01-29-2012 11:11 PM - edited 03-04-2019 03:03 PM
Dears,
I have to use the internet from my HQ at my branch office. The connection between the HQ & branch is BGP & I'm using an ISA server at HQ.
But the problem is that I am not able to browse, while I can ping from my remote office to the ISA server.
Please help me to find a solution.
01-30-2012 02:30 AM
Here we go
You can ping 4.5.6.7, as it is on the same router as 192.168.15.x and 192.168.1.x, so before NAT comes into play. This tells us that the routing part seems to work fine.
Now it's about the NAT part and the ISA.
To see if the NAT is the guilty part, I would suggest to NAT the 129.168.16.0 to the 4.5.6.7 (so without ISA involvement).
If this is working, then you have an issue on the ISA.
Let us know please if you can do this test.
Cheers,
Calin
01-30-2012 12:56 AM
Hello Mohammad,
Please answer the following questions:
How do you connect the HQ to the Branch? VPN maybe?
How do you push routes from HQ to Branch? I understood over BGP, but full table or default route?
Do you use public IP range or private? In case of private check for proper NAT.
If you can ping an IP, but you cannot browse via domain name, check the DNS system. Other tests you can perform are to ping a domain name or to surf via IP in the browser:
http://74.125.232.242 is google.com, just to try.
Let us know your answers to be able to help you.
HTH,
Calin
01-30-2012 01:16 AM
Dear Calin,
Thanks for the answer. Below are the configurations of my routers; both are Cisco 1921 routers.
-------------HQ configuration------------------------------------
interface g0/0.1123
description #LINk to ISP internet#
encapsulation dot1Q 1123
ip addre 4.5.6.7 255.255.255.252
ip nat outside
no shut
interface g0/1.2
description #link to lan for internet#
encapsulation dot1Q 2
ip address 192.168.1.1 255.255.255.0
ip nat inside
no shut
interface fa0/0/0
description Link for lan towards ISA#
sw ac vl 3
no sh
speed 100
dupl full
exit
interface vl 3
description #vlan for ISA#
ip address 192.168.15.1 255.255.255.0
no sh
end
conf t
ip nat pool MAR 4.5.6.7. 4.5.6.7 netmask 255.255.255.252
ip nat inside source list 7 pool MAR overload
ip nat inside source static 192.168.1.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 4.5.6.6
access-list 7 permit 192.168.1.0 0.0.0.255
int g0/0.494
descrip *** Link to L3VPN***
encapsulation dot1Q 494
ip address 6.7.8.9 255.255.255.252
no sh
exit
router bgp 12345
redistribute static
redistribute connected
neighbor a.b.c.d remote-as 56789
neighbor a.b.c.d activate
neighbor a.b.c.d version 4
no synchronization
no auto-summary
network 192.168.15.0
network 192.168.1.0
exit
interface fa0/0/0
description Link for lan for L3VPN#
sw ac vl 3
no sh
speed 100
dupl full
exit
interface vl 3
description #vlan for L3VPN#
ip address 192.168.15.1 255.255.255.0
no sh
end
----------remote office----------
int g0/0
no ip address
duplex full
speed 100
no shu
interface g0/0.455
description #LINk to ISP#
encapsulation dot1Q 455
ip addre w.x.y.z 255.255.255.252
no shut
router bgp 12345
redistribute static
redistribute connected
neighbor a.b.c.d remote-as 56789
neighbor a.b.c.d activate
neighbor a.b.c.d version 4
no synchronization
no auto-summary
network 192.168.16.0
exit
int g0/1
ip add 192.168.16.1 255.255.255.0
no shu
spee 100
dup full
ip dhcp pool xyz
network 192.168.16.0 255.255.255.0
default-router 192.168.15.213
dns-server 192.168.15.212
01-30-2012 01:28 AM
Hi Mohammad,
Hope you have an MPLS connection between HQ and remote office.
And you have an internet link at HQ.
The remote office needs to come to HQ for internet.
As per your attached config,
I have not found any default route pointing at your remote office router.
Can you please add the default route at the remote office router and check.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Please rate all the helpful posts.
Regards,
Naidu.
01-30-2012 01:36 AM
Thanks Naidu,
This route will be pointing to the HQ main interface, while I want the internet to be shared from the ISA (int vlan3).
BTW I tried it; nothing happened.
Thanks.
01-30-2012 01:34 AM
OK, after a quick look, here is what I found out:
- on the branch, according to your BGP configuration you get routes for 192.168.1.0 and 192.168.15.0, but no default route (or specific routes). You have to ask yourself the question: when a host on the branch would like to send a packet to the internet, where will it send it? What is the next hop? The next hop is its gateway in the network 192.168.16.0. The packet arrives at the router. And then? The router does not know where to send the packet. It needs at least a last resort route (default route), static or pushed through BGP from the HQ router
- I see that you NAT 192.168.1.0, but I don't see anything regarding 192.168.16.0 or 192.168.15.0 (if this subnet needs to reach the internet); I don't know the role of your ISA server. Does the internet traffic have to pass through it for control or something?
- the DHCP configuration is wrong; the gateway has to be from the same range (e.g. 192.168.16.0 has to have the gateway in 192.168.16.x, not 192.168.15.x)
- If you then want the traffic to pass on the ISA, then on the HQ router you need to route the traffic to 192.168.15.x and then somehow to NAT there or to forward back to the router and NAT the 192.168.15.x
Solution (1st step without ISA interception)
- push default route in BGP from HQ to Branch
router bgp xxxx
neighbor a.b.c.d default-originate
- nat the 192.168.16.0 on the HQ router
- modify the DHCP on the Branch to send the gw 192.168.16.1
Let me know if like this you get Internet access on the branch hosts.
Calin
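Two of the findings in the post above (the DHCP gateway outside the pool's subnet, and branch traffic not matched by the NAT access list) can be checked mechanically. The following is an added example, not part of the original thread; the function names are hypothetical, the config excerpts are copied from the configs posted earlier, and it assumes `network` precedes `default-router` and contiguous wildcard masks.

```python
import ipaddress
import re

# Excerpts copied from the HQ and branch configs posted in this thread.
HQ_CONFIG = """
ip nat inside source list 7 pool MAR overload
access-list 7 permit 192.168.1.0 0.0.0.255
"""
BRANCH_CONFIG = """
ip dhcp pool xyz
 network 192.168.16.0 255.255.255.0
 default-router 192.168.15.213
 dns-server 192.168.15.212
"""

def dhcp_gateway_errors(config):
    """Return (pool, gateway, network) for each default-router outside its pool."""
    errors, pool, net = [], None, None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["ip", "dhcp", "pool"]:
            pool, net = words[3], None
        elif words[:1] == ["network"] and pool:
            net = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif words[:1] == ["default-router"] and net is not None:
            for gw in words[1:]:
                if ipaddress.ip_address(gw) not in net:
                    errors.append((pool, gw, str(net)))
    return errors

def nat_acl_networks(config):
    """Networks permitted by the standard ACL named in 'ip nat inside source list'."""
    rule = re.search(r"^ip nat inside source list (\S+) ", config, re.M)
    if not rule:
        return []
    entries = re.findall(
        rf"^access-list {re.escape(rule.group(1))} permit (\S+) (\S+)$", config, re.M)
    # ip_network() accepts a Cisco wildcard (host mask) after the slash.
    return [ipaddress.ip_network(f"{addr}/{wildcard}") for addr, wildcard in entries]

def not_translated(sources, config):
    """Source subnets that no permit line of the NAT ACL covers."""
    acl = nat_acl_networks(config)
    return [s for s in sources
            if not any(ipaddress.ip_network(s).subnet_of(n) for n in acl)]

if __name__ == "__main__":
    print(dhcp_gateway_errors(BRANCH_CONFIG))
    print(not_translated(["192.168.1.0/24", "192.168.16.0/24"], HQ_CONFIG))
```
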
01-30-2012 01:43 AM
Hi Mohammad,
What is the connection between HQ and remote office?
As said above, the remote office router needs to have a default route pointing to your HQ router to send all the unknown (internet) traffic.
So you need to originate the default route at the branch router pointing to your HQ router.
For your information....
I have this same kind of setup for one of my customers. It is like this: they have MPLS connectivity across branches, and at one HQ they have internet, and all branches come to HQ for internet. What I did is, as long as branches communicate with the HQ router through MPLS, I just add a default route in the branch routers pointing to one of the HP router interfaces (it could be vlan... gateway).. This is how the setup is.
Please rate all the helpful posts.
Regards,
Naidu.
01-30-2012 01:47 AM
Hi Naidu,
The connection is BGP.
01-30-2012 01:56 AM
Hi Calin,
All the traffic originating from 192.168.15.xx should pass through the ISA; the ISA will send to 192.168.1.1, then out to the internet.
I added the default originate &
NAT the 192.168.16.0 on the HQ router by
ip nat inside source static network 192.168.16.0 192.168.15.0 255.255.255.0
- modify the DHCP on the Branch to send the gw 192.168.16.1
Modified the DHCP but still no luck.
Thanks
01-30-2012 01:59 AM
Hi Mohammad,
I meant, what is the media between HQ and branch? Is it MPLS or something?
BGP is a routing protocol you are using over MPLS or something.
Please rate all the helpful posts.
Regards,
Naidu.
01-30-2012 02:03 AM
Hi Naidu,
This is from the ISP, physically some microwave links; I don't know what the ISP is using (most probably MPLS).
Regards,
01-30-2012 02:09 AM
From any branch host:
ping 192.168.16.1
ok?
ping 192.168.15.1
ok?
ping 192.168.15.x <- ISA IP
ok?
ping 192.168.1.1
ok?
ping 4.5.6.7 <- Public IP
ok?
We have to break down the path into segments to see where the issue is.
Cheers,
Calin
01-30-2012 02:15 AM
Hi Calin,
The pings are OK from everywhere, but I am not able to browse or ping 72.30.2.43 (yahoo).
Strange...
Thanks
01-30-2012 02:20 AM
OK, so you can confirm that you reach the outside Internet interface (4.5.6.7), correct?
What about 4.5.6.6?
It's very important to see if you pass the ISA or not.
Calin
01-30-2012 02:23 AM
Hi,
No success to 4.5.6.6
Regards,