Trouble routing internet traffic through WAN

larry
Level 1

One of my network locations is losing their direct internet connection and I need to keep them up by routing all of their internet traffic to a second location that has internet connectivity. The two networks are connected via T1 lines.

The two Cisco routers are connected via their own network: 10.1.10.5 (remote) and 10.1.10.6 (local). The remote network is 10.1.1.0 and the local network is 10.1.2.0.

I modified the internet route from 0.0.0.0 0.0.0.0 10.1.2.6 (local firewall) to 10.1.10.5 (remote router), but all internet traffic stops at 10.1.10.5. The remote router has a route for internet traffic directing it to the remote firewall, but for some reason it stops at the router.

What am I missing?


Jon Marshall
Hall of Fame

Does the remote firewall have a route back to the source network?

Perhaps a quick schematic of the connectivity would help.

Jon

Giuseppe Larosa
Hall of Fame

Hello Larry,

You need to provide return path routes on the site with internet access.

And you need to modify NAT rules to allow packets with source 10.1.1.0 to be translated to access the internet.

Hope to help

Giuseppe

Hello and thanks for the reply. There are return routes already in place between the 10.1.1.0 network and 10.1.2.0 network. For some reason, though, the packets just stop at the router network 10.1.10.5.

Here are the routes from the config:

Local side...

!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.10.5
ip route 10.1.1.0 255.255.255.0 10.1.10.5
no ip http server
!

Remote side

!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.6
ip route 10.1.2.0 255.255.255.0 10.1.10.6
no ip http server
!

I know that the first config seems redundant with both routes going to 10.1.10.5, but I changed the internet route from going to the local firewall at 10.1.2.6 and kept the second route while I troubleshoot. Once the packets got to 10.1.10.5 on the remote end, I thought the remote route for internet traffic would send it to 10.1.1.6 (the remote firewall), but it doesn't.

Hi:

Does the FW have a route back to the 10.1.2.0/24 network?

Traffic originates on 10.1.2.0 at the local router. The local router uses the default to get to the remote router. Then the remote router defaults to the FW.

The FW will PAT the traffic and forward out to the Internet.

The FW will receive return traffic destined for the PAT address and perform the translation to forward to the internal host that sits on 10.1.2.0.

Does it know how to get back there?

SIDE NOTE: As a quick aside, I wonder if your FW is even forwarding the traffic out. It may only have a PAT overload statement that points to/calls an ACL that only includes the source network at the remote site and not the network at the local site, since the local site was designed to use its own Internet connection. Just a thought...

But even if the FW does successfully PAT 10.1.2.0 traffic to a public IP, it will build that NAT translation - and on the return it will need to have a route back to the internal network.

HTH

Victor
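The two firewall questions raised in the replies above (is 10.1.2.0 covered by the PAT ACL, and does the firewall have a route back to it), worked through as an added example that is not part of the thread. The router routes are the ones posted; the firewall route table, the PAT source list, the "connected" entries, the router LAN address 10.1.1.1 and the host addresses are constructed assumptions.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: next hop for dst, or None when no route matches."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

# Static routes as posted in the thread ("connected" entries are assumed).
LOCAL_RTR = {"0.0.0.0/0": "10.1.10.5", "10.1.1.0/24": "10.1.10.5",
             "10.1.2.0/24": "connected"}
REMOTE_RTR = {"0.0.0.0/0": "10.1.1.6", "10.1.2.0/24": "10.1.10.6",
              "10.1.1.0/24": "connected"}

REMOTE_RTR_LAN = "10.1.1.1"  # hypothetical: remote router's LAN address

# Constructed firewall state: built for the remote site only, then corrected.
FW_BEFORE = {"0.0.0.0/0": "outside", "10.1.1.0/24": "connected"}
PAT_BEFORE = ["10.1.1.0/24"]
FW_AFTER = {**FW_BEFORE, "10.1.2.0/24": REMOTE_RTR_LAN}
PAT_AFTER = PAT_BEFORE + ["10.1.2.0/24"]

def forward_path(dst):
    """Next hops an internet-bound packet from 10.1.2.0 takes, router by router."""
    return [lookup(LOCAL_RTR, dst), lookup(REMOTE_RTR, dst)]

def diagnose(src, fw_routes, pat_sources):
    """Problems the firewall would have serving an inside host at src."""
    addr, problems = ipaddress.ip_address(src), []
    if not any(addr in ipaddress.ip_network(n) for n in pat_sources):
        problems.append("source not matched by PAT ACL")
    # Replies must go back inside, not follow the default route to the ISP.
    if lookup(fw_routes, src) not in ("connected", REMOTE_RTR_LAN):
        problems.append("no inside return route")
    return problems

if __name__ == "__main__":
    print(forward_path("198.51.100.10"))
    print(diagnose("10.1.2.50", FW_BEFORE, PAT_BEFORE))
    print(diagnose("10.1.2.50", FW_AFTER, PAT_AFTER))
```

The forward path reaches the firewall with the posted routes alone; both reported problems sit on the firewall, which the router configs cannot show.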
