended ACL for this to work.

The access-list will first deny traffic that you DON'T want to be Nat'd, then it will permit all other traffic to be NAT'd. The example below is very broad. You can certainly reduce the private addresses to just those that exist within your organization.

!Deny NAT anytime the destination is a private IP address (RFC1918)
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip any
!Permit the NAT any other time
access-list 101 permit ip any any

!Define the nat rule. Anything denied in ACL 101 will not qualify for NAT and therefore will pass through unaltered. Anything that is permitted by ACL 101 will be translated to the IP that exists on interface fa0/0
ip nat inside source list 101 interface fa0/0 overload


That's the basics of it. If you have multiple NAT statements, you may need to apply this ACL to every statement, or, all things depending, you may need to make use of route-maps that call on these ACLs.

If anything, post your scrubbed config and we can help get that hammered out.
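The NAT-exemption logic from both answers above (ACL 102 in the first, ACL 101 in the second), modelled as an added example that is not part of the thread: a small first-match evaluator for IOS-style extended ACL lines, run against a constructed NAT list. The RFC 1918 ranges are standard; the host addresses, site subnets and the documentation-range internet address are placeholders. It goes beyond the thread by also showing what happens when the deny lines are left out, which is the site-to-site breakage the first answer warns about.

```python
"""Model of how IOS evaluates an 'ip nat inside source list' ACL.

Constructed example, not from the thread. It parses lines of the form
  access-list N {permit|deny} ip SRC DST
where SRC/DST is 'any' or 'address wildcard', and reports whether a flow
would be translated (permit) or passed through unaltered (deny).
"""
import ipaddress

# Constructed NAT list from the second answer: exempt every RFC 1918
# destination, translate everything else.
NAT_ACL = """
access-list 101 deny   ip any 10.0.0.0 0.255.255.255
access-list 101 deny   ip any 172.16.0.0 0.15.255.255
access-list 101 deny   ip any 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
"""

# Narrower form from the first answer: exempt only local-site -> remote-site.
# Site subnets are placeholders (local 10.1.0.0/16, remote 10.2.0.0/16).
NARROW_NAT_ACL = """
access-list 102 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 102 permit ip 10.1.0.0 0.0.255.255 any
"""

# The failure mode: no deny line at all, so inter-site traffic is NAT'd too.
BROKEN_NAT_ACL = """
access-list 103 permit ip any any
"""


def _parse_match(tokens):
    """Consume one source/destination spec. Returns (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard: 0 bits must match, 1 bits are ignored. Invert to a netmask.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text, number):
    """Return the ordered rules of access-list <number> as (action, proto, src, dst)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto = tokens[2], tokens[3]
        src, rest = _parse_match(tokens[4:])
        dst, _ = _parse_match(rest)
        rules.append((action, proto, src, dst))
    return rules


def acl_action(rules, src_ip, dst_ip):
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src, dst in rules:
        if s in src and d in dst:
            return action
    return "deny"


def nat_decision(rules, src_ip, dst_ip):
    """For a NAT list, permit means translate and deny means leave untouched."""
    return "translated" if acl_action(rules, src_ip, dst_ip) == "permit" else "untranslated"


if __name__ == "__main__":
    # 198.51.100.20 is a documentation-range stand-in for an internet host.
    flows = [("10.1.1.10", "198.51.100.20"), ("10.1.1.10", "10.2.1.10")]
    for name, text, number in [("RFC1918 exempt", NAT_ACL, 101),
                               ("narrow exempt", NARROW_NAT_ACL, 102),
                               ("no exempt", BROKEN_NAT_ACL, 103)]:
        rules = parse_acl(text, number)
        for src, dst in flows:
            print(f"{name:15} {src} -> {dst}: {nat_decision(rules, src, dst)}")
```

The "no exempt" list translates the inter-site flow to the outside interface address, so the remote site sees the router's public IP instead of the source host and return traffic never reaches the MPLS path; that is why both answers put the deny lines first.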