Solved

Remote Site cannot access the internet

Posted on 2010-08-24
425 Views
Last Modified: 2012-05-10
I have 2 sites connected by point-to-point T1s. There is an 1841 at the remote site and an 1841 with firewall at the main site. The firewall is connected directly to the internet. I can ping everything on the network from site to site, and the users local to the firewall can go out to the internet, but the users at the remote site cannot. I'm pinging from a laptop at the remote site to 4.2.2.2.

Here is the config at the main site:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MR-CF
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone EDT5EST -5
clock summer-time EDT5EST recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip telnet source-interface FastEthernet0/0
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool dhcp1
   network 192.168.2.0 255.255.255.0
   dns-server 66.73.20.40 206.141.193.55
   default-router 192.168.2.1
!
!
ip domain name yourdomain.com
ip dhcp-server 192.168.2.1
!
!
!
crypto pki trustpoint TP-self-signed-1844347365
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1844347365
 revocation-check none
 rsakeypair TP-self-signed-1844347365
!
!
crypto pki certificate chain TP-self-signed-1844347365
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31383434 33343733 3635301E 170D3130 30383234 31343036
  35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38343433
  34373336 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100DDAD FCAB4C46 CA124866 FA95BAA4 E9FCF40A 28A86D46 9ED20019 BFAE07FE
  97AEBAEC 89A3D6B6 D26A4840 7F3E02FE 50408779 10C8EE34 DB2869B9 0BF3BBD7
  01874317 3DC659E2 EC0A8918 3F11063A E0D314D5 DA3B8CF3 6A70F543 F271D068
  7C0F0D52 93612A32 14D25C48 0233D3AF 374F4C71 FBC57810 7AAF11A2 28831AC2
  D8CB0203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
  551D1104 18301682 144D522D 43462E79 6F757264 6F6D6169 6E2E636F 6D301F06
  03551D23 04183016 8014351D 5554F28A D42091CF DAC6D489 8F2FF8F9 3C75301D
  0603551D 0E041604 14351D55 54F28AD4 2091CFDA C6D4898F 2FF8F93C 75300D06
  092A8648 86F70D01 01040500 03818100 62A95B5F B9F7E377 AFCEB22E 9ACBC086
  E6AEA366 9A845B6C 44C96473 12647E9B 93D2C7B5 F9478BC4 6A9C3F45 DB85F6C3
  D33C750A 15275FA7 0307F21F B19D4A1D 3F81EB9F FE468C83 F2F28E48 5FC07421
  D5DD3BBE 415BB966 EF538D1E 02853D68 E0CF1911 B468B4D3 A37AD723 58486147
  8CEC195B 21CB8266 4A082CB8 8B0D271F
  quit
username admin privilege 15 secret 5 $1$rFyf$OZqeXXVLZAJgZEhcN8DSa1
!
!
!
!
!
interface Multilink1
 description Out to Remote$FW_INSIDE$
 bandwidth 3000
 ip address 192.168.50.2 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 no cdp enable
 ppp chap hostname group1
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 1
 hold-queue 300 out
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_OUTSIDE$
 ip address xxx.xxx.xxx.xxx 255.255.255.224
 ip access-group 102 in
 ip access-group sdm_fastethernet0/0_out out
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 ip access-group sdm_fastethernet0/1_out out
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description T101
 bandwidth 1544
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no ip route-cache cef
 load-interval 30
 no fair-queue
 down-when-looped
 serial restart-delay 0
 service-module t1 cablelength short 110ft
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
 ppp chap hostname group1
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/0
 description T102
 bandwidth 1544
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no ip route-cache cef
 load-interval 30
 no fair-queue
 down-when-looped
 serial restart-delay 0
 service-module t1 cablelength short 110ft
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
 ppp chap hostname group1
 ppp multilink
 ppp multilink group 1
!
router eigrp 100
 network 192.168.2.0
 network 192.168.50.0
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
!
ip access-list extended sdm_fastethernet0/0_out
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_fastethernet0/1_out
 remark SDM_ACL Category=1
 permit ip any any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 102 permit udp host 129.6.15.29 eq ntp host xxx.xxx.xxx.xxx eq ntp
access-list 102 deny   ip 192.168.50.0 0.0.0.255 any
access-list 102 deny   ip 192.168.2.0 0.0.0.255 any
access-list 102 permit icmp any host xxx.xxx.xxx.xxx echo-reply
access-list 102 permit icmp any host xxx.xxx.xxx.xxx time-exceeded
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 logging synchronous
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178297
ntp server 129.6.15.29 version 2
end

Remote Site:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MR-CO
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
clock timezone EDT5EST -5
clock summer-time EDT5EST recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip telnet source-interface FastEthernet0/0
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool dhcp1
   network 192.168.1.0 255.255.255.0
   dns-server 192.168.2.1 4.2.2.2
   default-router 192.168.2.1
!
!
ip dhcp-server 192.168.1.1
!
username admin privilege 15 password 7 12090404011C03162E
!
!
!
interface Multilink1
 description Out to Remote
 bandwidth 3000
 ip address 192.168.50.1 255.255.255.0
 ip route-cache flow
 load-interval 30
 no cdp enable
 ppp chap hostname group1
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 1
 hold-queue 300 out
!
interface FastEthernet0/0
 description Inside
 ip address 192.168.1.1 255.255.255.0
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 192.168.0.2 255.255.255.0
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description T101
 bandwidth 1544
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no ip route-cache cef
 load-interval 30
 no fair-queue
 down-when-looped
 serial restart-delay 0
 service-module t1 cablelength short 110ft
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
 ppp chap hostname group1
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/0
 description T102
 bandwidth 1544
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no ip route-cache cef
 load-interval 30
 no fair-queue
 down-when-looped
 serial restart-delay 0
 service-module t1 cablelength short 110ft
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
 ppp chap hostname group1
 ppp multilink
 ppp multilink group 1
!
router eigrp 100
 network 192.168.1.0
 network 192.168.50.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 192.168.1.0 255.255.255.0 192.168.50.2
ip route 192.168.2.0 255.255.255.0 Multilink1
!
ip http server
ip http authentication local
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
!
scheduler allocate 20000 1000
ntp clock-period 17178955
ntp server 129.6.15.29 version 2
end

