INTERNET ACCESS FROM REMOTE BRANCHES

tomocisco
Level 1

Hi everybody! It's nice to know that I can connect to a network of professionals such as this one who are always ready to offer solutions to problems.

I recently posted a conversation on configuring a Cisco 871 for internet access and I got my problem resolved because my company LAN can now browse the internet.

The next challenge facing me now is how to get our remote branches to access the internet.

From the configuration I have, I can ping my ISP gateway (router) from the remote branch. I can even ping public IP addresses such as www.yahoo.com and www.google.com. But still no system from the branch office can access the internet. All the systems in the branch office, however, can access all the systems in the head office, and they are joined to the same domain as the head office systems.

Since I can reach my ISP from the router (by ping command), could it be that this problem is a Windows-related one, or is it a configuration problem?

Below is the config of my branch office router.

show run

Building configuration...

Current configuration : 3272 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Oliverouter
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
aaa new-model
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
resource policy
clock timezone PCTime 1
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip cef
no ip bootp server
ip domain name olivemfb.com
ip name-server 172.20.x.y
ip name-server 172.20.x.z
ip name-server 77.220.x.y
ip name-server 77.220.y.x
interface Null0
 no ip unreachables
interface FastEthernet0/0
 description $LAN Interface$
 ip address 172.25.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
interface FastEthernet0/1
 description $WAN FW_OUTSIDE$
 ip address 172.30.1.2 255.255.255.0
 ip access-group sdm_fastethernet0/1_in in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.1.1 permanent
ip route 172.20.1.0 255.255.255.0 172.30.1.1 permanent
ip route 172.25.0.0 255.255.0.0 172.30.1.1 permanent
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip access-list extended sdm_fastethernet0/1_in
 remark SDM_ACL Category=1
 permit ip 172.20.1.0 0.0.0.255 172.25.2.0 0.0.0.255 log
 permit ip 172.25.0.0 0.0.255.255 172.25.2.0 0.0.0.255 log
 deny ip any 172.25.2.0 0.0.0.255 log
logging trap debugging
access-list 100 remark mile12toho
access-list 100 remark SDM_ACL Category=4
access-list 100 remark Traffic from mile 12 to headoffice
access-list 100 permit ip 172.25.2.0 0.0.0.255 172.20.1.0 0.0.0.255 log
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 172.25.0.0 0.0.255.255 172.20.1.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 172.20.1.0 0.0.0.255 172.25.0.0 0.0.255.255 log
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 172.25.0.0 0.0.255.255 172.25.2.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 deny ip any 172.25.2.0 0.0.0.255 log
no cdp run
control-plane
n authorized user!^C
line con 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet
line vty 5 15
 authorization exec local_author
 login authentication local_authen
 transport input telnet
scheduler allocate 20000 1000
end


12 Replies

John Blakley
VIP Alumni

What are you getting when you try to browse? What are your DNS settings on the workstation? Are you using DHCP?

John

HTH, John *** Please rate all useful posts ***

Thomas

I believe that your problem is in your inbound access list:

ip access-list extended sdm_fastethernet0/1_in

remark SDM_ACL Category=1

permit ip 172.20.1.0 0.0.0.255 172.25.2.0 0.0.0.255 log

permit ip 172.25.0.0 0.0.255.255 172.25.2.0 0.0.0.255 log

deny ip any 172.25.2.0 0.0.0.255 log

There is not anything in this access list that would permit incoming traffic that originated in the Internet. You can not browse the Internet if no response can get back to you. I suggest that the access list needs to be re-written to permit traffic originating from the Internet.

HTH

Rick


Hi Rick

Thanks for your contribution.

Please can you write some sample access-list statements I can add to permit traffic originating from the internet.

I appreciate your time to attend to me.

Tom

Tom

Before I can suggest a good sample access-list statement there is an issue that must be resolved. An access list is configured to implement some policy. Some policies are relatively broad in what they permit and some are quite restrictive. Your current access list reflects a very restrictive policy. The policy restricts access to the local subnet (172.25.2.0/24) to only 2 specific subnets (172.20.1.0/24 and 172.25.0.0/16) and denies any other access. That policy does not include any Internet access. So if you are going to add Internet access then the policy must change. But what should the new policy be? Will it be a broad permit any Internet traffic? Or will it be somewhat restrictive in what is to be permitted? Once we know what the new policy should be then we can produce sample access-list statements.

HTH

Rick


Hi Rick,

Thanks for your response. You are right, our policy is very restrictive due to our job nature. But we intend to loosen up a bit and allow for Internet access. For now we want a broad permit any Internet traffic. With time we will monitor the nature of traffic we are having and know whether to disallow access to specific sites and what to allow.

I will appreciate it if I will have access list statements that will help me achieve that.

Thanks

Tom

If you want to loosen up a bit the first thing that you need to do is to remove this line from the access list:

deny ip any 172.25.2.0 0.0.0.255 log

since it denies traffic from anywhere to destinations in the local LAN.

Beyond that it is a bit difficult to know what you should do. The suggestion from John about permit tcp any any established would allow responses incoming for tcp sessions established by users on the local LAN without permitting traffic initiated from the Internet. But it does not do anything for ICMP or for UDP. So perhaps the thing to do would be to add this line to the access list which will permit everything:

permit ip any any

And one could then ask, since everything is permitted, whether you need the access list on the interface at all, since it is not denying any traffic.

HTH

Rick


When I try to browse the system will show that the server cannot be found. The DNS settings I am using on the workstation are the DNS servers we have at our head office LAN. I even tried to add the DNS address of our ISP directly to the system but still no improvement.

I am not using DHCP.

Try to put this in your existing acl:

permit tcp any any eq established

Put it before your deny statement.

Let me know if that helps!

John

HTH, John *** Please rate all useful posts ***

Hi John,

I added that but got an error message, so I added this:

permit tcp any any eq www established log

But still I could not browse from any of the systems. (NB I can ping any public address on the Internet from the router but not from the end systems.)

Thanks

Do you get any hits on the line when you try to go out? You may want to try Rick's suggestion about adding "permit ip any any log" to your public ACL, and then I would remove your ACL that's applied to the internal interface (if there is one). Also, can you do a "sh xlate" and post a few lines from that?

--John

HTH, John *** Please rate all useful posts ***

Tom

If you change John's suggestion from

permit tcp any any eq established

to

permit tcp any any established

then it should work. And the line as you added it should work for normal HTTP (but not HTTPS).

If you can ping public addresses from the router but not from end systems it suggests that the problem is that outside does not have a route back to the source. One thing that would cause this symptom is if the source addresses (from the branch LAN) were not being translated when they go out to the Internet. If the network was not previously set for Internet access then it is likely that there is no translation for the branch addresses.

Can you check and see if there is any address translation for the branch addresses as they go to the Internet?

HTH

Rick

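As an added illustration, not code from the thread or from Cisco, here is a small Python model of first-match ACL evaluation that shows what Rick's `permit tcp any any established` line does and does not let back in through FastEthernet0/1, and why it does nothing for UDP replies. The rule list mirrors the posted sdm_fastethernet0/1_in ACL; the sample packets, the inside host 172.25.2.50 and the outside address 203.0.113.10 are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack_or_rst: bool = False  # TCP ACK or RST bit set; this is all "established" tests

@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp", "udp" or "icmp"
    src: str                  # prefix such as "172.20.1.0/24", or "any"
    dst: str
    established: bool = False

def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)

def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
        return False
    return _in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for rule in acl:
        if _matches(rule, pkt):
            return rule.action
    return "deny"
# The thread's sdm_fastethernet0/1_in list, wildcard masks written as prefixes.
ORIGINAL_ACL = [
    Rule("permit", "ip", "172.20.1.0/24", "172.25.2.0/24"),
    Rule("permit", "ip", "172.25.0.0/16", "172.25.2.0/24"),
    Rule("deny", "ip", "any", "172.25.2.0/24"),
]
# Rick's corrected line, placed ahead of the deny as John suggested.
ESTABLISHED = Rule("permit", "tcp", "any", "any", established=True)
WITH_ESTABLISHED = ORIGINAL_ACL[:2] + [ESTABLISHED] + ORIGINAL_ACL[2:]
# Constructed inbound packets; 203.0.113.10 is a documentation address for an Internet host.
HTTP_REPLY = Packet("tcp", "203.0.113.10", "172.25.2.50", ack_or_rst=True)
OUTSIDE_SYN = Packet("tcp", "203.0.113.10", "172.25.2.50")  # new session from outside
DNS_REPLY = Packet("udp", "203.0.113.10", "172.25.2.50")    # UDP: "established" cannot help

def compare() -> dict:
    samples = {"http_reply": HTTP_REPLY, "outside_syn": OUTSIDE_SYN, "dns_reply": DNS_REPLY}
    return {k: (evaluate(ORIGINAL_ACL, p), evaluate(WITH_ESTABLISHED, p)) for k, p in samples.items()}
```

Even once the return traffic is permitted, a reply addressed to a private 172.25.2.x host can only arrive if the branch addresses are translated on the way out, which is the NAT check Rick asks about.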

Hi Rick

Thanks so much.

I will try this out and I will get back to you when it works.

Tom
