Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
737
Views
0
Helpful
1
Replies

ASA and MPLS

rywatters
Level 1
Level 1

‎04-16-2009 10:30 AM - edited ‎03-11-2019 08:19 AM

I have a remote location that my Corporate office connects to through an IPSec tunnel at the moment. We've decided to upgrade and get an MPLS tunnel between our two locations. Every time I try to force traffic from one location to another, something is dropping packets out and killing the traffic.

Corporate office runs in a Class C subnet in the vein of 10.9.6.x and the remote office is in a Class C subnet in the vein of 10.5.6.x. So, for example, I have the MPLS routers connected by two interfaces: their serial link that goes to the MPLS network, and their FastEthernet ports are connected to the local subnets at 10.9.6.9 and 10.5.6.9, respectively. I take down the IPSec tunnel and put in routes to go from one subnet to the other on the ASAs at each location which are configured as the default gateways for each location. I can ping from 10.9.6.9 to 10.5.6.9 and vice versa, but when I try to ping from 10.9.6.9 to 10.5.6.100 it fails.

Both ASAs have routes set up kind of like below:

Corp

route inside 10.5.6.0 255.255.255.0 67.128.216.245

route inside 67.128.216.244 255.255.255.252 10.9.6.9

Remote

route inside 10.9.6.0 255.255.255.0 67.149.140.241

route inside 67.128.216.240 255.255.255.252 10.5.6.9

Like I've said, I can ping from 10.9.6.9 to 10.5.6.9 without a problem. When I try to ping to another host on the other subnet, I lose the traffic. Now, on my syslog messages I saw that it couldn't find a translation group for the reply back message when I sent a ping, so I put in a NAT exemption for the replies but then they just never show up at the other end.

For clarification, please ask any questions. I'm just trying to see if what I'm trying to work with is even possible.

Labels:
0 Helpful
1 Reply 1

Collin Clark
VIP Alumni
VIP Alumni

‎04-16-2009 10:51 AM

Ryan-

What you want to do is possible. A quick question first. Are you running a routing protocol on your network? If yes, are you adverse to running it on your ASA (assuming it supports it)?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card