2nd DMZ and NAT config

johnnymac
Level 1

Hi,

I have two PIX 515e's that I want to add second DMZ interfaces on, in order to route internal LAN traffic to each site over a managed MPLS link. The sites currently use an L2L VPN.

I have attached the current configs. Can anyone let me know what NAT / access rules / routing I should configure?

thanks

J Mack

13 Replies

johnnymac
Level 1

Can anyone help with this? I'm starting to tear my hair out.

Thanks

J Mack

J Mack,

Try giving a more complete description of the problem. This may get you help faster.

I had already posted this, but again got no response.

I have two 515e's at different locations which are currently connected using an L2L VPN.

We have just had a managed BT MPLS link installed.

We gave BT our internal network ranges and they confirmed their side of the work has been completed.

what I want to do now is use the pix at either end to route and connect the internal networks.

So far I have managed to establish connectivity between the 515e's on their 192.168.1.0/24 and 192.168.3.0/24 networks, but I am not sure where to go from here.

I have posted the configs for both PIXes and would be really grateful if anyone could help.

Kind regards

J Mack

Hi,

I'd like to help you, but you need to be a lot more specific about what you want to do.

You say that BT is routing the internal network, but you also say you want to configure NAT? Which is it?

If you want to NAT, what addresses do you need to access from each location?

What do you want to permit?

The BTWAN has the same security level as the outside. Do you want traffic to flow freely between those interfaces?

Hi thanks,

We gave BT a list of our internal networks before they set up the MPLS. However, I thought I might have to NAT as I'm using PIXes instead of routers?

The internal addresses at each location are 192.168.96.0/21 and 1.0.84.0/24.

I don't need the BTWAN and outside to flow freely, as both sites have their own internet breakouts. However, I'd be interested to know if this is possible as a means of failover.

In short, what I want to achieve is to connect my internal LANs across the MPLS, using my 515s to route internal traffic to the BT routers.

Regards

John

You do not have to NAT unless you want to.

But in order to access a network from lower to higher security level you need a static and access-list statement.

If you do not want to NAT it is quite simple, just configure a static for the entire network:

static (inside,BTWAN) 1.0.84.0 1.0.84.0 netmask 255.255.255.0

You also need a route statement on each side, pointing to the BT router.

And finally you need an access-list to let traffic enter from BTWAN. Apply it to the BTWAN interface:

access-group acl_btwan in interface BTWAN

You can indeed use the WAN link as a backup for outbound internet traffic. If the primary gateway is down, that static route is removed and a static route to the BT network is installed in the routing table.

Here is the documentation for it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

You also have to configure NAT for the backup connection, something like global (BTWAN) 20 interface to let the internal network exit that way.

I hope this helps.
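As an added, worked version of the steps in the reply above (this is example configuration, not config from the original thread or its attachments), here are both PIX sides for the MPLS link in PIX 7.x syntax. The interface name BTWAN and the two LAN ranges come from the thread; the BTWAN link addressing (192.168.1.2/24 at the 1.0.84.0 site and 192.168.3.2/24 at the 192.168.96.0/21 site, BT routers at .1), the Ethernet2 slot, the outside gateway 203.0.113.1 and NAT id 1 are assumptions. It deliberately swaps the network-wide identity static for a destination-scoped NAT exemption (nat 0 access-list): a plain static (inside,BTWAN) matches every inside source leaving BTWAN regardless of destination, so internet-bound packets taking the backup path would leave un-PATed. The static from the reply is fine if the backup path is never used.

```cisco
! ===== Site A PIX: inside 1.0.84.0/24, BTWAN link 192.168.1.0/24 (assumed) =====
interface Ethernet2
 nameif BTWAN
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
! Routes to the remote LAN and the remote BTWAN link, via the local BT MPLS router
route BTWAN 192.168.96.0 255.255.248.0 192.168.1.1 1
route BTWAN 192.168.3.0 255.255.255.0 192.168.1.1 1
!
! No NAT for site-to-site traffic only (exemption is destination-scoped), so
! internet-bound traffic can still be PATed if it exits via BTWAN (see below)
access-list btwan_nonat extended permit ip 1.0.84.0 255.255.255.0 192.168.96.0 255.255.248.0
nat (inside) 0 access-list btwan_nonat
!
! Inbound policy on BTWAN: only the remote LAN, only to the local LAN.
! Narrow "ip" to the protocols/ports needed if the link is not a trusted LAN extension.
access-list acl_btwan extended permit ip 192.168.96.0 255.255.248.0 1.0.84.0 255.255.255.0
access-group acl_btwan in interface BTWAN
!
! Optional internet failover over the MPLS (PIX 7.2+ route tracking assumed).
! Probe the primary gateway; when it stops answering, the tracked default is
! withdrawn and the metric-254 default via the BT router takes over.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route BTWAN 0.0.0.0 0.0.0.0 192.168.1.1 254
! PAT to whichever interface the default route currently points at; the nat id
! on the global (BTWAN) line must match the existing nat (inside) id.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (BTWAN) 1 interface

! ===== Site B PIX: inside 192.168.96.0/21, BTWAN link 192.168.3.0/24 (assumed) =====
interface Ethernet2
 nameif BTWAN
 security-level 0
 ip address 192.168.3.2 255.255.255.0
route BTWAN 1.0.84.0 255.255.255.0 192.168.3.1 1
route BTWAN 192.168.1.0 255.255.255.0 192.168.3.1 1
access-list btwan_nonat extended permit ip 192.168.96.0 255.255.248.0 1.0.84.0 255.255.255.0
nat (inside) 0 access-list btwan_nonat
access-list acl_btwan extended permit ip 1.0.84.0 255.255.255.0 192.168.96.0 255.255.248.0
access-group acl_btwan in interface BTWAN
! Failover block as at site A, with the BT router 192.168.3.1 as the backup next hop
```

Two checks before relying on this: `show xlate` and `show conn` should show site-to-site flows with untranslated addresses, and `show route` should list the tracked default only while the probe succeeds. The failover leg also assumes BT will carry a default route (internet breakout) for the site; if BT only routes the internal ranges given to them, the backup default route installs but the traffic is dropped at the BT router.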

Hi,

That is very helpful,

Would something like this be appropriate for the ACL?

access-list acl_btwan permit ip 192.168.96.0 255.255.248.0 1.0.84.0 255.255.255.0

access-group acl_btwan in interface BTWAN

and for the second PIX

access-list acl_btwan permit ip 1.0.84.0 255.255.255.0 192.168.96.0 255.255.248.0

access-group acl_btwan in interface BTWAN

regards

John

Yes. But then you will permit everything between the networks.

It will, but it is all going to be part of the same domain. So this is really a LAN extension. Would you do this differently?

If the information that passes between the sites is very sensitive, I would use IPSec between the firewalls to encrypt everything over the provider network. Or I might use IPSec anyway actually, just in case :-)
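An added example of the IPSec suggestion above, not configuration from the thread: a LAN-to-LAN tunnel terminated on the BTWAN interfaces so the site traffic crosses the provider MPLS encrypted. PIX 7.2 syntax is assumed, as are the BTWAN link addresses (site A 192.168.1.2 behind BT router 192.168.1.1, site B 192.168.3.2), the names btwan_crypto, btwan_map and ESP-AES256-SHA, and the pre-shared key placeholder; the routing and no-NAT configuration for the link must already be in place so the LAN addresses reach the crypto ACL unchanged.

```cisco
! ===== Site A PIX: local LAN 1.0.84.0/24, peer is site B's BTWAN address =====
! Reach the peer's BTWAN subnet through the BT router (assumed addressing)
route BTWAN 192.168.3.0 255.255.255.0 192.168.1.1 1
!
! Only LAN-to-LAN traffic is encrypted; everything else leaving BTWAN is plain
access-list btwan_crypto extended permit ip 1.0.84.0 255.255.255.0 192.168.96.0 255.255.248.0
!
! Phase 1 (IKE): pre-shared key, AES-256, SHA-1, DH group 2
crypto isakmp enable BTWAN
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 (IPSec) with PFS so a leaked IKE key does not expose past sessions
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map btwan_map 10 match address btwan_crypto
crypto map btwan_map 10 set peer 192.168.3.2
crypto map btwan_map 10 set transform-set ESP-AES256-SHA
crypto map btwan_map 10 set pfs group2
crypto map btwan_map interface BTWAN
!
! Peer identity and key; use a long random secret, unique to this site pair
tunnel-group 192.168.3.2 type ipsec-l2l
tunnel-group 192.168.3.2 ipsec-attributes
 pre-shared-key <long-random-secret-for-this-site-pair>
!
! Default on 7.x: decrypted traffic bypasses the BTWAN interface ACL.
! Use "no sysopt connection permit-vpn" and keep acl_btwan if the ACL should
! still filter traffic after decryption.
sysopt connection permit-vpn

! ===== Site B PIX: mirror with addresses swapped =====
route BTWAN 192.168.1.0 255.255.255.0 192.168.3.1 1
access-list btwan_crypto extended permit ip 192.168.96.0 255.255.248.0 1.0.84.0 255.255.255.0
crypto isakmp enable BTWAN
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map btwan_map 10 match address btwan_crypto
crypto map btwan_map 10 set peer 192.168.1.2
crypto map btwan_map 10 set transform-set ESP-AES256-SHA
crypto map btwan_map 10 set pfs group2
crypto map btwan_map interface BTWAN
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 pre-shared-key <same-secret-as-site-A>
! isakmp policy 10 identical to site A
```

After both sides are in, `show crypto isakmp sa` should show one peer in state MM_ACTIVE and `show crypto ipsec sa` should show encaps/decaps counters rising while a host at one site pings the other. Because the crypto ACL is the LAN pair only, the internet-failover path over BTWAN (if configured) stays in the clear, which is what you want since that traffic is already leaving your network.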

OK thanks, I'll look into that.

Just one more question: after adding the static command I can now ping 192.168.3.2 from a node on the 1.0.84.0 network, however I cannot ping the BT router interface, 192.168.3.1 (this is pingable from the PIX). Does that seem correct to you?

thanks

J Mack

Then it does not look like the BT router knows about the 1.0.84.0 network, which it probably should. And you can't reach the remote network either?

mightymouse2045
Level 1

Hi ya,

What are your core switches at both sites? Do you have 3550s at both sites? If so, I wouldn't be terminating the MPLS onto the PIXes; you can terminate it directly onto the core switch (if you have layer 3 switches) using GRE tunnels. This will be much simpler and give faster throughput.

Terminating it directly onto the PIX will make it a nightmare to set up redundancy for your internet link, depending on how your clients currently get out to the internet. Are you using proxies in each location sitting in the DMZ, or do clients route straight out to the internet?

Let me know what switches you have, as it may be a better solution for you. Also, PIXes are really shite at routing; anything complex and it gets pretty ugly.

MM
