04-30-2015 10:12 AM - edited 03-05-2019 01:22 AM
Hi Experts,
I need your help.
We have two branch offices, and we are using a private MPLS network to connect the branch offices and the headquarters office. Each office has a Cisco ASA 5512-x installed and has its own internet access. We also use VoIP.
My question is
For all internet requests at each office, they should go through their own internet access, and data/VoIP traffic must go through MPLS. How can I configure the Cisco ASA to do that?
Thanks a lot for your help.
Kevin
04-30-2015 06:31 PM
This discussion has been posted to the Wan, Routing, and Switching community.
05-01-2015 03:33 AM
Do both connections ie. MPLS and internet terminate on the ASA ?
Jon
05-01-2015 07:17 AM
05-01-2015 07:24 AM
Kevin
It depends on whether the ASA is receiving routes for the MPLS networks.
If it is then as suggested by dhopfmueller you can simply have a default route pointing to the internet router.
If the ASA isn't receiving routes from the MPLS router then assuming you are using private IP addressing you could have a single summary route on the ASA covering all the remote networks pointing to the MPLS router which should work fine.
Are you wanting to use the internet as a backup in case of MPLS failure eg. a VPN ?
Jon
05-01-2015 07:54 AM
Hi Jon,
Yes, the internet will be as a backup in case of MPLS failure.
Will the following routing configuration work?
route outside 0.0.0.0 0.0.0.0 172.29.71.2 eq www (172.29.71.2 is the ip address on ISP router)
route outside 0.0.0.0 0.0.0.0 172.29.72.2 (172.29.72.2 is IP address on MPLS CE)
route inside 0.0.0.0 0.0.0.0 172.29.70.1 (172.29.70.1 is IP address on internal router)
Thanks,
Kevin
05-01-2015 08:13 AM
You can't have multiple default routes pointing to different next hops otherwise the ASA won't know where to send the right traffic to.
Your default route should be point to the ISP router.
You then need a route or routes pointing to the MPLS router for the remote networks ie. your other sites.
If you have multiple internal networks behind the ASA inside interface you also need routes for those.
If you want to use the internet as backup then it depends on what you are trying to protect against ie.
if you are simply trying to use the backup when the local MPLS router or its connection fails, then you can use a static route (or routes) on the ASA and track them.
If you want to use the VPN when a remote site fails, ie. to get to that site, then it would be much better if you used a dynamic routing protocol over your MPLS network and had the ASA receive these routes. Then, if the remote site fails, you no longer receive those routes and the default route via the ISP is used, ie. the VPN.
Really depends on what you are trying to do.
Jon
05-01-2015 08:40 AM
My confusion is how I configure the ASA at the branch office to separate the internet traffic and the data/VoIP traffic, and direct internet traffic to go only through its internet connection while data/VoIP traffic goes through the MPLS connection. Could you give an example of the configuration using my topology, please?
For VPN backup, OSPF routing is planned to be used over the MPLS network; will it do the job?
Thanks a lot,
Kevin
05-01-2015 08:47 AM
Are you going to be using OSPF between the MPLS router and the ASA ?
If so you simply need a static default route on the ASA pointing to the ISP router.
The ASA will have more specific OSPF routes for your MPLS networks.
If you aren't running OSPF to the ASA then what is -
1) the internal range of subnets behind the ASA inside interface
and
2) what are the remote MPLS ranges ie. no need to list them all but what IP addressing are you using ?
Jon
05-01-2015 09:25 AM
Yes, OSPF will be used between the MPLS router and the ASA.
So will the following configuration work:
route outside 0.0.0.0 0.0.0.0 172.29.71.2
route inside 10.10.40.0 255.255.255.0 172.29.72.2
route inside 20.20.20.0 255.255.255.0 172.29.72.2
All traffic for voip at another branch office (10.10.40.0/24) and data (20.20.20.0/24) will go through MPLS router, and all other traffic will go through ISP router?
There are three local data LAN / VoIP segments:
Branch office 1: 10.10.10.0/24 VoIP 192.168.70.0/24 Data
Branch office 2: 10.10.20.0/24 VoIP 192.168.80.0/24 Data
Branch office 3: 10.10.30.0/24 VoIP 192.168.90.0/24 Data
Also I have xx.xx.xx.33/29 public IP address ranges for each office from the ISP.
Thanks,
Kevin
05-01-2015 09:55 AM
That should work fine as long as the ASA receives the OSPF routes, because it will only use the default route for any traffic it doesn't have a more specific entry in its routing table for.
And it should have more specific entries for all the MPLS networks.
Jon
05-01-2015 10:02 AM
Hi Jon,
Thank you so much.
Another question: do I need to use OSPF authentication when I configure OSPF on the ASA?
Kevin
05-01-2015 10:10 AM
I'm not aware that you have to use it in order for it to work but I could be wrong.
Really up to you but considering it is your firewall you may want to consider it.
Jon
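The design Jon describes (one default route to the ISP, OSPF-learned routes from the MPLS CE for the remote sites, MD5 authentication on the OSPF adjacency), written out as an added example branch-office ASA configuration that is not from this thread. Next-hop addresses are the ones Kevin posted; the interface names, the ASA's own addresses, the /30 link masks and the OSPF key are assumptions.

```cisco
! Added example: branch office 1 ASA. Interface names, ASA-side addresses and the
! OSPF key are assumed; next hops 172.29.71.2 (ISP), 172.29.72.2 (MPLS CE) and
! 172.29.70.1 (internal router) are from the thread.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.29.71.1 255.255.255.252
interface GigabitEthernet0/1
 nameif mpls
 security-level 50
 ip address 172.29.72.1 255.255.255.252
 ! Authenticate the adjacency so only a peer holding the key can hand the
 ! firewall routes for the remote sites.
 ospf authentication message-digest
 ospf message-digest-key 1 md5 <SHARED-KEY-PLACEHOLDER>
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 172.29.70.2 255.255.255.252
!
! Exactly one default route: anything without a more specific entry (internet
! traffic) goes to the ISP router.
route outside 0.0.0.0 0.0.0.0 172.29.71.2 1
! Local VoIP and data LANs sit behind the internal router, so the ASA needs
! routes to them (Jon's point about internal networks behind the inside interface).
route inside 10.10.10.0 255.255.255.0 172.29.70.1 1
route inside 192.168.70.0 255.255.255.0 172.29.70.1 1
!
! Advertise only the two local LANs into OSPF; never let the default route or
! the transit links leak towards the MPLS cloud.
prefix-list LOCAL-LANS seq 5 permit 10.10.10.0/24
prefix-list LOCAL-LANS seq 10 permit 192.168.70.0/24
route-map LOCAL-LANS-TO-OSPF permit 10
 match ip address prefix-list LOCAL-LANS
!
! Remote-site prefixes (10.10.20.0/24, 192.168.80.0/24, ...) arrive via OSPF and
! are more specific than 0.0.0.0/0, so VoIP/data follow the MPLS path. If the
! CE or the far site goes down, those routes are withdrawn and the default
! route (the VPN over the internet) takes over automatically.
router ospf 1
 network 172.29.72.0 255.255.255.252 area 0
 area 0 authentication message-digest
 redistribute static subnets route-map LOCAL-LANS-TO-OSPF
 log-adj-changes
```

Because mpls sits at a lower security level than inside, traffic initiated from the remote sites still needs an access-list applied to the mpls interface before it can reach the local LANs; verify the result with show ospf neighbor and show route, where the remote /24s should appear as OSPF entries above the single static default.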
05-01-2015 10:17 AM
Great. Thank you so much, Jon. Your help is very appreciated.
Kevin
05-01-2015 10:20 AM
No problem, glad to have helped.
Jon