converting from MPLS to point to point via site-to-site tunnels

Lee Dress
Level 1

We are in the process of converting our remote offices from MPLS to Site-to-Site via ASA Tunnels.

I have no control over the routing of the MPLS, and it takes 30 days to get it turned off.

This site in question is circled in Blue.

My current configuration is like this:

[image: NJ1.JPG]

My plan for the site is to remove it from the MPLS and move it to a tunnel like this:

[image: NJ2.JPG]

I can build the tunnel successfully between both ASA devices, but I can't reroute traffic because the MPLS router in my site thinks it knows the way to get to the 50 site. I've told the core switch to route the 50 traffic via the ASA, but it goes through the router first, and I guess the router ignores my route.

ip default-gateway 172.16.100.2 (This is the ASA Address)

ip classless

ip route 0.0.0.0 0.0.0.0 172.16.100.2

ip route 172.16.100.0 255.255.255.0 192.168.3.254

ip route 192.168.50.0 255.255.255.0 172.16.100.2

My question is this.

Can I add a true internal address to an interface on my ASA, attach it to the core switch, and route the 50 traffic through that?

Like this?

[image: NJ3.JPG]

Eventually the MPLS Network is going to go away anyway, so I'm thinking eventually this will need to happen anyway, or I'll need to add another router to make a new DMZ.

23 Replies

Jon Marshall
Hall of Fame

Lee

So you have no control over the AT&T router, i.e. you cannot configure it?

If so then yes, you could run a connection from the inside interface of the ASA to your switch and bypass the router. The router is probably not giving you any security; just make sure the firewall is tied down, because anything allowed through hits your core switch.

By the way, if the core switch is routing for vlans and has "ip routing" enabled then you should remove -

"ip default-gateway 172.16.100.2"

as this is only needed for a L2 switch that is not routing. Your default route is enough as long as the switch is actually routing.

Jon

Yes, no control over the AT&T MPLS network router.

The ip default-gateway used to say 192.168.3.254, but I changed it hoping to let the ASA do all the routing instead of the MPLS router.

I'll remove it.

So to make sure I'm straight here, I can add an interface (like inside2, i.e. 192.168.3.253) and point my core switch to route the .50 traffic through that, correct?

Lee

Actually, my apologies, but I forgot about the return traffic.

The traffic would be routed over the VPN tunnel to site 50, but when traffic is returned it will use the existing interface you have because that is where the routes are pointing, and I don't think that will work. I say "don't think" because the ASA still sees the entire connection, but it would be using two different inside interfaces.

I'm going to post on the Firewalling forum to see if this would be an issue and I should get a response fairly soon.

In the meantime, what is the model of the L3 switch?

Jon

3750X.

I'm planning on disconnecting the MPLS router (50.254) at the remote site and using the same IP address on the ASA that's doing the tunnel (50.254), so I think return traffic should be fine.

My issue is getting to the site, because the MPLS router keeps pointing traffic to the MPLS network and not to my tunnel.

I can add another router in my office and point MPLS traffic to the MPLS network, and point Site2Site traffic to the ASA.

But I figured my 3750's should be able to do that themselves.

Let me know if you hear more.

Lee

I'm planning on disconnecting the MPLS router (50.254) at the remote site and using the same IP address on the ASA that's doing the tunnel (50.254), so I think return traffic should be fine.

In the following, when I refer to HQ I just mean the site you are initiating the VPN from.

Do you want to test the tunnel before disconnecting the MPLS router at site 50? If so then here are the problems -

1) outbound traffic goes to the AT&T router for site 50 and is sent to the MPLS cloud. We can fix this with a separate connection as discussed.

2) traffic from site 50 to your HQ subnets would go via the MPLS connection at site 50. We can only fix this by doing NAT on your src IPs from HQ before going down the VPN tunnel. Your 3750 doesn't do NAT, but your spare router probably would. So we could NAT your HQ addresses so that when they are returned from site 50 they are sent down the VPN tunnel. And when they get to the HQ ASA, that ASA won't have a route to these addresses because you have used NAT, so we can add a route on the ASA via the new inside interface.

I had a response on my post and they suggested using NAT at the remote site. If we did this you would not need a separate connection. You simply use a subnet that the AT&T router does not receive via MPLS and it should forward it on to the ASA at HQ. This would be instead of 1) above, but we still need to do 2).

If you did NAT the remote site subnets it would have to be policy NAT, as you only want to NAT the remote IPs when they come down the VPN tunnel, not when they go to the internet.

Having said all that, once you disconnect the MPLS router at site 50 it should work without any extra config/kit anywhere, because site 50 will no longer advertise its subnets to your HQ site, so when you try to connect from your core switch the AT&T router at HQ should simply send it on to the ASA because it doesn't know about site 50's subnets anymore. This is assuming you are exchanging routes across MPLS with a routing protocol and not using statics. If you are using statics on the AT&T router then we are back to the above solutions.

If removing the MPLS router at site 50 stops the HQ AT&T router learning the routes, then doing 1) and 2) above will only be so you can test the tunnel while the MPLS router at site 50 is connected. Once you disconnect it you won't need any of it.

Sorry to overload you with info but it all depends on quite a few things as you can see above.

Jon

Jon,

Thank you for your help. Your ideas gave me many things to think about.

I figured out a way to go that will serve me completely going forward in the future.

Here's what I did:

I installed a second router between my 192.168.3.x network and my DMZ 172.16.100.x.

I pointed all traffic on it to go straight to my ASA.

My ASA has static rules to point traffic back to the DMZ side of the MPLS router for the MPLS sites,

and the remote IP address of each tunnel for the tunnelled point to point sites. (I don't know if the second piece is necessary or not, but it doesn't seem to be doing any harm.)

This should allow me to just change the addresses on the ASA and not worry about MPLS thinking it knows the best route. All I should need to do is change the address on the ASA, and clear any route cache that may be present.

router1#sho ip route

Gateway of last resort is 172.16.100.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.100.0 is directly connected, FastEthernet0/1
S    192.168.0.0/24 [1/0] via 172.16.100.2
S    192.168.50.0/24 [1/0] via 172.16.100.2
C    192.168.3.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 172.16.100.2

So my core points to 3.253, and that device points to the ASA.

So the ASA decides where traffic comes and goes to.

Let me know if you think there will be any issues with my plan.

Thanks again...

Lee

Lee

So do you have this -

             ->  new router   -> 
core ->                                  -> ASA -> internet
             ->  AT&T router ->

If so, I'm not entirely following what you are doing, but I will write out what I think should happen and see if it matches yours.

site 50 = 192.168.50.0/24

You want to bypass the MPLS AT&T and use a VPN tunnel for site 50

1) on core switch/router

ip route 192.168.50.0 255.255.255.0 

this will mean traffic for site 50 goes direct to ASA

2) return traffic from site 50. Is the MPLS router still going to be connected, and would site 50 use that as its return path?

What is at site 50, i.e. is there a core switch that does routing like HQ or not?

I ask because if site 50 uses the MPLS cloud it obviously won't work, but because you have the router you can NAT the source IPs to a different range. Then add a route at site 50 to point this new subnet back to the ASA. Actually you might not need to add a route, as I assume any unknown routes in site 50 get sent to the ASA anyway?

If you do disconnect MPLS at site 50 you may still need to NAT, because when the packets are returned via the VPN tunnel the ASA at HQ will think they should be sent to the MPLS AT&T router.

Remember when the packets are returned to HQ the destination IP will be a subnet attached to the core switch. For normal internet traffic (ie non VPN) to and from HQ the path is -

core switch -> AT&T router -> ASA -> internet

internet -> ASA -> AT&T router -> core switch

and I presume you don't want to change this?

If you don't, then the easiest thing to do is, when an internal subnet at HQ wants to connect via VPN, it goes via the new router. You can then NAT the source IPs to a new range. You then add a route to the HQ ASA for that new range pointing to the router. So return traffic from the VPN goes via the router and non-VPN traffic is unaffected.

Does this make sense?

Jon

Here's my new config.

I think you miss the point that I'm unplugging the MPLS router from the 50 site.

My NY office used to be on MPLS. When we terminated the MPLS circuit,

I took an ASA, used the same x.x.x.254 gateway address as its inside address, built a tunnel back to HQ, and it came right up. I didn't need to NAT anything or do anything special.

I pointed the route on my core switch to the HQ ASA address and since MPLS didn't know about the network anymore, it lit right up.

To avoid the MPLS network, I'm going to reroute 192.168.50.x to the NEW router (3.253),

disconnect the MPLS circuit from the 50 LAN (50.254),

build the tunnel in the ASA and attach the 50 ASA with the same address as the old MPLS address (50.254).

It should just work.

No?

Once the MPLS circuit at site 50 is disconnected formally via AT&T, it won't matter anyway. The tunnel will work by default.

I just want to get them on the better circuit sooner, because AT&T Disconnects take 30 days or more to be completed.

Lee

I think you miss the point that I'm unplugging the MPLS router from the 50 site.

No, I was more concerned about what happens when traffic got back to HQ.

I pointed the route on my core switch to the HQ ASA address and since MPLS didn't know about the network anymore, it lit right up.

I may be misunderstanding, but if the AT&T MPLS router at HQ doesn't know about site 50 anymore why do you need the new router, i.e. as you say, the router just forwarded the traffic on to your ASA at HQ.

I can only see a need for the new router if the AT&T MPLS router at HQ thinks that site 50 is reachable via MPLS. If it doesn't you don't need it.

Jon

AT&T does still know about site 50.

That's why I need a new route.

And eventually, the AT&T MPLS network will go away and they will want their router back,

so I need to move off that router anyway.

I appreciate your help, sir.

The whole NAT thing is just throwing me, because I don't need to do that on the other tunnelled sites.

I'm just trying to redirect around the MPLS router.

Lee

I am honestly not trying to complicate things for you. Can you answer this specific question?

Is the new router going to connect to a different interface on the HQ ASA?

Jon

No.

The DMZ address of the ASA is 172.16.100.2.

The DMZ address of the MPLS router is 172.16.100.3.

The DMZ address of the NEW router is 172.16.100.10.

Jon Marshall
Hall of Fame

Lee

Okay, that makes more sense now.

Right, the only issue is outbound and return traffic, and this may not be an issue for you. E.g. let's say 192.168.5.0/24 is a subnet on your core switch at HQ and 192.168.5.1 is making the connections -

internet traffic (non VPN)

192.168.5.1 -> core switch -> AT&T router -> HQ ASA -> internet 

internet -> HQ ASA -> AT&T router -> core switch -> 192.168.5.1

The return path goes via the AT&T router because I assume you have a route on the ASA pointing to the AT&T router as next hop for 192.168.5.0/24.

VPN traffic from HQ to site 50

192.168.5.1 -> core switch -> new router -> HQ ASA -> internet -> site 50 ASA -> LAN

LAN -> site 50 ASA -> internet -> HQ ASA -> AT&T router -> core switch -> 192.168.5.1

Notice that the path back goes through the AT&T router and not the new router because of the route on the HQ ASA. Because you are using the same inside interface on the ASA, the VPN tunnel will work as expected, but it takes a different outbound and return path.

If this is not an issue for you then it should all work as you expect. If you want the traffic to use the same path both ways you would need to NAT the 192.168.5.0/24 addresses to a new address or range of addresses as they pass through the new router outbound to site 50; then you can add a route to the HQ ASA pointing that NAT subnet via the new router for the return traffic.

But like I say, it should work either way and it may not be an issue for you.

Jon
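The asymmetric outbound/return path Jon describes, traced through a constructed model of the HQ topology (an added example, not code posted by Lee or Jon). The per-device tables are assumptions built from the thread: the core's default route to the AT&T router and its site-50 route via the new router are Lee's, the HQ ASA's route for 192.168.5.0/24 via the AT&T router is the one Jon assumes, 192.168.5.0/24 is Jon's example subnet, and the internet between the two ASAs is collapsed into one link.

```python
# Constructed model of the thread's HQ topology (not Lee's or Jon's config):
# per-device static routes, longest-prefix match, hop-by-hop trace.
# The internet between the two ASAs is collapsed into one direct link.
import ipaddress

# (prefix, next hop); "connected" ends the trace on that device's LAN.
ROUTES = {
    "core": [
        ("192.168.5.0/24", "connected"),    # Jon's example HQ subnet
        ("192.168.50.0/24", "new_router"),  # Lee's route for site 50 via 3.253
        ("0.0.0.0/0", "att_router"),        # default still via the MPLS router
    ],
    "new_router": [("0.0.0.0/0", "hq_asa")],  # everything straight to the ASA
    "att_router": [("192.168.5.0/24", "core"), ("0.0.0.0/0", "hq_asa")],
    "hq_asa": [
        ("192.168.50.0/24", "site50_asa"),  # the site-to-site tunnel
        ("192.168.5.0/24", "att_router"),   # assumed: inside route via AT&T router
    ],
    "site50_asa": [("192.168.50.0/24", "connected"), ("0.0.0.0/0", "hq_asa")],
}

def next_hop(device, dst):
    """Longest-prefix match over one device's table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(start, dst, max_hops=10):
    """Devices a packet to dst passes through, beginning at start."""
    path = [start]
    for _ in range(max_hops):
        hop = next_hop(path[-1], dst)
        if hop is None:
            raise ValueError(f"{path[-1]} has no route to {dst}")
        if hop == "connected":
            return path
        path.append(hop)
    raise RuntimeError(f"no convergence after {max_hops} hops: possible loop")

def is_symmetric(a, a_ip, b, b_ip):
    """True when the return path is exactly the forward path reversed."""
    return trace(a, b_ip) == list(reversed(trace(b, a_ip)))

if __name__ == "__main__":
    print("HQ -> site 50:", " -> ".join(trace("core", "192.168.50.10")))
    print("site 50 -> HQ:", " -> ".join(trace("site50_asa", "192.168.5.1")))
```

Swapping the `hq_asa` route for 192.168.5.0/24 (or a NAT range, as Jon suggests) to point at `new_router` makes `is_symmetric` return True, which is the change the last post describes.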
