MPLS and VPN

matthew-ramsey
Level 1

Okay, so I'm new to this wonderful world of MPLS. I have just set up my first remote site and the head end. All of the traffic on the internal networks 172.27.1.0/24 and 172.27.27.2.0/24 works fine and they talk. I have a Pix ASA 5510 which has a VPN to a remote network, let's say 192.168.1.0/24. I want the traffic from my remote MPLS network 172.27.30.0/24 to be able to talk with this network also. Is there any big magic I need to perform? I have a route to the network in my local switch. I have allowed the .30 network to talk to the 192.168.0.0/24 network via the VPN configuration. Still no joy.

1 Accepted Solution

Jon Marshall
Hall of Fame

Matthew

So you have a WAN router at HQ that connects to the MPLS network, and also at HQ you have a firewall that connects via VPN to a remote network?

If so, and you want your remote MPLS site to be able to communicate via VPN to the remote network, then this has nothing to do with MPLS as such.

Have you added the remote site network to your VPN crypto map ACL?

Have you allowed the remote site traffic to use the VPN?

Same question about NAT on the firewall?

Jon


Correct, I have a WAN router at HQ and an ASA 5510 firewall for internet and VPNs to several remote locations. The default gateway for my MPLS is a layer 3 switch however. This layer 3 switch has a default route to the firewall for everything it doesn't know about. I put the ACL in my ASA 5510 and put it into my Pix 515e on the other end of the remote site. I did a traceroute and I see it hit the following:

  1. MPLS router at site
  2. MPLS network entry
  3. MPLS network exit
  4. Core 3560 layer three switch for easy 172.27.1.5
  5. Times out on the next hop, which is 172.27.1.3, for both internet and trying to talk to the remote VPN.

It looks like the ASA is not allowing any traffic from my new subnet.

Matthew

Hi,

Better, can you paste your topology diagram? It will give a better understanding of your network and can give the solution.

regards

karuppu

Okay, part of it is resolved. I found that I hadn't allowed the 172.27.30.0/24 network to be NAT'ed for internet... Still working on the remote VPN connectivity.

Alright, let me first state I do not like the graphical interface.

Half the changes I committed through the interface did not take. After going into the command line on my ASA I found that the crypto maps hadn't updated to allow the 172.27.30.0/24 network. Also noticed that even though I had added the 172.27.30.0/24 network to the NAT networks for internet, it had not decided it wanted to commit to that one either. SSH worked wonderfully.

Matthew
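For anyone landing on this thread later, here is what Jon's three checks (crypto map ACL, NAT, and the route back to the MPLS subnet) look like on the HQ ASA in pre-8.3 CLI syntax, together with the internet PAT line Matthew found the GUI had not committed. This is an added illustration, not Matthew's or Jon's configuration: the names OUTSIDE_MAP, VPN_TO_REMOTE and NONAT, the interface nameifs, and the 3560 next hop of 172.27.1.5 are assumptions based on the addresses quoted in the thread.

```cisco
! Added example (not from this thread). HQ ASA 5510, pre-8.3 NAT syntax,
! the same era as the Pix 515e at the far end. OUTSIDE_MAP, VPN_TO_REMOTE,
! NONAT and the inside/outside nameifs are assumed names.

! 1. Crypto ACL: every local subnet that may ride the tunnel needs its own
!    line. 172.27.30.0/24 (the MPLS site) is the one that was missing.
access-list VPN_TO_REMOTE extended permit ip 172.27.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN_TO_REMOTE extended permit ip 172.27.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE

! 2. NAT exemption: traffic bound for the VPN must not be PAT'ed to the
!    outside address, or it never matches the crypto ACL. Mirror the pairs.
access-list NONAT extended permit ip 172.27.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 172.27.30.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. Ordinary internet PAT for the new subnet, which is what fixed
!    Matthew's internet access.
nat (inside) 1 172.27.30.0 255.255.255.0
global (outside) 1 interface

! 4. Return route: the ASA must send 172.27.30.0/24 back to the 3560
!    (assumed 172.27.1.5) instead of out its default route.
route inside 172.27.30.0 255.255.255.0 172.27.1.5

! 5. Verify from the CLI rather than trusting what the GUI displays:
! show run access-list VPN_TO_REMOTE
! show run nat
! show crypto ipsec sa peer <remote-peer-ip>   (expect an SA for 172.27.30.0)
```

The Pix 515e at the remote end needs the mirror image of steps 1 and 2 (192.168.1.0/24 to 172.27.30.0/24 in both its crypto ACL and its NAT exemption); if the two ends' proxy identities don't match line for line, phase 2 fails for that pair while the existing 172.27.1.0/24 tunnel keeps working, which is exactly the symptom in this thread. As Matthew found, `show run` on the box is the ground truth after any GUI change.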

I'm not a fan of the graphical interface for the Cisco firewalls either. I have been burnt before where I thought it was doing something only to find it doing something else. That's why I stick to the CLI.

Glad you got it sorted.

Jon
