ASA WAN Through MPLS

coolmon1981
Level 1
Hi Everyone,
I hope one of you can help me or point me in the right direction. Please be gentle, I'm a newbie.
From my HQ I'm able to access the internet through the ASA, and I would like my users at my branch site to use the same internet connection through the MPLS circuit.
On my branch site I'm able to receive an IP address from my DHCP server that stands in HQ, and I'm able to ping the IP address of the ASA firewall from any VLAN on my branch office.
When I do a traceroute from the router on the branch site to the IP of the firewall on HQ it looks like this:
Tracing the route to 10.1.100.4
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.33.1 0 msec 0 msec 0 msec
2 172.16.22.1 4 msec 4 msec 4 msec
3 172.16.1.1 0 msec 0 msec 4 msec
4 172.16.1.2 4 msec 4 msec 4 msec
And if I do a traceroute to 8.8.8.8:
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.33.1 0 msec 0 msec 0 msec
2 172.16.33.2 0 msec 0 msec 0 msec
3 172.16.33.1 0 msec 0 msec 0 msec
4 172.16.33.2 4 msec 0 msec 0 msec
5 172.16.33.1 0 msec 0 msec 0 msec
6 172.16.33.2 4 msec 0 msec 0 msec
7 172.16.33.1 4 msec 0 msec 4 msec
8 172.16.33.2 0 msec 0 msec 0 msec
9 172.16.33.1 4 msec 0 msec 8 msec
10 172.16.33.2 0 msec 0 msec 0 msec
I hope someone will be able to see what I'm missing.
Thank You
Best Regards.
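As an added example (not code from the original post), a small Python script that parses IOS-style traceroute output like the two traces above and flags the alternating 172.16.33.1 / 172.16.33.2 pattern as a forwarding loop; the sample traces are constructed from the output shown in this post.

```python
import re
# Hop lines of Cisco IOS traceroute output look like "<hop> <address|*> <rtt> msec ...".
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3}|\*)")
# Constructed sample: the looping trace from the post above, truncated to six hops.
LOOPED = """Tracing the route to 8.8.8.8
1 172.16.33.1 0 msec 0 msec 0 msec
2 172.16.33.2 0 msec 0 msec 0 msec
3 172.16.33.1 0 msec 0 msec 0 msec
4 172.16.33.2 4 msec 0 msec 0 msec
5 172.16.33.1 0 msec 0 msec 0 msec
6 172.16.33.2 4 msec 0 msec 0 msec
"""
# Constructed sample: the healthy trace to the ASA (10.1.100.4) from the same post.
CLEAN = ("Tracing the route to 10.1.100.4\n1 172.16.33.1 0 msec 0 msec 0 msec\n"
         "2 172.16.22.1 4 msec 4 msec 4 msec\n3 172.16.1.1 0 msec 0 msec 4 msec\n"
         "4 172.16.1.2 4 msec 4 msec 4 msec\n")
# Constructed sample: no hop answers at all (what a missing default route looks like).
SILENT = "Tracing the route to 8.8.8.8\n1 * * *\n2 * * *\n3 * * *\n"

def parse_hops(output):
    """First responding address per hop line; a '*' hop (no reply) becomes None."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:  # header lines ("Tracing the route ...", "VRF info: ...") do not match
            hops.append(None if m.group(2) == "*" else m.group(2))
    return hops

def find_loop(hops, min_repeats=3):
    """Shortest cycle of distinct addresses repeated min_repeats times in a row, else None."""
    addrs = [h for h in hops if h is not None]
    for length in range(1, len(addrs) // min_repeats + 1):
        for start in range(len(addrs) - length * min_repeats + 1):
            cycle = addrs[start:start + length]
            if len(set(cycle)) == length and all(
                    addrs[start + k * length:start + (k + 1) * length] == cycle
                    for k in range(1, min_repeats)):
                return tuple(cycle)
    return None

def diagnose(output):
    """Classify a trace as a forwarding loop, a black hole, or neither."""
    hops = parse_hops(output)
    loop = find_loop(hops)
    if loop:
        return "loop between " + " <-> ".join(loop)
    if not any(hops):
        return "no response from any hop"
    return "no loop detected"
```

The Windows tracert format (RTTs before the address) is not handled; feed it IOS-style output only.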
Philip D'Ath
VIP Alumni

You need to tell your MPLS provider to add a default route pointing to your ASA.

Hi;

So I would need to add this to my PE1, PE2 and P router in order to make it work:

ip route 0.0.0.0 0.0.0.0 10.1.100.4, where 10.1.100.4 is the IP of the ASA

Thanks

You should only need to add it to the routers that are layer 3 adjacent to the firewall.

Should the router in the second site not also have the ip route 0.0.0.0 0.0.0.0 10.1.100.4 so it would know where to cast the traffic?

I'm unsure how to make a default route on the MPLS, because what I have attempted in the previous post did not work. Would you be able to tell me how I should make the default route?

Thank You

I have tried to add ip route 0.0.0.0 0.0.0.0 10.1.100.4 to the SW connected to PE1 and the router connected to PE2,
and I have added default-information originate and redistribute ospf 2 match internal external 1 to both provider edge routers,
but the result is the same. Or am I completely wrong?

router ospf 2 vrf DTL
redistribute bgp 3292 subnets
network 172.16.1.0 0.0.0.3 area 0
network 172.16.1.4 0.0.0.3 area 0
 default-information originate
!
router ospf 1
mpls ldp autoconfig
network 2.2.2.2 0.0.0.0 area 0
network 172.16.11.0 0.0.0.3 area 0
!
router bgp 3292
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 3292
neighbor 4.4.4.4 update-source Loopback0
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf DTL
redistribute ospf 2 match internal external 1
default-information originate
exit-address-family
I hope you will be able to tell me what I should add to the Provider Edge 1 router in order to make it work.
Thank You

ahmedshoaib
Level 4

Hi;

After reviewing the configuration I found an extra command on your branch router which is telling your MPLS (PE2) router to forward the traffic back to the branch router. Please remove the default-information originate command under the OSPF process. This information needs to be advertised from the HO DS switches.

Branch RTR:

router ospf 1
no default-information originate always

The above configuration will resolve the looping issue b/w PE2 & Branch RTR.

If you want to enable the default-information originate command from HO then you need to modify the following configuration:

(Optional) Part-1 HO DS Switches:

router ospf 1
 default-information originate always

(Optional) Part-2 Branch RTR:

no ip route 0.0.0.0 0.0.0.0 10.1.100.4

Thanks & Best regards;
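As an added illustration of the loop the answer above describes (example code, not anything posted in the thread): a constructed, much simplified forwarding model in which PE2 has learned a default route from the branch router's own OSPF origination while the branch's static default resolves back through PE2, and the same model after PE2 follows the default originated from HQ instead. The router names, the OWNER map and the per-router tables are assumptions built from the addresses in the traceroutes, not the real configuration.

```python
import ipaddress

# Which router answers at each next-hop address (assumed, from the traceroute addresses).
OWNER = {"172.16.33.2": "Branch", "172.16.33.1": "PE2", "172.16.22.1": "P",
         "172.16.1.1": "PE1", "172.16.1.2": "DSW", "10.1.100.4": "ASA"}

# Constructed forwarding tables (prefix -> next hop); "local" = the packet leaves via the ASA.
BEFORE = {
    "Branch": {"0.0.0.0/0": "172.16.33.1"},  # static default to the ASA, resolved through PE2
    "PE2": {"0.0.0.0/0": "172.16.33.2"},     # default learned from the branch's OSPF origination
    "P": {"0.0.0.0/0": "172.16.1.1"},
    "PE1": {"0.0.0.0/0": "172.16.1.2"},
    "DSW": {"0.0.0.0/0": "10.1.100.4"},
    "ASA": {"0.0.0.0/0": "local"},
}
# After the fix: PE2 follows the default the HQ DS switches originate, i.e. toward the core.
AFTER = dict(BEFORE, PE2={"0.0.0.0/0": "172.16.22.1"})

def lookup(fib, dst):
    """Longest-prefix match over {prefix: next_hop}; None when nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def forward(fibs, start, dst, ttl=16):
    """Follow next hops from `start`; outcome is delivered, loop, no route or ttl expired."""
    path, router = [], start
    while ttl:
        if router in path:            # revisiting a router means a forwarding loop
            return path + [router], "loop"
        path.append(router)
        nh = lookup(fibs[router], dst)
        if nh is None:
            return path, "no route"
        if nh == "local":
            return path, "delivered"
        router = OWNER[nh]
        ttl -= 1
    return path, "ttl expired"
```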

Hi,

I have removed default-information originate always and removed ip route 0.0.0.0 0.0.0.0 10.1.100.4 from the branch router,

and I have added the default-information originate always to both DSWs in my HQ.

I don't get the loop anymore on the branch router, but I can't do internet either.

From Windows
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 5 ms 1 ms 2 ms 10.2.99.2
2 10.2.99.2 reports: Destination host unreachable.

From Branch Router
Tracing the route to google-public-dns-a.google.com (8.8.8.8)
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
If I do a (show ip route):

do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
5.0.0.0/32 is subnetted, 1 subnets
C 5.5.5.5 is directly connected, Loopback0
6.0.0.0/32 is subnetted, 1 subnets
O IA 6.6.6.6 [110/4] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
7.0.0.0/32 is subnetted, 1 subnets
O 7.7.7.7 [110/2] via 10.2.50.2, 1d11h, Vlan50
[110/2] via 10.2.30.2, 1d11h, Vlan30
[110/2] via 10.2.20.2, 1d11h, Vlan20
[110/2] via 10.2.10.2, 1d11h, Vlan10
10.0.0.0/8 is variably subnetted, 19 subnets, 2 masks
O IA 10.1.10.0/24 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 10.1.20.0/24 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 10.1.30.0/24 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 10.1.40.0/24 [110/4] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 10.1.50.0/24 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 10.1.99.0/24 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 10.1.100.0/24 [110/3] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
C 10.2.10.0/24 is directly connected, Vlan10
L 10.2.10.1/32 is directly connected, Vlan10
C 10.2.20.0/24 is directly connected, Vlan20
L 10.2.20.1/32 is directly connected, Vlan20
C 10.2.30.0/24 is directly connected, Vlan30
L 10.2.30.1/32 is directly connected, Vlan30
C 10.2.40.0/24 is directly connected, Vlan40
L 10.2.40.1/32 is directly connected, Vlan40
C 10.2.50.0/24 is directly connected, Vlan50
L 10.2.50.1/32 is directly connected, Vlan50
C 10.2.99.0/24 is directly connected, Vlan99
L 10.2.99.1/32 is directly connected, Vlan99
172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA 172.16.1.0/30 [110/2] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
O IA 172.16.1.4/30 [110/2] via 172.16.33.1, 1d13h, GigabitEthernet1/0/1
C 172.16.33.0/30 is directly connected, GigabitEthernet1/0/1
L 172.16.33.2/32 is directly connected, GigabitEthernet1/0/1
O 172.16.33.4/30 [110/2] via 172.16.33.1, 1d12h, GigabitEthernet1/0/1
[110/2] via 10.2.50.2, 1d11h, Vlan50
[110/2] via 10.2.30.2, 1d11h, Vlan30
[110/2] via 10.2.20.2, 1d11h, Vlan20

Thank You

Best Regards

Hi Ahmedshoaib,

Thanks a lot, I found the error. I have removed default-information originate on PE2 under

router BGP 3292
address-family ipv4 vrf DTL
no default-information originate

And on PE1 I removed

router ospf 2 vrf DTL
no default-information originate

Thanks again for your help

Best regards
