06-01-2015 12:27 AM - edited 03-05-2019 01:35 AM
Hi, we have our head office Cisco router configured with a 12Mbps leased line and 12Mbps MPLS terminated on the same router. We have four branch offices connected through MPLS to the head office and to each other. We want to share the internet connection in our head office with the branch offices. Can somebody please help with this configuration, as we have only basic Cisco knowledge. Below are our head office and one of our branch office configurations. The MPLS link is established and we can ping each other's local LAN interface.
Head Office Cisco router:
interface GigabitEthernet0/0.312
description "IP-VPN-12 Mbps"
encapsulation dot1Q 312
ip address 192.168.149.30 255.255.255.252
!
interface GigabitEthernet0/0.340
description "DIA-12 Mbps"
encapsulation dot1Q 340
ip address 37.216.210.14 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
description "LAN"
ip address 200.10.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
router bgp 65000
bgp log-neighbor-changes
network 200.10.0.0
neighbor 192.168.149.29 remote-as 35819
neighbor 192.168.149.29 password 12345678
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list natlist interface GigabitEthernet0/0.340 overload
ip route 0.0.0.0 0.0.0.0 37.216.210.13
!
ip access-list extended natlist
permit ip 200.10.0.0 0.0.0.255 any
permit ip 200.20.0.0 0.0.0.255 any
permit ip 200.30.0.0 0.0.0.255 any
permit ip 200.40.0.0 0.0.0.255 any
permit ip 200.50.0.0 0.0.0.255 any
Branch Office Cisco Router:
interface FastEthernet8
description "LAN CONNECTION"
ip address 200.50.0.254 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0
description "WAN LINK"
ip address 192.168.150.50 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
!
interface GMPLS0
no ip address
no fair-queue
no keepalive
!
router bgp 65000
bgp log-neighbor-changes
network 200.50.0.0
neighbor 192.168.150.49 remote-as 35819
neighbor 192.168.150.49 password 12345678
!
ip forward-protocol nd
!
!
no ip http server
ip http access-class 23
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.150.49
!
!
Thanks
06-01-2015 06:01 AM
I am assuming this is MPLS VPN that the service provider is providing you. On your branch routers you have just a single static route pointing to the default gateway, which is probably the PE router 192.168.150.49, and similarly at your head office.
You also peer with them using BGP from the head office and also the branch office. I wonder if you advertise a default route into BGP to the PE from the head office; this will propagate to all your branch offices, directing traffic towards the head office. In this case you could possibly be looking at setting default originate to 192.168.149.29. This will advertise the default route and it will get propagated to the PE VRFs that carry your routing function for you within the MPLS cloud.
Let us know if we should explain more.
06-01-2015 10:44 AM
Bilal, thanks for your swift response. Yes, it is MPLS VPN and all your assumptions are correct. Shall I run the command below under bgp in the head office to propagate the default route to our MPLS network?
neighbor 192.168.149.29 default-originate
Thanks
06-01-2015 11:21 AM
Yes, that should do it. Please remember this will propagate the default route to the rest of your MPLS VPN sites even if you don't actually have a default route. If your HQ is the only exit point then it should be fine.
The main thing is to get the PE routers to see the default.
Hope it helps
Bilal
06-02-2015 02:21 AM
Bilal, I already advertised the default route under bgp with the above command on the head office router. Now internet traffic is reaching the head office router but it is not going out. Below is the result from the branch office.
Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.150.49 [AS 35819] 4 msec 24 msec 28 msec
2 192.168.149.29 [AS 35819] 32 msec 32 msec 32 msec
3 192.168.149.30 [AS 35819] 32 msec 32 msec 36 msec
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
06-02-2015 03:08 AM
Ah, so that's good news for a start... hop No.3 is the head office router. I wonder whether your ping from your branch office is being sourced from its "WAN" link and not the LAN.
On your head office you have NAT, but you are missing a command under an interface. Remember the traffic from the MPLS sites will be coming into this interface, so this is like our inside interface too.
interface GigabitEthernet0/0.312
ip nat inside
Please remember, everything in your NAT ACL (natlist) will be NAT'd, and not necessarily the MPLS WAN IPs. You have all the 200.x addresses there, so only those will be NAT'd. But if you want you could add the 192.x addresses to the ACL.
Hope it helps, and let us know your results.
Bilal
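The inside/outside check behind Bilal's fix, as an added example that is not part of the thread: a small Python config linter that parses the posted head-office config (reproduced here as a constructed sample, trimmed to the NAT-relevant lines), resolves the egress interface for 8.8.8.8 from the static default route, and reports which of the three conditions for inside-to-outside NAT fail for branch traffic arriving on GigabitEthernet0/0.312. Interface names, the ACL name and addresses are taken from the thread; the branch host address 200.50.0.10 is constructed, and the parser only understands the statement forms used in this sample.

```python
import ipaddress
import re

# Constructed sample modelled on the head-office config posted in the thread, trimmed
# to the NAT-relevant lines. "Before" state: the MPLS sub-interface has no NAT role.
HQ_CONFIG_BEFORE = """interface GigabitEthernet0/0.312
 ip address 192.168.149.30 255.255.255.252
!
interface GigabitEthernet0/0.340
 ip address 37.216.210.14 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 200.10.0.254 255.255.255.0
 ip nat inside
!
ip nat inside source list natlist interface GigabitEthernet0/0.340 overload
ip route 0.0.0.0 0.0.0.0 37.216.210.13
!
ip access-list extended natlist
 permit ip 200.10.0.0 0.0.0.255 any
 permit ip 200.50.0.0 0.0.0.255 any
"""

# The fix given in the thread: the MPLS sub-interface becomes a NAT inside interface.
HQ_CONFIG_AFTER = HQ_CONFIG_BEFORE.replace(
    " ip address 192.168.149.30 255.255.255.252",
    " ip address 192.168.149.30 255.255.255.252\n ip nat inside")


def parse_config(text):
    """Extract interfaces (address, NAT role), extended ACLs, static routes and
    'ip nat inside source list' bindings from an IOS-style config."""
    interfaces, acls, routes, nat_rules = {}, {}, [], []
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None
        elif line.startswith("interface "):
            block = ("intf", line.split()[1])
            interfaces[block[1]] = {"addr": None, "nat": None}
        elif line.startswith("ip access-list extended "):
            block = ("acl", line.split()[3])
            acls[block[1]] = []
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_address(m[3])))
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+)", line):
            nat_rules.append((m[1], m[2]))
        elif block and block[0] == "intf":
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                interfaces[block[1]]["addr"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif line in ("ip nat inside", "ip nat outside"):
                interfaces[block[1]]["nat"] = line.split()[-1]
        elif block and block[0] == "acl":
            if m := re.match(r"(permit|deny) ip (\S+) (\S+) any", line):
                # IOS ACLs use wildcard (host) masks; ipaddress understands them directly.
                acls[block[1]].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}")))
    return interfaces, acls, routes, nat_rules


def egress_interface(interfaces, routes, dst):
    """Longest-prefix match: connected subnets first, then static routes, resolving
    the next hop to the interface whose subnet contains it."""
    connected = [(i["addr"].network, n) for n, i in interfaces.items() if i["addr"]]
    connected.sort(key=lambda c: c[0].prefixlen, reverse=True)
    for net, name in connected:
        if dst in net:
            return name
    for net, nh in sorted(routes, key=lambda r: r[0].prefixlen, reverse=True):
        if dst in net:
            return next((name for cnet, name in connected if nh in cnet), None)
    return None


def acl_permits(acl, src):
    """First matching entry wins; an ACL with no matching entry denies implicitly."""
    for action, net in acl:
        if src in net:
            return action == "permit"
    return False


def nat_check(config, src, ingress, dst="8.8.8.8"):
    """Would a packet from src entering on 'ingress' towards dst be translated?
    Inside-to-outside NAT needs: ingress 'ip nat inside', egress 'ip nat outside',
    and a source-list rule bound to that egress whose ACL permits src."""
    interfaces, acls, routes, nat_rules = parse_config(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = egress_interface(interfaces, routes, dst)
    problems = []
    if interfaces[ingress]["nat"] != "inside":
        problems.append(f"{ingress} lacks 'ip nat inside'")
    if egress is None or interfaces[egress]["nat"] != "outside":
        problems.append(f"egress {egress} lacks 'ip nat outside'")
    if not any(e == egress and acl_permits(acls.get(a, []), src) for a, e in nat_rules):
        problems.append(f"{src} is not permitted by any NAT ACL bound to {egress}")
    return {"egress": egress, "translated": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed branch host 200.50.0.10 arrives over the MPLS sub-interface, heading for 8.8.8.8.
    for label, cfg in (("before fix", HQ_CONFIG_BEFORE), ("after fix", HQ_CONFIG_AFTER)):
        print(label, nat_check(cfg, "200.50.0.10", "GigabitEthernet0/0.312"))
```

Before the fix the only failing condition is the missing `ip nat inside` on GigabitEthernet0/0.312: the ACL already permits 200.50.0.0/24 and the default route already leaves through the `ip nat outside` interface, which is why HQ LAN hosts could browse while branch hosts could not. The same check run for an HQ LAN host on GigabitEthernet0/1 passes in both states.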
06-03-2015 08:58 PM
Thanks, I am able to access the internet from my branch office now. I am really thankful for all your efforts.
06-10-2015 02:22 PM
Bilal, I wish you could help me again. We have installed a firewall in the head office after the router to share internet with the branch offices that are connected over MPLS. We have configured the firewall with a static default route to the router. I have disabled NAT on the router interfaces in the head office. I can access the internet from the head office but not from the branch offices. The MPLS network is established through the firewall, as I can access the branch office network behind the firewall from the head office. Below is the configuration for the head office and branch office routers:
Head Office Cisco router:
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.312
description "IP-VPN-12 Mbps"
encapsulation dot1Q 312
ip address 192.168.149.30 255.255.255.252
!
interface GigabitEthernet0/0.340
description "DIA-12 Mbps"
encapsulation dot1Q 340
ip address 37.216.210.14 255.255.255.240
!
interface GigabitEthernet0/1
description "LAN"
ip address 37.216.214.113 255.255.255.252 secondary
ip address 10.10.10.253 255.255.255.0
duplex auto
speed auto
!
router bgp 65000
bgp log-neighbor-changes
network 10.10.10.0
network 10.249.11.0
network 192.168.10.0
network 200.10.0.0
redistribute connected
redistribute static
neighbor 192.168.149.29 remote-as 35819
neighbor 192.168.149.29 password 12345678
neighbor 192.168.149.29 default-originate
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 37.216.208.13
ip route 0.0.0.0 0.0.0.0 10.10.10.254 2
ip route 200.10.0.0 255.255.255.0 10.10.10.254
!
Branch Office Router:
!
interface FastEthernet8
description "LAN CONNECTION"
ip address 10.249.18.254 255.255.255.0 secondary
ip address 200.50.0.254 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0
description "WAN LINK"
ip address 192.168.150.50 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
!
interface GMPLS0
no ip address
no fair-queue
no keepalive
!
router bgp 65000
bgp log-neighbor-changes
network 10.249.18.0
network 200.50.0.0
redistribute connected
redistribute static
neighbor 192.168.150.49 remote-as 35819
neighbor 192.168.150.49 password 12345678
!
ip forward-protocol nd
!
!
no ip http server
ip http access-class 23
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.150.49
!
!
Firewall LAN IP is 10.10.10.254
06-10-2015 02:38 PM
It is a bit more tricky now. How will you advertise the default route to the MPLS provider routers (PEs)? Can your firewalls do BGP? [Before, we did BGP default originate.]
Or maybe at HQ you can ask to do OSPF or something instead? It depends on what your firewall supports. You have it in packet/routing mode rather than transparent/inline mode, so it is difficult.
Correct me if I'm wrong please, you have like this:
Branch --- MPLS --- HQ Firewall --- HQ Router --- Internet
06-10-2015 03:03 PM
Thanks for your reply. We are using a SonicWall firewall at the head office and yes, it can do BGP. Using OSPF will be complicated.
We have this network:
Branch --- MPLS --- Internet --- HQ Router --- HQ Firewall
Our head office router has both MPLS and internet terminated and we have connected its LAN port to our firewall.
06-11-2015 01:52 PM
So everything is still the same? Normally you are meant to have it like this:
Branch --- MPLS --- HQ Router --- HQ FW --- Internet
Since you already have default originate on your HQ router, from your branch office, is it still getting as far as HQ? You need to tell me where your internet is now connected: is it still on your router or has it moved to the firewall?
06-11-2015 02:51 PM
Yes, everything is still the same, except I disabled NAT on the router since we installed the firewall, because it was due to this NAT that internet was working in the branch offices, which you asked me to do in your earlier post. Now, after disabling NAT, internet traffic is reaching the HQ router but not going to the firewall for internet access. I have disabled NAT on the HQ router's MPLS interface. Below is the traceroute result from the branch office. 192.168.149.30 is the HQ router and 192.168.149.29 is the ISP router.
Router#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.150.49 24 msec 4 msec 4 msec
2 192.168.149.29 [AS 35819] 32 msec 32 msec 32 msec
3 192.168.149.30 [AS 35819] 32 msec 32 msec 36 msec
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
Internet is terminated on the router, and on the router LAN interface we assigned the IP address 10.10.10.253 and connected it to the firewall LAN port with IP address 10.10.10.254.
06-11-2015 03:07 PM
So you want internet traffic to reach the HQ router from the branch, and then go through the firewall? But the internet connection is already on the HQ router...
06-11-2015 03:44 PM
The HQ router is connected to the firewall to provide internet access to all users in HO and the branch offices, in order to restrict access to the internet. The internet connection is terminated on the HQ router, but NAT is disabled because of the firewall, so we can't access the internet with private local IPs unless we use a public IP.
Yes, we want internet traffic for the branch offices to go through the firewall. Internet at HO is OK as it is going through the firewall, but we need the same for the branch offices.
06-12-2015 03:12 AM
It is not easily possible. You should terminate the internet connection on the HQ firewall, not the router.
I don't understand why you added these static routes? They do not achieve anything apart from a default route to the firewall:
ip route 0.0.0.0 0.0.0.0 37.216.208.13
ip route 0.0.0.0 0.0.0.0 10.10.10.254 2
ip route 200.10.0.0 255.255.255.0 10.10.10.254
If the firewall has a default route to the router as well, then there is a routing loop: they will send default traffic to each other.
It should be like this:
Branch >> MPLS >> HQ Router >> HQ FW >> INTERNET
The positioning of the firewall at the moment is inappropriate and should be directly connected to internet.
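The routing loop Bilal describes, as an added example that is not part of the thread: a Python static-routing simulator that builds each device's table from the posted routes, then follows next hops from device to device until the packet is delivered, leaves the modelled topology, or revisits a device. The head-office routes and addresses are the ones posted above; the firewall's default route to the router comes from the poster's description. One observation the model makes visible: as posted, the primary default's next hop 37.216.208.13 does not fall inside the GigabitEthernet0/0.340 subnet 37.216.210.0/28 from the same post (whether that is a transcription slip or the live config cannot be told from the thread), so the simulator rejects that route and the floating default via the firewall takes over, which is exactly the loop case. The "recommended" topology is the Branch >> MPLS >> HQ Router >> HQ FW >> INTERNET design from the reply, with the firewall's WAN address and ISP gateway assumed to be the 37.216.210.14/28 and 37.216.210.13 values seen earlier in the thread. The simulator only installs a static route whose next hop is on a directly connected subnet; IOS can also resolve next hops recursively, which this simplification ignores.

```python
import ipaddress


class Device:
    """A router or firewall with connected interfaces and static routes."""

    def __init__(self, name, connected, statics):
        self.name = name
        self.connected = [ipaddress.ip_interface(c) for c in connected]
        self.rejected = []   # statics whose next hop is not on any connected subnet
        self.table = {}      # prefix -> (next_hop, admin_distance); lowest AD wins
        for prefix, nh, ad in statics:
            net, nh = ipaddress.ip_network(prefix), ipaddress.ip_address(nh)
            if not any(nh in c.network for c in self.connected):
                # Simplification: no recursive next-hop resolution, the route is not installed.
                self.rejected.append((str(net), str(nh)))
                continue
            if net not in self.table or ad < self.table[net][1]:
                self.table[net] = (nh, ad)

    def owns(self, addr):
        return any(addr == c.ip for c in self.connected)

    def lookup(self, dst):
        """Longest-prefix match over connected subnets and installed statics."""
        for c in sorted(self.connected, key=lambda c: c.network.prefixlen, reverse=True):
            if dst in c.network:
                return ("connected", dst)
        for net, (nh, _ad) in sorted(self.table.items(), key=lambda kv: kv[0].prefixlen, reverse=True):
            if dst in net:
                return ("static", nh)
        return None


def trace(devices, start, dst):
    """Follow next hops between modelled devices. Outcomes: delivered (on-link),
    exit (next hop is outside the model, e.g. the ISP), drop (no route), loop."""
    dst, path, current = ipaddress.ip_address(dst), [start], devices[start]
    while True:
        hit = current.lookup(dst)
        if hit is None:
            return {"outcome": "drop", "path": path}
        kind, nh = hit
        if kind == "connected":
            return {"outcome": "delivered", "path": path}
        owner = next((d for d in devices.values() if d.owns(nh)), None)
        if owner is None:
            return {"outcome": "exit", "path": path, "next_hop": str(nh)}
        path.append(owner.name)
        if path.count(owner.name) > 1:
            return {"outcome": "loop", "path": path}
        current = owner


def posted_topology():
    """HQ router routes as posted; firewall default to the router as described."""
    hq = Device("hq_router",
                ["192.168.149.30/30", "37.216.210.14/28", "10.10.10.253/24"],
                [("0.0.0.0/0", "37.216.208.13", 1),
                 ("0.0.0.0/0", "10.10.10.254", 2),
                 ("200.10.0.0/24", "10.10.10.254", 1)])
    fw = Device("firewall", ["10.10.10.254/24"], [("0.0.0.0/0", "10.10.10.253", 1)])
    return {d.name: d for d in (hq, fw)}


def recommended_topology():
    """Router defaults to the firewall; the internet (assumed 37.216.210.14/28 with
    gateway 37.216.210.13) is terminated on the firewall."""
    hq = Device("hq_router", ["192.168.149.30/30", "10.10.10.253/24"],
                [("0.0.0.0/0", "10.10.10.254", 1)])
    fw = Device("firewall", ["10.10.10.254/24", "37.216.210.14/28"],
                [("0.0.0.0/0", "37.216.210.13", 1)])
    return {d.name: d for d in (hq, fw)}


if __name__ == "__main__":
    posted = posted_topology()
    print("rejected statics on hq_router:", posted["hq_router"].rejected)
    print("as posted:", trace(posted, "hq_router", "8.8.8.8"))
    print("recommended:", trace(recommended_topology(), "hq_router", "8.8.8.8"))
```

With the posted routes the walk goes hq_router, firewall, hq_router and stops as a loop; with the internet terminated on the firewall it goes hq_router, firewall and exits towards the ISP gateway, so branch traffic that BGP default-originate pulls to HQ is inspected once on its way out.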