Routing remote office to internet problem...

Answered Question
Feb 28th, 2008

Hi,


We have obtained a dedicated link between 2 of our offices and I purchased 2 1811 routers to make the connection. All is working fine for the remote office to access our main office, however the remote office needs to access the internet directly and they cannot access anything beyond our main office. The WAN link is connected using the WAN ports, the remote office is on the VLAN port using IP set of 10.0.8.x. The main office is on the network of 10.0.0.x. The WAN ports are on the IP set of 10.0.1.x. From the remote office I can ping the firewall and the traceroute to the firewall works fine. When I traceroute to the internet from the remote office it stops on the WAN port of the main office router. I created the default route for 0.0.0.0 to the firewall on the router in the main office and all security and NAT is disabled on both routers. Any ideas would be appreciated...


Thanks,


Tom

chuckwilson Thu, 02/28/2008 - 21:23

A. Are you running a routing protocol between the routers; i.e., is there a default route on your remote office router pointing back to the main office?


B. Has outbound access been allowed on the firewall for 10.0.8.x? Does the firewall have a route to 10.0.8.x?


Are there any ACLs on your routers?


Another possibility is the IOS version on your routers. I know this is crazy, but some of the newer boxes with what Cisco calls "ip base" will only route one hop. They are designed for stub networks.

tom.porter Fri, 02/29/2008 - 05:11

A. No, I am not running a routing protocol. There is a default route on the remote office router to the main office.


B. Yes, the packets get out of the remote office router, they get to the external interface of the main office router. The firewall has a route to 10.0.8.x. I can ping the internal interface of the firewall from the remote office from any 10.0.8.x IP...


The IOS version is 12.4(6)T9, Release Software (fc2).


Thanks,


Tom

Correct Answer
rahul0904 Thu, 02/28/2008 - 21:40

Can you provide us with the trace to any internet site? Also, as suggested by Mr. chuckwilson, please check for the default route at the remote office.


Correct Answer
Richard Burts Fri, 02/29/2008 - 14:15

Tom


It is a guess based on what we have been told so far that the issue is most likely an issue on the firewall. There are a couple of things that the firewall needs besides having a route to 10.0.8.0. In particular the firewall needs to have address translation logic that includes that subnet. Can you tell us if the firewall is translating that subnet and has appropriate access rules to allow that subnet out and responses to return?


HTH


Rick

tom.porter Fri, 02/29/2008 - 18:54

I believe so, the address translation is for 10.0.x.x with a mask of 255.255.0.0. I looked into this as well as I suspected this but the translation rules look ok. We are using a Cisco PIX 515E firewall...


Thanks,


Tom

tom.porter Fri, 02/29/2008 - 18:51

Yes,


Our firewall is at 10.0.0.1, the traceroute for that is as follows:

10.0.8.1
10.10.0.1
10.0.0.1

All packets are successful.

To the internet, I get:

10.0.8.1
10.10.0.1 <-- WAN port on main office router.
*
*
*
etc...


My default route in my remote office is to 10.10.0.1, should this be elsewhere?


Thanks,


Tom


tom.porter Fri, 02/29/2008 - 19:58

Thank you all for your help, it looks like you were all right. First I created a network route to the main office. I then created a global route to the main office router. I then started getting errors at my firewall accessing the internet and I found the mask that was blocking that. I corrected that and it started working ok, thank you...


Tom
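
The three firewall-side conditions raised in this thread for 10.0.8.x (a route back to the subnet, address translation that includes it, and an access rule that lets it out) can be checked mechanically, including a mask that does not cover the subnet. This is an added example, not part of the thread or Tom's configuration: the PIX-style lines, the next hop 10.0.0.2 and the ACL name inside_out are constructed, and the too-narrow ACL mask is an assumption chosen for illustration.

```python
import ipaddress

# Constructed PIX-style lines (not the real config from the thread). The NAT
# rule uses the 255.255.0.0 mask quoted above; the ACL mask is deliberately
# too narrow so the audit has something to flag.
SAMPLE_CONFIG = """\
route inside 10.0.8.0 255.255.255.0 10.0.0.2 1
nat (inside) 1 10.0.0.0 255.255.0.0
access-list inside_out permit ip 10.0.0.0 255.255.255.0 any
"""

def _net(addr, mask):
    # PIX rules use dotted netmasks; ipaddress accepts "addr/netmask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_rules(config):
    """Collect the inside networks named by route, nat and permit-ip lines."""
    rules = {"route": [], "nat": [], "acl": []}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["route", "inside"] and len(tok) >= 5:
            rules["route"].append(_net(tok[2], tok[3]))
        elif tok[:2] == ["nat", "(inside)"] and len(tok) >= 5:
            rules["nat"].append(_net(tok[3], tok[4]))
        elif tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            if tok[4:5] == ["any"]:          # source "any" covers everything
                rules["acl"].append(ipaddress.ip_network("0.0.0.0/0"))
            elif len(tok) >= 6:
                rules["acl"].append(_net(tok[4], tok[5]))
    return rules

def audit_subnet(config, subnet):
    """For each requirement, is the whole subnet covered by at least one rule?"""
    target = ipaddress.ip_network(subnet)
    return {kind: any(target.subnet_of(n) for n in nets)
            for kind, nets in parse_rules(config).items()}

if __name__ == "__main__":
    for kind, ok in audit_subnet(SAMPLE_CONFIG, "10.0.8.0/24").items():
        print(f"{kind:5} covers 10.0.8.0/24: {'yes' if ok else 'NO'}")
```

A subnet that fails any one of the three checks can still ping the firewall's inside interface, which matches the symptom described in the thread.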

Richard Burts Sat, 03/01/2008 - 09:34

Tom


I am glad that you got it working. Thank you for posting back to the forum to indicate that the problem was solved and how you solved it (and thanks for rating responses). It makes the forum more useful when people can read about problems and can read what was done to resolve the problem.


The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.


HTH


Rick
