3773 Views | 0 Helpful | 4 Replies

How to route Internet traffic through MPLS

rupertf (Level 1)

Hi Everyone,

Can someone please help me with the following situation urgently?

I am working for a company based in Sydney, Australia. The company recently opened an office in London, UK, therefore we are going to get a leased line based on MPLS.

We were advised that the Customer Edge router will be a CISCO1941/K9. We want our UK client to access our web-based applications via the MPLS network instead of the Internet. The UK office is using BT Business ADSL with 5 static IP addresses (please note the modem IP address is actually dynamic). We are going to get a Cisco 857/K9 router which will be used as the entry point for the UK client to access the MPLS network. My question is how do I configure the Cisco 857 router to allow one of the public IPs to access the MPLS network. It appears that there are two options, and I am not sure if this is going to work or which one works better. I have attached two diagrams for clarification of my case.

Option 1

Cisco WAN interface gets a dynamic IP (PPPoA) from BT

LAN interface (4 port) gets the assigned 5 static IP addresses

One of the five IPs (217.xx.xx.169) will be assigned to FE1 (Cisco 1941); any traffic to 217.xx.xx.169 will be routed to the WAN interface of the Cisco 1941 to access the Sydney service (located in the Sydney LAN, mostly http and https traffic)

One of the five IPs, 217.xx.xx.170, will be assigned to the WAN interface of the Sonicwall firewall router, which also serves as the Internet access gateway for LAN users. All traffic destined for the Sydney LAN will be using FE0 (Cisco 1941) as gateway

Option 2

Cisco WAN interface gets a dynamic IP (PPPoA) from BT

LAN interface (4 port) will get 192.168.0.1; the Cisco 857 router will be the default gateway for LAN users, using one-to-many NAT and also one-to-one NAT. One of the five IPs (217.xx.xx.169) will be forwarded to FE0 (Cisco 1941); any traffic to 217.xx.xx.169 will be routed to the WAN interface of the Cisco 1941 to access the Sydney service (located in the Sydney LAN, mostly http and https traffic)

Many thanks,

Rupert

4 Replies

milan.kulik (Level 10)

Hi,

why don't you simply interconnect your offices through MPLS using private IP addresses?

All you might need then would be an internal DNS server translating "internal" server names to their private IP addresses.

IMHO, that would be much easier than complicated routing/NATing while using public IP addressing.

HTH,

Milan

Hi Milan,

Thank you for your quick response. The inter-office will be through MPLS using private IP address. Apart from our UK staff to use the MPLS, we also want our UK client to use MPLS as soon as the client connect to one particular IP address, that's why I am not sure which is the best way to route it.

Thanks,

Rupert

Hi Rupert,

none of your scenarios is 100% clear to me from the NATing and routing-back-to-London points of view.

As you have a FW in London involved, why don't you configure NATing necessary on the FW?

You could configure the FW to accept the packets with 217.xx.xx.169 destination address and forward them to Sydney using private source and destination addresses with no routing changes necessary.

(I've done something similar in the past on a Checkpoint FW.)

BTW, this is not a good idea from a security point of view: traffic coming from the Internet should not be sent to your internal servers directly, it should be terminated in a DMZ only.

But my understanding is you want to permit that anyway?

HTH,

Milan
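Rupert's Option 2 (the 857 as the LAN default gateway, one-to-many NAT for staff plus a one-to-one forward of 217.xx.xx.169 to the CE router) and Milan's suggestion to accept packets for 217.xx.xx.169 and forward them towards Sydney describe the same kind of configuration. Below is an added worked example of it for the Cisco 857 in IOS syntax; it is not Rupert's, Milan's or Cisco's config and is not from this thread. Everything concrete in it is an assumption: BT's PVC 0/38, PPPoA with CHAP, the CHAP credentials as placeholders, a LAN of 192.168.0.0/24 with the 857 at 192.168.0.1, the CE router's FE0 at 192.168.0.2, and 217.0.0.169 standing in for the redacted 217.xx.xx.169. It also assumes an IOS image that supports `ip inspect` (CBAC), which the 857 advanced-security images do.

```cisco
! Added example, not the poster's configuration. Placeholder/assumed values:
!   PVC 0/38 and PPPoA/CHAP are typical for BT ADSL (assumed)
!   BT_USERNAME_PLACEHOLDER / BT_PASSWORD_PLACEHOLDER: real CHAP credentials go here
!   192.168.0.0/24 = office LAN, 192.168.0.1 = this 857, 192.168.0.2 = CE (1941) FE0
!   217.0.0.169 = placeholder for the public address 217.xx.xx.169 from the thread
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 description BT Business ADSL, PPPoA, negotiated (dynamic) address
 ip address negotiated
 ip access-group FROM-INTERNET in
 ip nat outside
 ip inspect OUTBOUND out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname BT_USERNAME_PLACEHOLDER
 ppp chap password BT_PASSWORD_PLACEHOLDER
!
dialer-list 1 protocol ip permit
!
interface Vlan1
 description Office LAN: staff, Sonicwall and the CE router's FE0 sit here
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! One-to-many NAT (PAT): LAN users share the negotiated Dialer0 address.
ip access-list extended NAT-INSIDE
 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Dialer0 overload
!
! One-to-one forward, narrowed to the two services the thread names (http/https).
! BT routes the static block to the PPP session, so packets for 217.0.0.169
! arrive on Dialer0 and are rewritten to the CE router's LAN address before routing.
ip nat inside source static tcp 192.168.0.2 80 217.0.0.169 80 extendable
ip nat inside source static tcp 192.168.0.2 443 217.0.0.169 443 extendable
!
! CBAC watches LAN-originated sessions leaving Dialer0 and opens the return
! path through FROM-INTERNET dynamically, so the inbound list can stay closed.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Inbound filter on the ADSL side. It is checked before NAT, so it matches the
! public destination. Only the forwarded ports reach the CE address; everything
! else that is not a CBAC-tracked reply is dropped and logged.
ip access-list extended FROM-INTERNET
 permit tcp any host 217.0.0.169 eq 80
 permit tcp any host 217.0.0.169 eq 443
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
```

Two things to check after applying it. `show ip nat translations` should show the two static entries for 217.0.0.169, and `show ip access-lists FROM-INTERNET` shows the hit counters on the permit and deny lines. The point Milan raises about routing back to London still applies: this only rewrites the destination, so the Sydney server sees the UK client's public source address and the Sydney side must route that address back over MPLS to the CE (or the CE/firewall must also translate the source), otherwise replies leave via Sydney's own Internet link and the session never completes. His DMZ remark also stands: the host at 192.168.0.2 is the only thing reachable from outside, and on the Sydney end the forwarded traffic should land in a DMZ rather than on internal servers.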

Hi Milan,

Thank you for your suggestion. That is what I meant to do originally. However, due to British Telecom using PPPoA as the authentication type, the FW can only take one public IP address; the only option will be using port forwarding from the FW to the Customer Edge (CE) router's LAN IP address. We are going to try to see if we can configure the Cisco 857 router in pure bridge mode, trying to use the FW's PPPoE as the authentication type. If it succeeds, that means that the FW gets 5 public addresses, then we will have no problem doing NATing to route the particular IP address to the CE's LAN IP address. This is the best option, as indicated, without compromising security.

Thank you once again for your input.

Rupert
