New Member

Internet traffic over bgp

I have a network in a remote location connected via BGP.  Their normal network traffic is working fine, but I can't get internet traffic to respond over the BGP network.

I was trying to traceroute an internet site with no luck.  After reading, I've added the statement 'Network 0.0.0.0' to my local router bgp entry.  This allows the far end to traceroute to my local router but the packets are dropping here on the outside interface.

I'm at a loss what is needed next.  Hoping for quick response today. Below is config section of the two routers.

Far end 7206
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 10.160.128.0 mask 255.255.255.0
network 10.160.129.0 mask 255.255.255.0
redistribute connected
redistribute eigrp 1
neighbor 12.112.236.233 remote-as 7018
neighbor 12.112.236.233 weight 65535
distribute-list 10 out
no auto-summary
!
ip forward-protocol nd
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 10.160.8.206 2055
!
no ip http server
no ip http secure-server
!
!
!
ip access-list extended mpls_out
access-list 10 permit 10.160.15.86
access-list 10 permit 10.160.136.0 0.0.0.255
access-list 10 permit 10.160.128.0 0.0.0.255
access-list 10 permit 10.160.129.0 0.0.0.255
access-list 10 permit 10.160.15.84 0.0.0.8
access-list 10 deny   any

#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 65001", distance 20, metric 0, candidate default path
  Tag 7018, type external
  Redistributing via eigrp 1
  Advertised by eigrp 1 metric 4500 10 255 1 1500
  Last update from 12.112.236.233 00:43:00 ago
  Routing Descriptor Blocks:
  * 12.112.236.233, from 12.112.236.233, 00:43:00 ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
      Route tag 7018

Near end 7206 - inside interface is on network 10.160.8.0 with firewall
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 0.0.0.0
redistribute eigrp 1
neighbor 12.84.94.161 remote-as 7018
neighbor 12.84.94.161 weight 65535
distribute-list 10 out
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.160.8.5
no ip http server
no ip http secure-server
!
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 10.160.8.206 2055
!
!
logging alarm informational
access-list 10 deny   10.160.15.86
access-list 10 deny   10.160.136.0 0.0.0.255
access-list 10 deny   10.160.128.0 0.0.0.255
access-list 10 deny   10.160.129.0 0.0.0.255
access-list 10 permit any

sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Redistributing via eigrp 1
  Advertised by eigrp 1
                bgp 65001
  Routing Descriptor Blocks:
  * 10.160.8.5
      Route metric is 0, traffic share count is 1

Accepted Solutions
Hall of Fame Super Silver

Re: Internet traffic over bgp

Hello Catahola,

Your remote site is using RFC 1918 IP addresses (10.160.x.y).

At the near site, which is connected to the internet, the FW needs to NAT these IP addresses to IP addresses of your public block in order to send packets out to the internet and, what is more important, to receive answers back.

No one, unless misconfigured, answers back to a private IP address over the public internet.

So your issue is not a BGP issue, but you probably need to update the NAT configuration of your firewall.

Unless the far end site has its own internet access.

The firewall also needs static routes to know how to route traffic to the remote site IP subnets, in addition to NAT.

Hope to help

Giuseppe
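
The check described in the answer above, as an added example that is not part of the original thread: it turns the far-end entries of the poster's access-list 10 into prefixes and reports which ones lack a NAT rule or a return route on the firewall. The firewall NAT source ranges and static routes are constructed assumptions, since the thread never shows the firewall configuration.

```python
import ipaddress

# Far-end entries from the poster's "access-list 10": (address, wildcard).
FAR_END_ACL = [
    ("10.160.15.86", "0.0.0.0"),
    ("10.160.136.0", "0.0.0.255"),
    ("10.160.128.0", "0.0.0.255"),
    ("10.160.129.0", "0.0.0.255"),
    ("10.160.15.84", "0.0.0.8"),
]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall state (assumption: the thread never shows it).
FW_NAT_SOURCES = ["10.160.8.0/24", "10.160.128.0/24"]
FW_STATIC_ROUTES = ["10.160.128.0/24", "10.160.129.0/24"]

def acl_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a prefix, or None if the
    wildcard is non-contiguous and so does not describe a single prefix."""
    wc = int(ipaddress.ip_address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard has the form 2**n - 1
        return None
    mask = ipaddress.ip_address(wc ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def covered(net, ranges):
    return any(net.subnet_of(ipaddress.ip_network(r)) for r in ranges)

def audit(acl, nat_sources, static_routes):
    """Map each far-end entry to the reasons its internet traffic would fail."""
    findings = {}
    for addr, wildcard in acl:
        net = acl_to_network(addr, wildcard)
        if net is None:
            findings[f"{addr} {wildcard}"] = ["non-contiguous wildcard"]
            continue
        problems = []
        if any(net.subnet_of(p) for p in RFC1918) and not covered(net, nat_sources):
            problems.append("private source, no NAT rule")
        if not covered(net, static_routes):
            problems.append("no return route on firewall")
        if problems:
            findings[str(net)] = problems
    return findings

if __name__ == "__main__":
    for entry, problems in audit(FAR_END_ACL, FW_NAT_SOURCES, FW_STATIC_ROUTES).items():
        print(f"{entry}: {', '.join(problems)}")
```

The `0.0.0.8` wildcard is reported separately because it matches two hosts (.84 and .92) rather than one prefix, so it has to be checked by hand.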

New Member

Re: Internet traffic over bgp

Giuseppe,

Thanks for the input.  Firewall was part of the problem.  All is fixed now.
