Bridging MPLS Link between ISR Router and ASA Firewall

Greetings, I've been wrestling with this for a while now.

We have an MPLS link presented on ethernet coming into the premises. The link is configured as an 802.1q trunk with two vlans: one for a link into the MPLS cloud, let's call it vlan 10, and one vlan which will provide internet services for the business, let's call it vlan 20. A /28 public address block has been allocated for internet access.

The ethernet link terminates on a Cisco 3825 ISR with a 4 port ethernet HWIC installed.

What I would like to do is bridge the internet vlan onto the outside interface of an ASA 5510, then back onto the router, so that internal users can access both internet resources and the MPLS network on a common gateway.

Is this possible with the current hardware setup?

Regards
 

It's easily possible, multiple ways of doing it, easiest is bringing the ISP connection into a switching port on the HWIC, simply sending vlan 10 to the ASA untrust over another switching port, then connecting the trust side to a new vlan30 back on the ISR (another switching interface). Create a routing interface on vlans 20 and 30, either use static routes or OSPF/EIGRP/BGP for a default route to the ASA trust interface. Then use a hardware routing interface on the ISR as the gateway for the LAN.

There are more complex ways involving VRFs I can think of, but unless you have extra requirements they seem needlessly complex...
 
Can you set up a trunk link from the 3825 to your downstream 5510? Then set up logical interfaces on the outside interface of the 5510? Then set the security levels on the logical interfaces? Then connect your internal LAN to the inside interface? Set the default route on the 5510 to be the upstream internet router, and then static routes to your networks on the other side of the MPLS network to the nearest upstream router on that side? Then set up the necessary ACLs? Can't see any obvious reason why that wouldn't work?
 

Needlessly complex though given he has the HWIC (which is basically a 4 port switch)
 
I started to reply then went away from the computer for a mo, by which time you sneaked in your suggestion... which is a much better one! I'm still learning on the whole networking front! :)
 

I'm glad you have it clear in your head; I do find it quite difficult to visualise a scenario without putting it into practice :) So if I've got this straight:

Apologies, also forgot to mention that we will most likely be running BGP on this CE Router.

ASA Outside Interface - 1.1.1.1 255.255.255.0
ASA Inside Interface - 10.171.40.251 255.255.255.0


interface ethernet 0/0
ip address 1.1.1.1 255.255.255.0
nameif outside
security-level 0
!
interface ethernet 0/1
ip address 10.171.40.251 255.255.255.0
nameif inside
security-level 90
!

interface GigabitEthernet0/0
description Connection to Customer Internal Lan
ip address 10.171.40.252 255.255.255.0
media-type rj45
negotiation auto
speed auto
duplex auto
bridge-group 2
!
interface GigabitEthernet0/1
description Connection to MPLS Ethernet Circuit
speed 100
duplex full
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1.10
description Vlan to MPLS Network
ip address 172.18.255.2 255.255.255.252
encapsulation dot1q 10
bridge-group 1
!
interface GigabitEthernet0/1.20
description Vlan to MPLS Internet Service
no ip address
encapsulation dot1q 20
bridge-group 2
!
interface FastEthernet0/0/0
description Connection to ASA Outside Interface
switchport access vlan 20
speed 100
duplex full
!
interface FastEthernet0/0/1
description Connection to ASA Inside Interface
switchport access vlan 10
speed 100
duplex full
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface vlan 10
no ip address
bridge-group 1
!
interface vlan 20
no ip address
bridge-group 2
!
bridge irb
!
bridge 1 protocol ieee
bridge 2 protocol ieee
!
ip route 0.0.0.0 0.0.0.0 10.171.40.251


Is this similar to what you had in mind?

Regards
 
Broadly, I'd bring the MPLS link into the HWIC though (unless it's a Gig circuit) so instead of bridge groups just have ...


Code:
ASA

interface ethernet 0/0
ip address 1.1.1.1 255.255.255.0
nameif outside
security-level 0
!
interface ethernet 0/1
ip address 10.0.0.2 255.255.255.252
nameif inside
security-level 90


ISR

interface GigabitEthernet0/0
description Connection to Customer Internal Lan
ip address 10.171.40.252 255.255.255.0
media-type rj45
negotiation auto
speed auto
duplex auto
!
interface FastEthernet0/0/0
description Connection to MPLS Circuit
switchport mode trunk
switchport trunk allowed vlan 10,20
speed 100
duplex full
!
interface FastEthernet0/0/1
description Connection to ASA Outside Interface
switchport access vlan 20
speed 100
duplex full
!
interface FastEthernet0/0/2
description Connection to ASA Inside Interface
switchport access vlan 30
speed 100
duplex full
!
interface FastEthernet0/0/3
!
interface vlan 10
ip address 172.18.255.2 255.255.255.252
!
interface vlan 20
no ip address
!
interface vlan 30
ip address 10.0.0.1 255.255.255.252
!

ip route 0.0.0.0 0.0.0.0 10.0.0.2

I think that makes sense though it'd be easier to explain what I'm doing there with a diagram in retrospect....

I've also added a /30 for connecting the ASA to the ISR on the inside/trust side as it makes more sense in my head than having the LAN subnet all over the place.
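As an added sanity check for the layout above (example Python written for this page, not anything from the thread or from Cisco): it parses constructed IOS-style snippets modelled on the addressing posted here and verifies the two things that most easily go wrong with a /30 between ASA inside and ISR vlan 30, namely that both ends share one subnet and that the ISR's static default route has a next hop on a directly connected subnet. The interface names, the snippets and the deliberately mistyped variant are all constructed for the example.

```python
import ipaddress
import re

# Constructed IOS-style snippets modelled on the addressing in this thread
# (example data, not the thread's own configs); only the lines needed are kept.
ISR_CONFIG = """
interface GigabitEthernet0/0
 ip address 10.171.40.252 255.255.255.0
interface Vlan10
 ip address 172.18.255.2 255.255.255.252
interface Vlan30
 ip address 10.0.0.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.0.0.2
"""
ASA_CONFIG = """
interface Ethernet0/1
 ip address 10.0.0.2 255.255.255.252
"""
# Constructed slip: ASA inside and ISR next hop typed on a different /30 than
# the ISR's vlan 30 address, the mismatch that silently breaks the default.
ASA_MISTYPED = ASA_CONFIG.replace("10.0.0.2", "10.1.1.2")
ISR_MISTYPED = ISR_CONFIG.replace("0.0.0.0 10.0.0.2", "0.0.0.0 10.1.1.2")

IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+) (\S+)")

def interfaces(config):
    """Map interface name -> IPv4Interface for every addressed interface."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif (m := IP_RE.match(line)) and current:
            result[current] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
    return result

def unreachable_next_hops(config):
    """Static-route next hops on no connected subnet: IOS cannot resolve
    such a route, so it never reaches the routing table."""
    connected = [i.network for i in interfaces(config).values()]
    hops = [ipaddress.IPv4Address(m[3])
            for m in map(ROUTE_RE.match, config.splitlines()) if m]
    return [str(h) for h in hops if not any(h in n for n in connected)]

def same_link(config_a, name_a, config_b, name_b):
    """True when both link ends (ASA inside /30 and ISR vlan 30 here)
    carry distinct addresses in the same subnet."""
    a, b = interfaces(config_a)[name_a], interfaces(config_b)[name_b]
    return a.network == b.network and a.ip != b.ip
```

Run against the mistyped variant, `unreachable_next_hops` returns `['10.1.1.2']` and `same_link` returns False, which is exactly the state that leaves the LAN with no working default route.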
 

Thank you ever so much, I completely missed the point in regards to terminating the trunk on the HWIC card!

Just one query: if I use a /30 between the ASA Inside Interface and the ISR, will I still be able to NAT services to the customer internal LAN on the 10.171.40.0/24 range?

Regards
 
If I've understood this setup correctly then you'll only have two addresses on that network - one for the ISR, and one for the ASA... I think for NAT you would have to do port redirection on the ASA to the internal hosts. This will probably work fine for you, so long as you don't have multiple internal servers running applications using the same port - for example, multiple web servers. You could always increase the size of the network between the two boxes though if you wanted to dedicate addresses for NAT purposes.
 

You'd need to ask somebody who uses an ASA unfortunately; I can create a Netscreen MIP (the same thing basically) to an interface on the internal LAN in the same scenario, so I'd be surprised if not.

Oh, obviously though, if you use static routes the ASA will need a route to the internal LAN subnet via 10.0.0.1
 

No problem, thank you very much for your time.

:)



Very useful, cheers. Need to speak with the client in relation to how many services we're talking about, but it's a good start.
 
Hi guys,

This thread is the only information I can find on my current project too. I am grappling with how to implement it with my current equipment. I have an ASA 5510 and a Cisco 2811 router. The router only has 2 ethernet ports, the rest are VWIC cards, so I only have two ports to work with. I also have an HP 6108 switch which is a layer 3 switch. I want to know if I followed bigredshark's advice above it would work for me, or do I need at least 3 ports on my router...

I have the same 802.1q blended MPLS/internet service over ethernet as Curiosityx.

Any help you guys could give me is much appreciated... :)
 

Greetings, the method I finally used was to install a 4 port HWIC (HWIC-4ESW).

The internet facing vlan was placed into a bridge group; by default all the ethernet ports on the HWIC are members of VLAN 1, which was also added into the same bridge group as the internet facing vlan.

One of the ethernet ports on the HWIC was then connected to the outside interface of the ASA whilst the others were shut down. In our case the internet facing vlan was allocated a /30 netblock; one of the addresses was terminated on the outside of the ASA whilst the other was handled by the ISP. As the circuit was presented on ethernet, ARP could then be used to establish layer 3 connectivity.

I found this method to be more useful as it doesn't require the use of access lists on the router, principally because it is bypassed completely.



Code:
bridge irb
!
bridge 1 protocol ieee
!
interface GigabitEthernet0/0
 description Connection to Internal Lan
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address ************************
!
interface GigabitEthernet0/0.50
 encapsulation dot1Q 50
 ip address ************************
 ip helper-address ************************
!
interface GigabitEthernet0/1
 description Link To MPLS Cloud
 no ip address
 duplex full
 speed 10
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1.1721
 description Internet Facing Vlan
 bandwidth 2048
 encapsulation dot1Q 1721
 bridge-group 1
!
interface GigabitEthernet0/1.1921
 description Mpls Facing Vlan
 bandwidth 6144
 encapsulation dot1Q 1921
 ip address ************************
!
interface FastEthernet0/0/0
 description Link to ASA5510 - Outside
 duplex full
 speed 100
 no cdp enable
!
interface FastEthernet0/0/1
 shutdown
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 shutdown
!
interface Vlan1
 no ip address
 bridge-group 1

Hope this helps

Regards
 
Aaah... so you did need a 3rd port on your router in order to work things out...


Hey, do you have an email address I could send a Visio file to? You mind if you take a look at something I put together?

I cannot test really because it is an environment that is in use...

If not, no biggy. I appreciate all the feedback you have given me so far... :)
 
No problem, drop me an email to extropedia (at) btintenet.com. There are other methods as discussed above using SVIs between vlans but I'll see what can be done with your setup.

Regards
 