How to merger MPLS VPN to IPSec VPN

garilynni
Level 1

My question is how to merge a new site which is MPLS VPN into existing WAN of 30 sites that are all linked with PIX IPSec tunnels.

This new SiteC needs to use an application server on SiteB and get to a mail server on SiteA. Internet traffic initiated from new SiteC needs to go via SiteB PIX.

Please see attached document.

Thanks

8 Replies

Giuseppe Larosa
Hall of Fame

hello Gari,

you need to modify the IPsec configuration between siteA and siteB so that traffic coming from siteC's IP subnets is also encrypted.

You need to modify some ACLs keeping their mirrored structure.

You may need to modify other ACLs applied to interfaces on routers and PIXs as needed.

Some static routes will be added too for the siteC's subnets to make them known on site A and site B devices.

siteB exit point to siteC is the router with next-hop 10.3.1.50.

Depending on the type of interaction with the MPLS VPN service provider, you also need to advertise from siteB's CE all the siteA and siteB IP subnets of interest: the SP will propagate this info to siteC as needed (or just a default route can be enough).

Hope to help

Giuseppe

garilynni
Level 1

Hi Giuseppe,

Thank you for your reply but I am still unsure where to begin. Can you provide some examples of the lines to add and/or modify in the SiteA PIX and SiteB PIX? Below are the current lines for the links between SiteA and SiteB. I added a line in the SiteB PIX but am not sure if you can have two different internal IP subnets using the same Global IP address? Also, SiteB hosts are currently set for default gateway 10.3.1.1, which is the e1 interface on the PIX; would I need to install an internal router for the default gateway and assign it 10.3.1.1, change the e1 interface to something like 10.3.1.254, and then add static routes?

ip route 0.0.0.0 0.0.0.0 10.3.1.254 [to traffic to SiteB Pix]

ip route 10.3.2.0 255.255.255.0 10.3.1.50 [to route traffic going to Site C via CE router]

Can you explain more or give an example of what you said about advertising from SiteB's CE the subnets for SiteA 10.100.0.0 & SiteB 10.3.1.0? What would be a clear explanation to the ISP to set this up in their CE router, as they manage both CEs, or is there another way without having to deal with the ISP?

[ SiteA PIX]

access-list NoNat permit ip 10.100.0.0 255.255.0.0 10.3.1.0 255.255.255.0

access-list SiteB permit ip 10.100.0.0 255.255.0.0 10.3.1.0 255.255.255.0

crypto map MyIPSECVPN 35 ipsec-isakmp

crypto map MyIPSECVPN 35 match address SiteB

crypto map MyIPSECVPN 35 set peer xxx.xxx.95.50

crypto map MyIPSECVPN 35 set transform-set strong

isakmp key ******** address xxx.xxx.95.50 netmask 255.255.255.255

[ SiteB PIX]

access-list NoNat permit ip 10.3.1.0 255.255.255.0 10.100.0.0 255.255.0.0

access-list SiteA permit ip 10.3.1.0 255.255.255.0 10.100.0.0 255.255.0.0

crypto map MyIPSECVPN 9 ipsec-isakmp

crypto map MyIPSECVPN 9 match address SiteA

crypto map MyIPSECVPN 9 set peer xxx.xxx.66.2

crypto map MyIPSECVPN 9 set transform-set strong

isakmp key ******** address xxx.xxx.66.2 netmask 255.255.255.255

[ add to SiteB PIX - traffic coming from SiteC ip subnet will be encrypted going to SiteA]

access-list NoNat permit ip 10.3.2.0 255.255.255.0 10.100.0.0 255.255.0.0

access-list SiteA permit ip 10.3.2.0 255.255.255.0 10.100.0.0 255.255.0.0

crypto map MyIPSECVPN 10 ipsec-isakmp

crypto map MyIPSECVPN 10 match address SiteA

crypto map MyIPSECVPN 10 set peer xxx.xxx.66.2

crypto map MyIPSECVPN 10 set transform-set strong

isakmp key ******** address xxx.xxx.66.2 netmask 255.255.255.255

[ add to SiteB PIX - route traffic going to SiteC]

Route inside 10.3.2.0 255.255.255.0 10.3.1.50

Hello Gary,

I'm not an expert of PIX configuration, however some concepts are independent of the type of device you use.

You have this scenario

SiteA --- IPsec/internet --- SiteB __ SiteB_CE ++++ MPLS ++++ SiteC_CE

So:

from the point of view of SiteA it looks as if SiteB has added some IP subnets, just as if one or more new VLANs and their IP subnets had been added at siteB

the new network is SiteC LAN segment

10.3.2.0/24

so now you need to permit ipsec traffic between

siteA to siteB

siteA to siteC

you should add

access-list NoNat permit ip 10.100.0.0 255.255.0.0 10.3.2.0 255.255.255.0

access-list SiteB permit ip 10.100.0.0 255.255.0.0 10.3.2.0 255.255.255.0

B) site B

double role

B.1 ipsec

from ipsec point of view a new ip subnet has been added to site B

this part is already clear to you as you stated you add a line to each ACL.

B.2 routing PIX to SiteB_CE

fine

Route inside 10.3.2.0 255.255.255.0 10.3.1.50

B.3 site B CE routing

you can point directly to the SiteB PIX inside interface using 10.3.1.1 as next-hop; they are in the same IP subnet, so there is no need for another device or IP address

SiteB_CE

ip route 10.100.0.0 255.255.0.0 10.3.1.1

then depending on the type of service

I suppose you got a L3 VPN service with CE managed by ISP

let's suppose they use BGP

router bgp 650xx

neigh PE_B remote-as isp-AS-number

network 10.100.0.0 mask 255.255.0.0

network 10.3.1.0 mask 255.255.255.0

no auto-summary

no sync

!

3) site C

just BGP

router bgp 650xx

neigh PE_C remote-as isp-AS-number

network 10.3.2.0 mask 255.255.255.0

no auto-summary

no sync

!

This is just an example.

Ask the ISP people to have the subnets of interest advertised over the MPLS VPN.

This has to be done on the CE routers; I don't see any other way.

Hope to help

Giuseppe

Hello Giuseppe,

I had to put this issue on hold for a while and am now getting back to it. I wanted to give you an update on my progress from the last instructions you gave me. I had to put an internal router at SITE-B because adding the line in the SITE-B PIX (route inside 10.3.2.0 255.255.255.0 10.3.1.50) still had unsuccessful results when pinging 10.3.2.50 from a PC on the 10.3.1.0 subnet. It did work if pinging from the PIX because I guess the traffic was originating from the PIX and it routed to the 3Com router at SITE-B 10.3.1.50 and then on to the 10.3.2.50 3Com router at SITE-C.

On SITE-B Pix I changed the inside interface to 10.3.1.49 which was 10.3.1.1 and added following line to route to internal LAN router.

route inside 10.3.2.0 255.255.255.0 10.3.1.1 1

What I have now on the internal LAN router is the following

ip route 0.0.0.0 0.0.0.0 10.3.1.49

ip route 10.3.2.0 255.255.255.0 10.3.1.50

I now can ping SITE-C from SITE-B and was able to RDP remote connect to PC at SITE-C and ping successful back to SITE-B.

Other items yet to be worked out:

1. From SITE-A to be able to ping SITE-C

2. From SITE-C to be able to get to internet using SITE-B as the internet gateway.

3. From SITE-C to be able to get to SITE-A mailserver.

The ISP has finally added a static route in the SITE-B CE router; I wasn't sure whether to use the SITE-B internal router 10.3.1.1 or the PIX 10.3.1.49? I can't test this until a PC gets hooked back up to the SITE-C CE router, hopefully next week. I was able to get partial configurations from the ISP on both 3Com routers, model 5012; please see attached.

I think you instructed to also add to the SITE-B CE router a static route 10.100.0.0 255.255.0.0 10.3.1.1 which at that time was the inside interface of the SITE-B PIX but is now the SITE-B internal LAN router. So I just had them add in a static route 0.0.0.0 0.0.0.0 10.3.1.1

(Continued on next Post)

(Continued from previous post)

Can you clarify again your last comment "have subnets of interest advertised over the MPLS VPN"? I ask this because SITE-C and SITE-B will be the only locations on the cloud. I know this sounds strange. Below are the current lines on the tunnel in the SITE-A PIX

access-list NoNat permit ip 10.100.0.0 255.255.0.0 10.3.1.0 255.255.255.0

access-list SITE-B permit ip 10.100.0.0 255.255.0.0 10.3.1.0 255.255.255.0

crypto map MyIPSECVPN 35 ipsec-isakmp

crypto map MyIPSECVPN 35 match address SITE-B

crypto map MyIPSECVPN 35 set peer xxx.xxx.95.50

crypto map MyIPSECVPN 35 set transform-set strong

isakmp key ******** address 200.198.95.50 netmask 255.255.255.255 (I assume this would apply to the second set of crypto lines for the second tunnel since both tunnels would use same public IP address)

Because I already have the above lines for the original tunnel going to SITE-B, when I attempt to enter the access-list lines below for the new subnet 10.3.2.0 I get the error "ACE not added. Possible duplicate entry"

access-list NoNat permit ip 10.100.0.0 255.255.0.0 10.3.2.0 255.255.255.0 (this goes in fine)

access-list SITE-B permit ip 10.100.0.0 255.255.0.0 10.3.2.0 255.255.255.0 (this one I get error)

Then I tried the lines below, with unsuccessful results: the tunnel doesn't come up. I don't understand how this could work because the original tunnel is built using a public IP address associated with the 10.3.1.0 subnet on the SITE-B PIX, and I'm attempting to get a second tunnel going between both PIXs for the 10.3.2.0 traffic.

access-list NoNat permit ip 10.100.0.0 255.255.0.0 10.3.2.0 255.255.255.0

access-list SITE-BB permit ip 10.100.0.0 255.255.0.0 10.3.2.0 255.255.255.0

crypto map MyIPSECVPN 36 ipsec-isakmp

crypto map MyIPSECVPN 36 match address SITE-BB

crypto map MyIPSECVPN 36 set peer xxx.xxx.95.50

crypto map MyIPSECVPN 36 set transform-set strong

I have been unsuccessful trying to ping SITE-C from either the router itself or a client after adding these lines, and when I do a sh cry ipsec sa I don't see a tunnel for 10.3.2.0. This has been the most difficult to understand. Another way to look at this is that I now have 2 LANs that I want to both go out the one external interface. I have heard of a method, but am not sure if it would fit my situation, where the PIX can be configured with nat/global pairs or statics or nat 0's between the inside and outside interface. If this is something you are familiar with, this may be the way to do it…..possibly?

I have attached an updated drawing. Thank you so far for the help, and I hope you or someone else on your team has seen this scenario before who can offer any assistance. Thanks again

Can anyone tell me if what I am trying to do is possible or can recommend another solution?

Hello Gari,

sorry

I've missed your follow-up on this interesting issue.

I have to read carefully your last updates.

In any case:

you don't need to build a second IPsec tunnel between siteA and siteB

A single tunnel for both LANs is what is needed

it is possible that some static or nat commands are needed on the pix.

The suggestion is to look at the current working configuration.

What commands are on siteA pix for net 10.3.1.0/24 ?

Whatever commands are present in addition to static routes need to be replicated for net 10.3.2.0/24

Note: I'll try to look at the siteA pix config if present in the first posts

Edit:

I see that the complete config of pix of siteA is not reported however the way to go is the one described above:

use

sh run | inc 10.3.1.0 to see all occurrences of this string in the pix config

copy everything to a text editor.

create equivalent lines for 10.3.2.0/24

Edit2:

The ACL issue is odd; it should accept additional lines (there are some exceptions for routers when isakmp is not used), but in some specific cases the ACL has to be single-line.

if there is a limitation of a single line ACL you can overcome this by using a larger mask.

you can try to match with 10.3.0.0 255.255.252.0.

Adapt this on siteB mirror ACL as needed.

Hope to help

Giuseppe
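Giuseppe's advice above boils down to three checks: keep each crypto ACL mirrored on the peer PIX, derive the 10.3.2.0/24 lines from every occurrence of 10.3.1.0/24 (his `sh run | inc` step), and verify that a wider summary mask such as 10.3.0.0 255.255.252.0 really covers both LANs. The following Python helper is an added example, not code from the thread or from Cisco; it runs those checks offline on constructed config fragments modelled on the SiteA/SiteB lines quoted earlier, and the function names are assumptions.

```python
import re
import ipaddress

# Constructed sample fragments modelled on the SiteA/SiteB lines quoted in the thread.
# SiteB already carries the new 10.3.2.0/24 entry in its crypto ACL; SiteA does not yet.
SITE_A = """\
access-list NoNat permit ip 10.100.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list SiteB permit ip 10.100.0.0 255.255.0.0 10.3.1.0 255.255.255.0
crypto map MyIPSECVPN 35 match address SiteB
"""
SITE_B = """\
access-list NoNat permit ip 10.3.1.0 255.255.255.0 10.100.0.0 255.255.0.0
access-list SiteA permit ip 10.3.1.0 255.255.255.0 10.100.0.0 255.255.0.0
access-list SiteA permit ip 10.3.2.0 255.255.255.0 10.100.0.0 255.255.0.0
crypto map MyIPSECVPN 9 match address SiteA
"""

ACE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_aces(config):
    """Map ACL name -> set of (src, smask, dst, dmask) taken from 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m:
            name, *fields = m.groups()
            acls.setdefault(name, set()).add(tuple(fields))
    return acls

def unmirrored(local_aces, remote_aces):
    """Local entries whose src/dst-swapped twin is missing on the peer (traffic the peer won't match)."""
    return sorted(e for e in local_aces if (e[2], e[3], e[0], e[1]) not in remote_aces)

def lines_for_new_subnet(config, old_net, old_mask, new_net, new_mask):
    """Like 'sh run | inc <old subnet>', then rewrite each hit for the new subnet."""
    old, new = f"{old_net} {old_mask}", f"{new_net} {new_mask}"
    return [line.replace(old, new) for line in config.splitlines() if old in line]

def summary_covers(net, mask, *subnets):
    """True if the single network net/mask (e.g. 10.3.0.0 255.255.252.0) contains every subnet."""
    summary = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return all(ipaddress.ip_network(s, strict=False).subnet_of(summary) for s in subnets)

if __name__ == "__main__":
    a, b = parse_aces(SITE_A), parse_aces(SITE_B)
    print("missing on SiteA:", unmirrored(b["SiteA"], a["SiteB"]))
    print(*lines_for_new_subnet(SITE_A, "10.3.1.0", "255.255.255.0", "10.3.2.0", "255.255.255.0"), sep="\n")
    print("summary covers both LANs:", summary_covers("10.3.0.0", "255.255.252.0", "10.3.1.0/24", "10.3.2.0/24"))
```

The unmirrored entry it reports is exactly the SiteA-side line that is still missing, and the generated lines are what the `sh run | inc` step would have you type.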

Mohamed Sobair
Level 7

Hi,

On Site A's PIX, you should allow access to the mail server from the outside on ports 25 and 110.

You will also need to create a VPN client with Easy VPN and configure "split tunneling" from the routers on Site C toward the Site B PIX. The split tunneling config would allow the VPN client to gain access to the internet through the same incoming interface as the VPN connection.

HTH

Mohamed
