topic Should the Router in the in Network Security

ASA WAN Through MPLS

coolmon1981 — Tue, 12 Mar 2019 08:05:28 GMT

Hi Everyone,

I hope one of you can help me or point me into the right direction. Please be gentle i'm a newbe.

From my HQ i'm able to access internet through the ASA, and i would like my users at my branch site to use the same internet connection through the MPLS circuit

On my branch site i'm able to receive IP address from my DHCP server that stands in HQ, and i'm able to ping the ip address of the ASA firewall. from any vlan on my branch office.

When i do a traceroute from the router on the branch site to the ip of firewall on HQ it looks like this.

Tracing the route to 10.1.100.4
VRF info: (vrf in name/id, vrf out name/id)
 1 172.16.33.1 0 msec 0 msec 0 msec
 2 172.16.22.1 4 msec 4 msec 4 msec
 3 172.16.1.1 0 msec 0 msec 4 msec
 4 172.16.1.2 4 msec 4 msec 4 msec

and if i do a traceroute to 8.8.8.8

Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
 1 172.16.33.1 0 msec 0 msec 0 msec
 2 172.16.33.2 0 msec 0 msec 0 msec
 3 172.16.33.1 0 msec 0 msec 0 msec
 4 172.16.33.2 4 msec 0 msec 0 msec
 5 172.16.33.1 0 msec 0 msec 0 msec
 6 172.16.33.2 4 msec 0 msec 0 msec
 7 172.16.33.1 4 msec 0 msec 4 msec
 8 172.16.33.2 0 msec 0 msec 0 msec
 9 172.16.33.1 4 msec 0 msec 8 msec
 10 172.16.33.2 0 msec 0 msec 0 msec

I hope some would be able to see what i'm missing

Thank You

Best Regards.

You need to tell your MPLS

Philip D'Ath — Thu, 04 Aug 2016 03:08:36 GMT

You need to tell your MPLS provider to add a default route pointing to your ASA.

Hi;

coolmon1981 — Thu, 04 Aug 2016 08:35:59 GMT

Hi;

So i would need to add this to my PE1, PE2 and P Router in order to make it work

ip route 0.0.0.0 0.0.0.0 10.1.100.4 where 10.1.100.4 is the ip of ASA

Thanks

I have tried to add ip route

coolmon1981 — Thu, 04 Aug 2016 20:56:24 GMT

I have tried to add ip route 0.0.0.0 0.0.0.0 10.1.100.4 to SW conected to PE1 and the Router connected to PE2
and i have added default-information originate and redistribute ospf 2 match internal external 1 to both provider edge router.

but the result is the same or am i completely wrong.

router ospf 2 vrf DTL
 redistribute bgp 3292 subnets
 network 172.16.1.0 0.0.0.3 area 0
 network 172.16.1.4 0.0.0.3 area 0
 default-information originate
!
router ospf 1
 mpls ldp autoconfig
 network 2.2.2.2 0.0.0.0 area 0
 network 172.16.11.0 0.0.0.3 area 0
!
router bgp 3292
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 3292
 neighbor 4.4.4.4 update-source Loopback0
 ! 
 address-family vpnv4
 neighbor 4.4.4.4 activate
 neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf DTL
 redistribute ospf 2 match internal external 1
 default-information originate
 exit-address-family

Hope you will be able to tell we what i should add the the Provider Edge 1 router in order to make it work.

Thank You

You should only need to add

Philip D'Ath — Fri, 05 Aug 2016 00:13:31 GMT

You should only need to add it to the routers that are layer 3 adjacent to the firewall.

Should the Router in the

coolmon1981 — Fri, 05 Aug 2016 07:06:07 GMT

Should the Router in the second site not also have the ip route 0.0.0.0 0.0.0.0 10.1.100.4 so it would now where to cast the trafic.

I'm unsure how to make a default route on the MPLS because what i have attempted in the previous post did not work, would you be able to tell me how i should make the default rate?

Thank You

Hi;

ahmedshoaib — Sun, 07 Aug 2016 21:18:30 GMT

Hi;

After reviewing the configuration I found an extra command on your branch router which is telling you MPLS (PE2) Router to forward the traffic back to branch router. Please remove the default-information originate command under ospf process. This information need to advertise from HO DS switches.

Branch RTR:

router ospf 1

no default-information originate always

The above configuration will resolve the looping issue b/w PE2 & Branch RTR.

If you want to enable to default information originate command from HO then you need to modify the following configuration:

(Optional) Part-1 HO DS Switches:

router ospf 1

default-information originate always

(Optional) Part-2 Branch RTR:

no ip route 0.0.0.0 0.0.0.0 10.1.100.4

Thanks & Best regards;

Hi,

coolmon1981 — Sat, 13 Aug 2016 20:25:56 GMT

Hi,

I have removed default-information originate always and removed ip route 0.0.0.0 0.0.0.0 10.1.100.4 from the branch router.

and i have added the default-information originate always to both DSW in my HQ.

I don't get the loop anymore on the branch router. but i cant do internet either.

From Windows
Tracing route to 8.8.8.8 over a maximum of 30 hops
  1     5 ms           1 ms     2 ms      10.2.99.2
  2   10.2.99.2     reports: Destination host unreachable.

