Re: WAN Internet access

mtracy88 · ‎03-17-2003

I have just brought up additional sites that connect to my main site where my Internet router (cisco 2611) and PIX 506e reside. The new sites connect to the main site via a cisco 1760. Everything at the main site uses the PIX address as the default gateway. I need to give these new sites access to the main site and the Internet via my existing router and firewall and allow access to those sites from the main site, what is the best way to do this? What configuration changes need to be made to the router(s)?

Thanks,

Mark

rwiesmann · ‎03-18-2003

Hi Mark

What is you routing strategy in you network?

Do you work with static routing?

Or do you have a routing protocol in place? Which one?

Ciao

Roger

mtracy88 · ‎03-18-2003

Hi Roger,

Thanks for replying. I'm using EIGRP on all the routers. I think that I solved my problem but I'd still like your input. I added 'ip route 0.0.0.0 0.0.0.0 {Internet router ip address}' to the 1760 and changed my default gateway at the main site to the address of the 1760. After doing that I can get to all the other sites from the main site and still access the Internet from the main site as well. I'll be testing from the remote sites later today. My only concern now is that everything hits the 1760 before it gets routed to the 2611. Is there a better way of doing this?

Thanks,

Mark

rwiesmann · ‎03-18-2003

Hi Mark

You could change the default gateway again to the 2611 and implement a static route for the remote sites on the 2611 which points to the 1760. As i understand are the 1760 and the 2611 on the same subnet? So this way it would hit first the 2611.

But i think the 1760 should be able to handle this, especially if you enabel "ip redirect". This tells the host to use a different gateway.

Roger

mtracy88 · ‎03-18-2003

Hi Roger,

Both routers are on the same subnet. If I change the gateway back to the 2611 all my traffic will get sent through my PIX 506e, I have very little experience with the PIX and I'm not sure how/if that would affect things. I've never used the "ip redirect" command so I'll check that out and give it a try. I really appreciate your help.

Thanks,

Mark

rwiesmann · ‎03-18-2003

Hi Mark

Ussually the ip redirect is enabled by default. You can verify it with the command "sh ip int eth0/0".

2611#sh ip int eth 0/1

Ethernet0/1 is up, line protocol is up

Internet address is 194.22.13.188/26

Broadcast address is 255.255.255.255

determined by nolatile memory

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Multicast reserved groups joined: 224.0.0.9

Outgoing access list is not set

Inbound access list is not set

Proxy ARP is enabled

Security level is default

Split horizon is enabled

ICMP redirects are always sent

ICMP unreachables are always sent

ICMP mask replies are never sent

IP fast switching is enabled

IP fast switching on the same interface is enabled

IP Flow switching is enabled

IP CEF switching is enabled

IP CEF Flow Fast switching turbo vector

IP multicast fast switching is enabled

IP multicast distributed fast switching is disabled

IP route-cache flags are Fast, Flow, CEF

Router Discovery is disabled

IP output packet accounting is disabled

IP access violation accounting is disabled

TCP/IP header compression is disabled

RTP/IP header compression is disabled

Probe proxy name replies are disabled

Policy routing is disabled

Network address translation is disabled

WCCP Redirect outbound is disabled

WCCP Redirect exclude is disabled

BGP Policy Mapping is disabled

So just leave the setup as you have it now.

Roger