Re: remote offices have no internet access - Page 2

fretburner · ‎02-03-2009

Hello,

I have a bit of a problem. Up until today, we had RIP running on our PTP and frame routers. I migrated to EIGRP and internally everything looks fine, and all devices can contact each other. The only issue I have is a few of our remote offices can not access the internet.

The office affected are the ones directly connected to our main router. The main site has no issues with internet either.

Packets just seem to get to the main router and get dropped.

Here is the main routers config. Some has been edited to fit the post.

interface FastEthernet0/0

description connected to EthernetLAN_1

ip address 192.168.0.254 255.255.255.0

ip policy route-map WWW_Traffic

speed auto

full-duplex

no cdp enable

!

interface Serial0/0

description connection to village

ip address 192.168.108.2 255.255.255.0

no ip mroute-cache

!

interface Serial0/1

description connection to east

ip address 192.168.102.2 255.255.255.0

no ip mroute-cache

fair-queue

!

interface Serial0/1.4

!

interface Serial1/0

description connection to warehouse

ip address 192.168.104.2 255.255.255.0

!

interface Serial1/1

no ip address

encapsulation frame-relay

no fair-queue

frame-relay lmi-type ansi

!

interface Serial1/1.1 point-to-point

ip address 192.168.205.2 255.255.255.0

!

interface Serial1/1.2 point-to-point

description connection to East Hampton

ip address 192.168.105.2 255.255.255.0

frame-relay interface-dlci 17

!

interface Serial1/1.3 point-to-point

description connetcion to watermill

ip address 192.168.103.2 255.255.255.0

frame-relay interface-dlci 18

!

interface Serial1/1.4 point-to-point

description connetcion to tutto

ip address 192.168.110.2 255.255.255.0

frame-relay interface-dlci 19

!

interface Serial1/1.5 point-to-point

description connetcion to tutto

ip address 192.168.110.4 255.255.255.0

shutdown

frame-relay interface-dlci 20

!

router eigrp 10

network 192.168.0.0

network 192.168.102.0

network 192.168.103.0

network 192.168.105.0

network 192.168.108.0

network 192.168.110.0

auto-summary

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.0.1

no ip http server

!

access-list 199 permit tcp any any eq www

access-list 199 permit tcp any any eq 443

access-list 199 permit udp any any eq domain

dialer-list 1 protocol ip permit

!

route-map WWW_Traffic permit 10

match ip address 199

set ip next-hop 192.168.0.15

!

route-map WWW_Traffic permit 20

!

end

Headquarters#

lamav · ‎02-03-2009

Fret:

Assuming these remote sites have no Internet connectivity, whether IP or name addresses are used, you would have to finish verifying the routing.

The spoke defaults to the core, and the core has a policy (which I recommend you put back in place for now so as not to create any new issues) that forwards Internet traffic to the 0.15 FW.

Does that FW have a route back to the source network behind the spoke?

If you're routing has been verified in BOTH directions, hop-by-hop, check to see if there are any ACLs that are blocking traffic to the source subnet behind the spoke.

Yudong Wu · ‎02-03-2009

Victor made a good point here. If your firewall was using RIP to learn the internal network, they won't know how to reach the internal network after routing protocol is changed to EIGRP.

fretburner · ‎02-03-2009

You were right about the firewall using RIP. For the time being I added static routes to thre firewall. and can ping the network fine from both firewalls.

One thing I did notice is that any of the routers directly connected to the main router can not ping 192.168.0.1 at all. I even added static routes to test this, but still can not get to the firewall. The other networks that can get out outside, can ping that firewall just fine.