From Branch Router
Tracing the route to google-public-dns-a.google.com (8.8.8.8)
VRF info: (vrf in name/id, vrf out name/id)
 1 * * * 
 2 * * * 
 3 * * * 
 4 * * * 
 5 * * * 
 6 * * * 
 7 * * * 
 8 * * * 
 9 * * * 
 10 * * *

If i do a (show ip route)

do show ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 + - replicated route, % - next hop override

Gateway of last resort is not set

 1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
 5.0.0.0/32 is subnetted, 1 subnets
C 5.5.5.5 is directly connected, Loopback0
 6.0.0.0/32 is subnetted, 1 subnets
O IA 6.6.6.6 [110/4] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
 7.0.0.0/32 is subnetted, 1 subnets
O 7.7.7.7 [110/2] via 10.2.50.2, 1d11h, Vlan50
 [110/2] via 10.2.30.2, 1d11h, Vlan30
 [110/2] via 10.2.20.2, 1d11h, Vlan20
 [110/2] via 10.2.10.2, 1d11h, Vlan10
 10.0.0.0/8 is variably subnetted, 19 subnets, 2 masks
O IA 10.1.10.0/24 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 10.1.20.0/24 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 10.1.30.0/24 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 10.1.40.0/24 [110/4] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 10.1.50.0/24 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 10.1.99.0/24 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 10.1.100.0/24 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
C 10.2.10.0/24 is directly connected, Vlan10
L 10.2.10.1/32 is directly connected, Vlan10
C 10.2.20.0/24 is directly connected, Vlan20
L 10.2.20.1/32 is directly connected, Vlan20
C 10.2.30.0/24 is directly connected, Vlan30
L 10.2.30.1/32 is directly connected, Vlan30
C 10.2.40.0/24 is directly connected, Vlan40
L 10.2.40.1/32 is directly connected, Vlan40
C 10.2.50.0/24 is directly connected, Vlan50
L 10.2.50.1/32 is directly connected, Vlan50
C 10.2.99.0/24 is directly connected, Vlan99
L 10.2.99.1/32 is directly connected, Vlan99
 172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA 172.16.1.0/30 [110/2] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 172.16.1.4/30 [110/2] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
C 172.16.33.0/30 is directly connected, GigabitEthernet1/0/1
L 172.16.33.2/32 is directly connected, GigabitEthernet1/0/1
O 172.16.33.4/30 [110/2] via 172.16.33.1, 1d12h, GigabitEthernet1/0/1
 [110/2] via 10.2.50.2, 1d11h, Vlan50
 [110/2] via 10.2.30.2, 1d11h, Vlan30
 [110/2] via 10.2.20.2, 1d11h, Vlan20

Thank You

Best Regards

Hi Ahmedshoaib,

coolmon1981 — Sat, 13 Aug 2016 21:56:38 GMT

Hi Ahmedshoaib,

Thanks alot i found the error, i have removed default-information originate on PE2 under

topic Should the Router in the in Network Security

ASA WAN Through MPLS

Hi Everyone,

I hope one of you can help me or point me into the right direction. Please be gentle i'm a newbe.

From my HQ i'm able to access internet through the ASA, and i would like my users at my branch site to use the same internet connection through the MPLS circuit

On my branch site i'm able to receive IP address from my DHCP server that stands in HQ, and i'm able to ping the ip address of the ASA firewall. from any vlan on my branch office.

When i do a traceroute from the router on the branch site to the ip of firewall on HQ it looks like this.

and if i do a traceroute to 8.8.8.8

I hope some would be able to see what i'm missing

Thank You

Best Regards.

You need to tell your MPLS

Hi;

I have tried to add ip route

I have tried to add ip route 0.0.0.0 0.0.0.0 10.1.100.4 to SW conected to PE1 and the Router connected to PE2
and i have added default-information originate and redistribute ospf 2 match internal external 1 to both provider edge router.

but the result is the same or am i completely wrong.

Hope you will be able to tell we what i should add the the Provider Edge 1 router in order to make it work.

Thank You

You should only need to add

Should the Router in the

Hi;

Hi,

Hi Ahmedshoaib,

router BGP 3292
address-family ipv4 vrf DTL
no default-information originate

And on PE1 i removed

router ospf 2 vrf DTL
no default-information originate

Thanks again for your help

topic Should the Router in the in Network Security

ASA WAN Through MPLS

Hi Everyone,

I hope one of you can help me or point me into the right direction. Please be gentle i'm a newbe.

From my HQ i'm able to access internet through the ASA, and i would like my users at my branch site to use the same internet connection through the MPLS circuit

On my branch site i'm able to receive IP address from my DHCP server that stands in HQ, and i'm able to ping the ip address of the ASA firewall. from any vlan on my branch office.

When i do a traceroute from the router on the branch site to the ip of firewall on HQ it looks like this.

and if i do a traceroute to 8.8.8.8

I hope some would be able to see what i'm missing

Thank You

Best Regards.

You need to tell your MPLS

Hi;

I have tried to add ip route

I have tried to add ip route 0.0.0.0 0.0.0.0 10.1.100.4 to SW conected to PE1 and the Router connected to PE2and i have added default-information originate and redistribute ospf 2 match internal external 1 to both provider edge router.

but the result is the same or am i completely wrong.

Hope you will be able to tell we what i should add the the Provider Edge 1 router in order to make it work.

Thank You

You should only need to add

Should the Router in the

Hi;

Hi,

Hi Ahmedshoaib,

router BGP 3292address-family ipv4 vrf DTLno default-information originate

And on PE1 i removed

router ospf 2 vrf DTLno default-information originate

Thanks again for your help

I have tried to add ip route 0.0.0.0 0.0.0.0 10.1.100.4 to SW conected to PE1 and the Router connected to PE2
and i have added default-information originate and redistribute ospf 2 match internal external 1 to both provider edge router.

router BGP 3292
address-family ipv4 vrf DTL
no default-information originate

router ospf 2 vrf DTL
no default-information originate