How do I make the remote branch clients access the internet using the main site's internet leased line? I mean, do I need to create an access-list on the remote branch router, or do I need to adjust the route?
remote router -----| main router -----| main switch -----| main pix firewall.
Okay, I will post the configs, but like I said, I just want to find a way so that any user in the remote branch can access the internet using the internet access in the main office. Now, there is one router in the remote office connecting to the main office over the MPLS cloud into the main office router, then to a switch which is also connected to the PIX firewall.
Now I want to know a way, which I can do in the main office router, to recognize the packets coming from the remote office and forward them to the PIX to access the internet.
I have read and did some googling, and I think if I do "ip policy route-map" it would do what I plan to do, or I guess something else.
For the most simple setup, if you do not have any local routing done on the remote site, you can have a static route or default route set on the remote site so that all traffic is redirected to the main building, and then you can have PBR configured on the main building router to send all traffic from your specific source coming from the remote site to the PIX.
Now, if you also have some routing done on the remote site router and you want only internet traffic to hit the main building router, then you need to have some source-based routing, which is PBR, on the remote site router also. There you can classify your traffic based on port number and IP address to send that traffic to the main building router, and then again another PBR to classify traffic coming from the remote site to send it to the PIX.
There can be other ways too... it's just my suggestion.
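The first (simpler) setup from the reply above, as an added IOS example that is not from the thread's own configs. Addresses, interface names and the remote subnet are assumed placeholders: remote LAN 192.168.20.0/24, PIX inside address 10.1.1.254, MPLS next hop 172.16.0.2, internal address space 10.0.0.0/8 and 192.168.0.0/16.

```cisco
! --- Remote-branch router (assumed): no local routing, everything goes to main ---
ip route 0.0.0.0 0.0.0.0 172.16.0.1

! --- Main-office router: policy-route remote-branch internet traffic to the PIX ---
! Match only remote traffic that is NOT destined for internal subnets, so
! branch-to-HQ traffic keeps using the normal routing table.
ip access-list extended REMOTE-TO-INTERNET
 deny   ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.20.0 0.0.0.255 any
!
route-map REMOTE-INET permit 10
 match ip address REMOTE-TO-INTERNET
 set ip next-hop 10.1.1.254
!
! PBR only acts on packets ENTERING the interface it is applied to, so it goes
! on the MPLS-facing interface where remote-branch traffic arrives (assumed name).
interface Serial0/0
 description MPLS link towards remote branch
 ip policy route-map REMOTE-INET
!
! Return path for replies from the PIX: the main router must know the remote subnet.
ip route 192.168.20.0 255.255.255.0 172.16.0.2
!
! Verification: "show route-map REMOTE-INET" shows policy-matched packet counters,
! "debug ip policy" shows per-packet decisions (use only briefly on a busy router).
```

An alternative to the two deny lines is `set ip default next-hop 10.1.1.254`, which only applies when the routing table has no specific route for the destination; the explicit ACL is easier to audit.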
Thanks for your info. Let me make some assumptions. Please correct me if they are wrong.
1) The Internet access in the main office is the only way for the main and remote sites to access the Internet.
2) There is only one outgoing path at the remote office, i.e. via MPLS to the main office.
3) Between the remote and main office, there may be a dynamic routing protocol or static routes.
According to the above assumptions, I have the comments below.
Since the main office is the only path to access the Internet, there should be a default route in the main office router for users to reach outside addresses that do not belong to an internal subnet.
If the remote office is using a static route to connect to the MPLS and main office, I believe it is a default route too. So all traffic will flow to the main office, both Internet and non-Internet traffic. So, there should be a static route at the main office for the return path of the traffic back to the remote office.
If there is a dynamic routing protocol between the main and remote office, you can redistribute the default route for the Internet into the routing protocol; then the remote office will also learn this default route.
There should be no issue with routing, and PBR is not required. In case there are multiple paths, or the remote office already learns a default route from somewhere else, then you may require PBR to route the traffic based on the policy and not the routing table, e.g. if there is a default route at the remote office via another path, then you MAY require PBR. Or, if you further investigate the routing table between the remote office and other peers, you may only need to modify the current default route (or the default route learned from somewhere other than the main office) to a static route for the specific path, and that is fine.
What I consider the most important issue is the NAT and security rules of the firewall at the main office: you have to include the address of the remote office in the NAT pool to allow remote office users to access the Internet, and open the access for remote office users.
After reading what you had written, I was able to work out the problem and I successfully did the PBR on the remote router to forward the internet traffic towards the PIX. While enabling syslog, I see that outbound is working okay, but the inbound traffic on the same port, e.g. 500, is getting a teardown TCP connection; I also see the message "discard IP fragment set with more than 1 element" ??? On the PIX I have a route to this subnet.
Thanks for the update, and it is great that it works for you. What I believe about the IP fragment issue is that some packets may be marked with no-fragment, so they are discarded at some machine, or the PIX (or any device) is configured to not accept fragmented traffic, so it discards them. Try to check those configs and find it out.
For the PBR, yes, it is only for outgoing traffic to another port: the traffic enters the port, is examined by the PBR, and is then forwarded to the corresponding port / address. Therefore, you cannot state incoming traffic. Please clarify if I misunderstood your case.
What I mean is that we can only policy-route based on the locally incoming traffic. We cannot specify another source address for policy routing.
According to the link below, the fragment chain means the longest IP fragment chain that constituted any one fragmented IP packet. An IP fragment chain is the number of fragments that make up the original packet. Therefore, if you have "fragment chain 1 outside", it means no fragmented traffic is allowed at the outside interface. If there is fragmented traffic, you need to increase this value. It may be the reason why some packets cannot pass through. You also need to check the MTU size in your network to ensure there is no blocking point that drops normal-size packets because of a small MTU setting.
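The PIX-side items raised in the thread (return route, NAT pool membership for the remote subnet, and the fragment chain limit), as an added PIX 6.x example that is not from the original posts. Addresses are assumed placeholders: remote LAN 192.168.20.0/24, main router inside address 10.1.1.1, HQ LAN 10.1.0.0/16.

```cisco
! --- Main-office PIX (6.x syntax), assumed placeholder addresses ---
!
! 1. Return route: replies for remote-branch users must go back via the main
!    router, otherwise the PIX has no route to 192.168.20.0/24 and drops them.
route inside 192.168.20.0 255.255.255.0 10.1.1.1 1
!
! 2. NAT: the remote subnet must be in the NAT pool. Without the second "nat"
!    line the remote users' packets are not translated and never reach the internet.
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
nat (inside) 1 192.168.20.0 255.255.255.0 0 0
global (outside) 1 interface
!
! 3. Fragments: "fragment chain 1 outside" permits no fragmented packets on the
!    outside interface (every fragmented reply is discarded). Restoring the default
!    chain length (24) lets normally fragmented packets be reassembled and passed.
fragment chain 24 outside
fragment size 200 outside
!
! Verification (show commands only):
!   show fragment outside   - current size/chain/timeout and fail/overflow counters
!   show xlate              - confirm remote-branch addresses are being translated
!   show route              - confirm the return route to the remote subnet exists
```

If `show fragment outside` still reports failures after raising the chain length, check the MTU along the path as the reply above suggests, since a small MTU increases the number of fragments per packet.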