Adding MPLS with 1841 to existing 5505 advice

We currently have our T1 attached to a 5505. We have IPsec site-to-site tunnels that also terminate on the outside interface of the 5505.

We are getting rid of the T1 and bringing in a managed MPLS circuit which will run off of a 1841 ISR. I would like the 5505 to pretty much work as is with little change. What's the easiest way to accomplish this? Of course the MPLS will come with a new external IP.

Current Design --->    T1<------>[asa5505]<------->[LAN]

New design--------->    Mpls<------->[1841]<------>[asa 5505]<------->[LAN]


1. What's the easiest way to drop in the 1841 without having to change all my ASA ACLs?

2. How would I terminate my IPsec site-to-site tunnels on the ASA outside interface? Now that the WAN interface is on the 1841 and not the ASA, how would I terminate the other side of the tunnel? Can I leave my tunnel endpoints on the ASA or do they now have to terminate on the 1841?

3. How would I configure the outside interface on the ASA to communicate out the 1841 MPLS?




Once you have your MPLS link up, it will be either a static route or dynamic routing that you configure on the edge router 1841.

To answer your questions:

The router first needs to have full visibility of your MPLS-enabled remote sites.

Your ASA has to have a route pointing to this router for remote networks, or you can run a routing protocol between them such as OSPF.

Your ACLs will depend on the source LAN IP address coming into your ASA side.


Just to add regarding your IPsec:

I am not sure if this is a private MPLS L3 VPN for your company? If yes, then why do you want to use IPsec? Unless you want to encrypt all your traffic from being seen by the ISP.

In any case, if you are going to use the SP MPLS cloud for communications with other branches, then just make sure that you advertise the subnet between the 1841 and the ASA so that the ASA outside interface will be reachable.

If this is MPLS for internet access and the service provider will give you a public IP/range, then they will maybe give a private IP to configure on the router interface for peering with the MPLS SP, and then you can NAT the public IP/range or configure it between the router and the ASA if you have enough IPs. In this way the outside interface of the ASA will be reachable through a public IP.
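
The last option described above (provider peering address on the router WAN side, the public range configured between the router and the ASA), sketched as configuration. This is an added example, not part of the original thread: every address is constructed from private/documentation ranges, the interface names are assumptions, and it assumes the provider routes the public range to the router.

```cisco
! ===== 1841 ISR (all values below are constructed placeholders) =====
interface FastEthernet0/0
 description WAN to MPLS provider, peering address assigned by the SP
 ip address 10.255.0.2 255.255.255.252
 no shutdown
!
interface FastEthernet0/1
 description Transit segment to ASA 5505 outside interface
 ip address 203.0.113.1 255.255.255.248
 no shutdown
!
! Default route toward the provider edge (placeholder next hop).
ip route 0.0.0.0 0.0.0.0 10.255.0.1
!
! No NAT and no ACL is applied on this router in this sketch, so IKE
! (UDP 500, UDP 4500 when NAT-T is in use) and ESP (IP protocol 50)
! reach the ASA outside address unchanged.
!
! ===== ASA 5505 (all values below are constructed placeholders) =====
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Default route now points at the 1841 instead of the old T1 next hop.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! The existing crypto map stays bound to the "outside" interface and the
! existing ACLs keep matching on inside (LAN) source addresses, so neither
! needs to change. Only the outside address is new: each remote site must
! update its configured peer address to 203.0.113.2.
```

After cutover, `show route` on the ASA confirms the new default route, and `show crypto isakmp sa` / `show crypto ipsec sa` confirm that the tunnels re-establish against the new outside address.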