MPLS router with firewall

Aug 12th, 2010

Can I set up my network such that I place a Cisco ASA firewall between my MPLS router and Cisco switch?


+-------------+       +--------------+       +--------+       +-------+
| MPLS Router | ----- | ASA Firewall | ----- | Switch | ----- | VLANs |
+-------------+       +--------------+       +--------+       +-------+

Giuseppe Larosa Fri, 08/13/2010 - 03:34

Hello Yeow,


This is possible; depending on whether MDIX is supported, you may need a cross-over cable between the ASA and the MPLS router.


Hope to help

Giuseppe

yeow_km Fri, 08/13/2010 - 05:14

The ASA I'm referring to is a 5510. Which mode should I configure for the ASA: is routed or transparent mode recommended?

The MPLS router connects to other remote offices in the WAN.

Nagaraja Thanthry Fri, 08/13/2010 - 07:09

Hello,


ASA cannot participate in MPLS label exchange. In routed mode, that will result in breaking your MPLS communication. So, transparent mode would be better.


Hope this helps.


Regards,


NT

yeow_km Fri, 08/13/2010 - 07:22

Can the ASA do NAT in the environment as mentioned?

The MPLS router is already in a private IP segment and the switch is on another, different private IP segment.

Nagaraja Thanthry Fri, 08/13/2010 - 07:34

Hello,


In transparent mode, ASA cannot do NAT (in the latest version it supports NAT to its own IP) and is not recommended.


Regards,


NT

Chetan Kumar Ress Fri, 08/13/2010 - 10:56

Hi


As per your scenario, it looks like an enterprise network, so you won't require MPLS label propagation in your internal network.


If possible, can you clarify whether you want to propagate MPLS labels in your internal network, whether you run MPLS on your routers and switches, or whether you only have an MPLS link from your SP?


And if you don't require MPLS label propagation, or you have not configured MPLS in the internal network, then you can configure the ASA in routed mode and use all the features that you require.





Regards

Chetan Kumar

http://chetanress.blogspot.com

Giuseppe Larosa Sun, 08/15/2010 - 07:13

Hello Yeow,

If your site is a customer site of an L3 VPN, you can use the ASA in routed mode; this will allow you to interconnect the MPLS routers on the outside and the internal L3 switches on the "inside".


You probably just need to route between ASA interfaces, unless you have address overlapping with other sites or with the IP subnet used with the MPLS service provider.


Hope to help

Giuseppe
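
The routed-mode placement described in the reply above, sketched as an ASA configuration. This is an added example, not part of the original thread; the interface numbers, addresses, subnets and the ACL name OUTSIDE_IN are all assumptions chosen for illustration.

```cisco
! Constructed example: ASA 5510 in routed mode (the default firewall mode),
! sitting between the MPLS CE router (outside) and the L3 switch (inside).
! Every address and name below is an assumption, not taken from the thread.
!
interface Ethernet0/0
 description Link to MPLS router
 nameif outside
 security-level 0
 ip address 10.255.0.2 255.255.255.252
 no shutdown
!
interface Ethernet0/1
 description Link to L3 switch
 nameif inside
 security-level 100
 ip address 10.10.255.1 255.255.255.252
 no shutdown
!
! Remote offices are reached through the MPLS router.
route outside 10.20.0.0 255.255.0.0 10.255.0.1
! Local VLAN subnets are reached through the L3 switch.
route inside 10.10.0.0 255.255.0.0 10.10.255.2
!
! Inside-to-outside traffic is allowed by the security levels.
! Outside-to-inside traffic needs an explicit permit; anything not
! matched here is dropped by the implicit deny at the end of the ACL.
access-list OUTSIDE_IN extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-group OUTSIDE_IN in interface outside
!
! No NAT statements are configured: both sides use non-overlapping
! private ranges, so traffic is simply routed between the interfaces.
! On releases that have the nat-control command, this assumes it is disabled.
```

If a local subnet overlaps with another site or with the provider's link subnet, this plain routing is no longer enough and NAT on the ASA comes back into the picture.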
