Solved: Internet traffic over bgp

catahoula · ‎02-26-2010

I have a network in a remote location connected via BGP. There normal network traffic is working fine but I can't get internet traffic to respond over the bgp network.

I was trying to traceroute an internet site with no luck. After reading, I've added the statement 'Network 0.0.0.0' to my local router bgp entry. This allows the far end to traceroute to my local router but the packets are dropping here on the outside interface.

I'm at a loss what is needed next. Hoping for quick response today. Below is config section of the two routers.

Far end 7206
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 10.160.128.0 mask 255.255.255.0
network 10.160.129.0 mask 255.255.255.0
redistribute connected
redistribute eigrp 1
neighbor 12.112.236.233 remote-as 7018
neighbor 12.112.236.233 weight 65535
distribute-list 10 out
no auto-summary
!
ip forward-protocol nd
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 10.160.8.206 2055
!
no ip http server
no ip http secure-server
!
!
!
ip access-list extended mpls_out
access-list 10 permit 10.160.15.86
access-list 10 permit 10.160.136.0 0.0.0.255
access-list 10 permit 10.160.128.0 0.0.0.255
access-list 10 permit 10.160.129.0 0.0.0.255
access-list 10 permit 10.160.15.84 0.0.0.8
access-list 10 deny any

#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "bgp 65001", distance 20, metric 0, candidate default path
Tag 7018, type external
Redistributing via eigrp 1
Advertised by eigrp 1 metric 4500 10 255 1 1500
Last update from 12.112.236.233 00:43:00 ago
Routing Descriptor Blocks:
* 12.112.236.233, from 12.112.236.233, 00:43:00 ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
      Route tag 7018

Near end 7206 - inside interface is on network 10.160.8.0 with firewall
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 0.0.0.0
redistribute eigrp 1
neighbor 12.84.94.161 remote-as 7018
neighbor 12.84.94.161 weight 65535
distribute-list 10 out
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.160.8.5
no ip http server
no ip http secure-server
!
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 10.160.8.206 2055
!
!
logging alarm informational
access-list 10 deny   10.160.15.86
access-list 10 deny   10.160.136.0 0.0.0.255
access-list 10 deny   10.160.128.0 0.0.0.255
access-list 10 deny   10.160.129.0 0.0.0.255
access-list 10 permit any

sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0, candidate default path
Redistributing via eigrp 1
Advertised by eigrp 1
bgp 65001
Routing Descriptor Blocks:
* 10.160.8.5
Route metric is 0, traffic share count is 1

Giuseppe Larosa · ‎03-04-2010

Hello Catahola,

your remote site is using RFC1918 ip addresses (10.160.x.y)

at near site connected to the internet the FW needs to NAT ip addresses belonging to these ip addresses to IP addresses of your public block in order to sent out packets to the internet and what is more important to receive answers back.

None, unless misconfigured, answers back to a private ip address over the public internet.

So your issue is not a BGP issue but you probably need to update NAT configuration of your firewall.

Unless far end site has its own internet access.

The firewall needs also static routes to know how to route traffic to remote site IP subnets in addition to NAT

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎03-04-2010