Router Configuration Assistance

Posted on 2008-11-19
Last Modified: 2012-05-05
I have a client whose router setup I need to change, and I'm trying to figure out the best way around this.

Basically, the company currently has two locations connected to each other by a standard T1 line. The remote location also has a DSL router setup from AT&T. The client wants to set it up so that internet traffic ONLY goes out the DSL router and all other traffic goes out the T1 to the other office. The router has 2 Ethernet ports. The access layer switch is plugged into one of the ports and the other is currently open and can be configured. The DSL router is plugged into the switch as part of the client's attempt to do it himself.

I was leaning toward setting up the 2nd Ethernet port with a different subnet and hooking the DSL up to that port. That segment would be a private network and the NAT would most likely take place on the DSL router, since it is a dynamic IP. Then I was thinking access lists on the DSL Ethernet permitting ports 80, 443 and 21 and denying all other traffic going out, and ACLs on the T1 port denying ports 80, 443 and 21 while permitting all other traffic, applied both in and out. I then have two default routes pointing to both the DSL Ethernet port and the Serial port.

Wanted to get opinions on this solution, and whether anyone has set up something similar and what they did. Or if anyone else has a different suggestion.
Question by:FrontlineTech
    LVL 28

    Expert Comment

    Basically I think you are on the right track. What I don't understand is, does each site have a single router doing both T1 and DSL, or 2 routers? What kind of router? Set up the default route to the internet and specific routes to the other office.

    As far as DSL access lists, you should be very strict inbound from the DSL. But you probably don't need an access list on the T1 unless there's a reason you don't trust the other office.

    Author Comment

    The main office has a separate T1 to the internet. There is a point-to-point T1 connecting the main office to the remote office. We do not want ANY internet traffic for the Remote office to go over the T1... instead we want the internet traffic to go out the DSL. Meanwhile, the remote users will still access servers and file shares over the T1 back at the main office.

    So the parameters are:

    1) Remote site Internet can ONLY go out DSL
    2) Any other remote site traffic goes ONLY through the T1.  

    The DSL router is a Cayman Router/Modem combo provided by AT&T.

    The DSL router has a built-in firewall and will take care of most of the security.

    Looking a little further I am thinking of using Policy Route Maps with extended access lists.  So the Route map matches the address from the lan using Port 80 and directs it to the DSL router... Meanwhile, any traffic from the LAN that is NOT using Port 80 is sent out the T1.
    LVL 28

    Expert Comment

    You're making it too complicated, standard routing will do the trick for you. How does the inter-office T1 connect at the remote site?
    LVL 6

    Accepted Solution

    greetings FrontlineTech.  Here's one solution in detail

    At the remote site, set all the workstations default gateway to the remote T1 router.  You can leave the Remote T1 router Ethernet and the DSL router on the same subnet.
    In the T1 router at the remote, set up two routes:  one default route to the Internet, which points to the DSL router Ethernet port, and one route that points to the T1 interface at the "other" office.
    In the Internet router at the Main office, configure a route that sends all the traffic back to the remote office to the Ethernet interface in the T1 router.
    In the Main office, on the T1 router, configure a route that sends traffic bound for the remote office to the serial interface of the remote office.

    On a Cisco router, it would look like this:
    Given Remote subnet at (/24 is shorthand notation for a subnet mask of
    Given Remote router Ethernet at
    Given Remote DSL router at
    Given Remote Serial at
    Given Main T1 Serial at
    Given Main subnet at
    Given Main T1 Ethernet at
    Substitute the IP addresses with your correct numbers

    Remote T1 router config-add two static routes:
    ip route  !sends all traffic by default to the DSL Remote router)
    ip route  !sends all the Main office traffic over the T1)
    (if the Main office has multiple subnets, then put in a static route for each of those subnets, too)

    Main T1 router config-add one static route
    ip route !routes return Remote traffic to the Remote serial intfc

    Main Internet router config-add one static route
    ip route !routes return Remote traffic to the Main T1 router

    This is a configuration that most network engineers would understand if they saw it on 3 routers.

    A policy route would be a valid idea too, but since you haven't tried basic static routes yet, I'd suggest you give this a try first.  Also, remember, that even with policy route in the Remote T1 router, you would still need to route the packets destined for the Remote office back from the Main office, because if you don't, the packets returning from the Internet will be dropped (null0).

    The way to test your configuration is to do traceroutes both to the main office and the internet from a workstation at the Remote that has its default gateway reconfigured, and see which interfaces the traceroutes hit on the way out.  (tracert in a Windows cmd window)

    Good luck!  If you need remote assistance, ping me offlist.
    LVL 6

    Expert Comment

    I forgot one route on the Main T1 router - my apologies
    ip route !where is the Main Internet router Ethernet interface

    Author Closing Comment

    I used aspects of this, but he put in the best effort.
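
Added example, not part of the original thread: a small longest-prefix-match model of the static routes described in the accepted solution and its follow-up comment, which traces the path a packet takes the way the suggested traceroute test would. The addresses, router names and the `lookup`/`trace` helpers are constructed for illustration, since the post's own addresses did not survive.

```python
import ipaddress

# Constructed addressing (assumption; not the poster's real numbers):
# Remote LAN 192.168.2.0/24, Main LAN 192.168.1.0/24.
# Each table maps prefix -> next hop: another router, "LAN" (connected) or "INTERNET".
TABLES = {
    "remote_t1": {
        "192.168.2.0/24": "LAN",        # connected Ethernet
        "0.0.0.0/0": "remote_dsl",      # default route: Internet via the DSL router
        "192.168.1.0/24": "main_t1",    # Main office over the T1 serial link
    },
    "remote_dsl": {"192.168.2.0/24": "LAN", "0.0.0.0/0": "INTERNET"},
    "main_t1": {
        "192.168.1.0/24": "LAN",
        "192.168.2.0/24": "remote_t1",  # return route over the T1
        "0.0.0.0/0": "main_inet",       # the route added in the follow-up comment
    },
    "main_inet": {
        "192.168.1.0/24": "LAN",
        "192.168.2.0/24": "main_t1",    # return route toward the Main T1 router
        "0.0.0.0/0": "INTERNET",
    },
}

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None when no route matches."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in table if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return table[str(max(matches, key=lambda n: n.prefixlen))]

def trace(start, dst, tables=TABLES, max_hops=8):
    """Follow next hops from `start`, like a traceroute; returns the path taken."""
    path, router = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[router], dst)
        if hop is None:
            return path + ["DROPPED"]
        path.append(hop)
        if hop in ("LAN", "INTERNET"):
            return path
        router = hop
    return path + ["LOOP"]

if __name__ == "__main__":
    print(trace("remote_t1", "203.0.113.10"))  # Internet destination (TEST-NET-3)
    print(trace("remote_t1", "192.168.1.20"))  # Main office server
    print(trace("main_inet", "192.168.2.50"))  # reply to a Remote workstation
```

Deleting the `192.168.2.0/24` entry from `main_t1` makes the last trace end in `LOOP`, which is the missing-return-route failure the accepted solution warns about.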
