MPLS router with firewall

Unanswered Question
Aug 12th, 2010

Can I set up my network such that I place a Cisco ASA firewall between my MPLS router and Cisco switch?

+-------------+     +--------------+     +--------+     +-------+
| MPLS Router |-----| ASA Firewall |-----| Switch |-----| VLANs |
+-------------+     +--------------+     +--------+     +-------+

Giuseppe Larosa Fri, 08/13/2010 - 03:34

Hello Yeow,

This is possible. Depending on whether MDIX is supported or not, you may need a cross-over cable between the ASA and the MPLS router.

Hope to help


yeow_km Fri, 08/13/2010 - 05:14

The ASA I'm referring to is a 5510. What mode do I configure for the ASA? Is routed or transparent mode recommended?

The MPLS router is connecting to other remote offices in the WAN.

Nagaraja Thanthry Fri, 08/13/2010 - 07:09


ASA cannot participate in MPLS label exchange. In routed mode, that will result in breaking your MPLS communication. So, transparent mode would be


Hope this helps.



yeow_km Fri, 08/13/2010 - 07:22

Can the ASA do NAT in the environment as mentioned?

Since the MPLS router is already in a private IP segment and the switch is on another, different private IP segment.

Nagaraja Thanthry Fri, 08/13/2010 - 07:34


In transparent mode, ASA cannot do NAT (in the latest version it supports NAT to its own IP) and is not recommended.



Chetan Kumar Ress Fri, 08/13/2010 - 10:56


As per your scenario, it looks like an enterprise network. So you won't require MPLS label propagation in your internet network.

If possible, can you clear up whether you want to propagate the MPLS label in your internet network, or do you run MPLS in your routers & switches, or do you have only an MPLS link from your SP?

And if you won't require MPLS label propagation, or you have not configured MPLS in the internal network, then you can configure the ASA in routed mode and can use all the features that you require.


Chetan Kumar

Giuseppe Larosa Sun, 08/15/2010 - 07:13

Hello Yeow,

If your site is a customer site of an L3 VPN, you can use the ASA in routed mode. This will allow you to interconnect the MPLS routers on the outside and the internal L3 switches on the "inside".

You probably just need to route between ASA interfaces, unless you have address overlapping with other sites or with the IP subnet used with the MPLS service provider.

Hope to help
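
The address-overlap condition in the reply above can be checked against the addressing plan before deciding whether a routed-mode ASA needs NAT or can simply route. This is an added example, not part of the thread; the subnet names, the prefixes and the "local-" naming convention are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed sample addressing plan; none of these prefixes come from the thread.
SAMPLE_PLAN = {
    "local-vlan10": "10.10.10.0/24",
    "local-vlan20": "10.10.20.0/24",
    "pe-ce-link": "192.168.255.0/30",     # subnet shared with the MPLS provider
    "remote-site-a": "10.20.0.0/16",
    "remote-site-b": "10.10.20.128/25",   # deliberately collides with local-vlan20
}


def find_overlaps(plan):
    """Return (name_a, name_b) pairs, ordered by name, whose prefixes overlap."""
    # strict=True rejects prefixes with host bits set, which usually means a typo.
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in plan.items()}
    hits = []
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        # Only compare prefixes of the same IP version.
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            hits.append((a, b))
    return hits


def nat_needed(plan, local_prefix="local-"):
    """True when a local subnet collides with a remote site or the provider link.

    Local-to-local or remote-to-remote collisions are addressing errors that
    NAT on this firewall would not fix, so they are not counted here.
    """
    return any(a.startswith(local_prefix) != b.startswith(local_prefix)
               for a, b in find_overlaps(plan))


if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_PLAN):
        print(f"overlap: {a} {SAMPLE_PLAN[a]} <-> {b} {SAMPLE_PLAN[b]}")
    print("NAT needed" if nat_needed(SAMPLE_PLAN) else "plain routing is enough")
```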


