
Bronze

Routing

How do I make the remote branch clients access the Internet using the main site Internet leased line? I mean, do I need to create an access-list on the remote branch router, or do I need to adjust the route?

remote router -----| main router -----| main switch -----| main pix firewall.

8 REPLIES
Silver

Re: Routing

Without sufficient information, we cannot make any recommendation to you, e.g. what is the current config? What ACL or routing config is in the network?

Bronze

Re: Routing

Okay, I will post the configs, but like I said, I just want to find a way so that any user in the remote branch can access the Internet using the Internet access in the main office. Now there is one router in the remote office connecting to the main office over the MPLS cloud into the main office router, then to a switch which is also connecting to the PIX firewall.

Now I want to know a way, which I can do in the main office router, to recognize the packets coming from the remote office and forward them to the PIX to access the Internet.

I have read and did some googling, and I think if I do ip policy route-map it would do what I plan to do, or I guess something else.

Cisco Employee

Re: Routing

Hi Friend,

For the most simple setup, if you do not have any local routing done on the remote site, you can have a static route or default route set on the remote site so that all traffic is redirected to the main building, and then you can have PBR configured on the main building router to send all traffic from your specific source coming from the remote site to the PIX.

Now if you also have some routing done on the remote site router and you want only Internet traffic to hit the main building router, then you need to have some source-based routing, which is PBR, on the remote site router also; there you can classify your traffic based on port number and IP address to send that traffic to the main building router, and then again another PBR to classify traffic coming from the remote site to send it to the PIX.

There can be other ways too... it's just my suggestion.

Regards,

Ankur

Silver

Re: Routing

Thanks for your info. Let me make some assumptions. Please correct me if they are wrong.

1) The Internet access in the main office is the only way for the main and remote sites to access the Internet.

2) There is only one outgoing path at the remote office, i.e. via MPLS to the main office.

3) Between the remote and main office, there may be a dynamic routing protocol or a static route.

According to the above assumptions, I have the comments below.

Since the main office is the only path to access the Internet, there should be a default route in the main office router for users to reach outside destinations that do not belong to an internal subnet.

If the remote office is using a static route to connect to the MPLS and main office, I believe it is a default route too. So all traffic will flow to the main office, either Internet or non-Internet traffic. So there should be a static route at the main office for the return path of the traffic back to the remote office.

If there is a dynamic routing protocol between the main and remote office, you can redistribute the default route for the Internet into the routing protocol; then the remote office will also learn this default route.

There should be no issue on routing, and PBR is not required. In case there are multiple paths, or the remote office already learns a default route from somewhere else, then you may require PBR to route the traffic based on the policy and not use the routing table, e.g. if there is a default route at the remote office via another path, then you MAY require PBR. Or you have to further investigate the routing table between the remote office and the other peers; it may be enough to modify the current default route (or the default route learned from somewhere other than the main office) to a static route for the specific path.

What I consider the most important issue is the NAT & security rules of the firewall at the main office: you have to include the addresses of the remote office in the NAT pool to allow remote office users to access the Internet, and open the access for remote office users.

Hope this helps.
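A constructed IOS/PIX configuration illustrating the two approaches discussed in this thread (plain default routing versus PBR on the main router) together with the return-route and NAT pieces jackyoung raises. This is an added example, not configuration posted by anyone in the thread; every address, interface name, ACL name and route-map name is an assumption.

```cisco
!=== Remote branch router (assumed: single MPLS path, no other routing) ===
! One default route toward the main office router is enough; no PBR here.
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
!=== Main office router ===
! Return path for the remote LAN (static here; could be learned via the WAN
! routing protocol instead). Without it, replies from the PIX never get back.
ip route 10.2.0.0 255.255.255.0 192.168.100.2
!
! Option A - ordinary routing: a default route toward the PIX inside address
! carries any traffic not matching an internal subnet, remote or local.
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
! Option B - PBR: only traffic sourced from the remote LAN and NOT bound for
! internal address space is forced to the PIX, regardless of the routing table.
! (Only needed when the routing table alone cannot express the policy.)
ip access-list extended REMOTE-TO-INTERNET
 deny   ip 10.2.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.2.0.0 0.0.0.255 any
!
route-map PBR-REMOTE-INTERNET permit 10
 match ip address REMOTE-TO-INTERNET
 set ip next-hop 10.1.0.1
!
! PBR is applied on the interface where the packets ARRIVE (the MPLS link),
! which is why it can only act on traffic entering this router.
interface Serial0/0
 description MPLS link to remote branch (assumed interface)
 ip address 192.168.100.1 255.255.255.252
 ip policy route-map PBR-REMOTE-INTERNET
!
!=== PIX at the main office (PIX 6.x style syntax) ===
! Route back to the remote LAN via the main router's inside address,
! and include the remote subnet in the NAT pool so it can reach the Internet.
route inside 10.2.0.0 255.255.255.0 10.1.0.254 1
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
nat (inside) 1 10.2.0.0 255.255.255.0 0 0
global (outside) 1 interface
```

If an inbound access-list is applied on the PIX inside interface, the remote subnet must be permitted there as well; the nat statement alone does not grant access.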

Bronze

Re: Routing

Hi jackyoung,

Thanks, yes, your assumptions were correct.

After reading what you had written, I was able to work out the problem, and I successfully did the PBR on the remote router to forward the traffic for the Internet towards the PIX. While enabling syslog I see that the outbound is working okay, but the inbound traffic on the same port, e.g. 500, is getting a teardown TCP connection; also I see the message "discard IP fragment set with more than 1 element" ??? On the PIX I have a route to this subnet.

Silver

Re: Routing

Thanks for the update, and it is great that it works for you. What I believe about the IP fragment issue is that some packets may be marked with no-fragment, so they are discarded at some machine, or the PIX (or any device) is configured to not accept fragmented traffic, so it discarded them. Try to check those configs and find it out.

For the PBR, yes, it is only for outgoing traffic to other ports; it means the traffic comes in on the port and is examined by the PBR, then forwarded to the corresponding port / address. Therefore, you cannot state incoming traffic. Please clarify if I misunderstood your case.

Hope this helps.

Bronze

Re: Routing

Hi jackyoung,

Could you clarify your statement more, as to what you meant by it?

"Therefore, you cannot state in-coming traffic. Please clarify if I misunderstood your case."

And for the fragmented traffic, I have this in my config: "fragment chain 1 outside". I tried googling but can't seem to understand if it has any relation to my problem or not. Please help.

Silver

Re: Routing

What I mean is that we can only policy-route based on the locally incoming traffic. We cannot specify another source address for policy routing.

According to the links below, the fragment chain means the longest IP fragment chain that constituted any one fragmented IP packet. An IP fragment chain is the number of fragments that make up the original packet. Therefore, if you have "fragment chain 1 outside", it means no fragmented traffic is allowed at the outside interface. If there is fragmented traffic, you need to increase this value. It may be the reason why some packets cannot pass through. You also need to check the MTU size in your network to ensure there is no blocking point that drops normal-size packets because of a small MTU setting.

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008029c872.html

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a008057b914.html

Hope this helps.