0
Question by:Christoff
23 Comments
 
LVL 2

Expert Comment

by:fs40490
Comment Utility
Have you attempted to change the default route on the remote site from 192.168.2.1 to the multilink interface (basically replicating the route to the 192.168.2.0 line that is working)? This should get the traffic onto the correct path, which will ultimately allow you to get out of the main site from the remote site.
0
 
LVL 2

Expert Comment

by:roarkinc
Comment Utility
Are you sure you can ping computers at the main site from the remote site?
E.g., 192.168.1.X can ping 192.168.2.X.

Can you post a tracert of that working?
Can you also post a tracert going to 192.168.50.2 and 4.2.2.2?
0
 

Author Comment

by:Christoff
Comment Utility


C:\>tracert 4.2.2.2

Tracing route to 4.2.2.2 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     4 ms     4 ms     4 ms  192.168.50.2
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.

C:\t>ping 192.168.2.164

Pinging 192.168.2.164 with 32 bytes of data:
Reply from 192.168.2.164: bytes=32 time=4ms TTL=126
Reply from 192.168.2.164: bytes=32 time=4ms TTL=126
Reply from 192.168.2.164: bytes=32 time=4ms TTL=126
Reply from 192.168.2.164: bytes=32 time=4ms TTL=126

Ping statistics for 192.168.2.164:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 4ms, Average = 4ms

C:\>ping 4.2.2.2

Pinging 4.2.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
0
 
LVL 2

Expert Comment

by:fs40490
Comment Utility
Have you tried to set the default route on the remote site to the IP of the multilink interface of the main office?

The issue that I see is that you are pointing the default to an interface that the remote router does not actually route to in order to get to the internet.

Try this route setting on the remote site:

0.0.0.0 0.0.0.0 192.168.50.1
0
 
LVL 2

Expert Comment

by:fs40490
Comment Utility
Just to clarify that route statement would be:

ip route 0.0.0.0 0.0.0.0 192.168.50.1
0
 
LVL 2

Expert Comment

by:roarkinc
Comment Utility
The main router doesn't seem to have a route back to the remote site.
I think adding this to the main router might do it:

ip route 192.168.2.0 255.255.255.0 Multilink1
0
 

Author Comment

by:Christoff
Comment Utility
Yes, I had that route in before and I just changed it back to that. I was just trying a couple of things. The traffic between sites flows smoothly. I can even ping the public IP address on the WAN interface of the firewall, but nothing beyond it. Everything works between the LANs, and the main site users local to the firewall can get out to the internet, but nothing at the far end can get beyond the main site's firewall.
0
 

Author Comment

by:Christoff
Comment Utility
Here are all of the ping results from the far end router:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/36 ms
MR-CO#ping 192.168.50.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
MR-CO#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
0
 

Author Comment

by:Christoff
Comment Utility
My laptop could not ping 4.2.2.2.

I tried both 192.168.1.1 and 192.168.2.1 as the gateway on my NIC.
0
 
LVL 2

Expert Comment

by:fs40490
Comment Utility
Christoff, could you provide a sanitized version of the route tables for both sites?
0
 

Author Comment

by:Christoff
Comment Utility
Not sure what a sanitized route table is, but here is a sho ip route from each router:

Main Site:
Gateway of last resort is 12.168.xxx.xxx to network 0.0.0.0

C       12.168.48.96/27 is directly connected, FastEthernet0/0
     192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.50.0/24 is directly connected, Multilink1
C       192.168.50.1/32 is directly connected, Multilink1
S    192.168.1.0/24 [1/0] via 192.168.50.1
C    192.168.2.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 12.168.xxx.xxx

Remote Site:

Gateway of last resort is 192.168.50.2 to network 0.0.0.0

     192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.50.2/32 is directly connected, Multilink1
C       192.168.50.0/24 is directly connected, Multilink1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S    192.168.2.0/24 is directly connected, Multilink1
S*   0.0.0.0/0 [1/0] via 192.168.50.2
0
 
LVL 2

Expert Comment

by:fs40490
Comment Utility
Did you notice that both of your sites show that 192.168.2.0 is directly connected? Is there anything on the remote side that is using the 192.168.2.0 address space?

0
 

Author Comment

by:Christoff
Comment Utility
No, there is not.
0
 

Author Comment

by:Christoff
Comment Utility
Remote site connects to 192.168.2.0/24 through Multilink1 and the Main site is connected to 192.168.2.0/24 because the interface is addressed with it.
0
 

Author Comment

by:Christoff
Comment Utility
What gets me is that the remote router can ping the internet but the workstations cannot.
0
 
LVL 2

Expert Comment

by:fs40490
Comment Utility
Do you need to have a dynamic routing protocol running on the network at this time? It appears that you would be able to do all of the routing necessary in your environment with static routes (unless there are other routers not shown in the configurations). With that, you can troubleshoot the initial static configuration and then add in the dynamic routing later to ensure that there is not a conflict.

0
 

Author Comment

by:Christoff
Comment Utility
I do not have to use EIGRP; I thought it might be nice to use.
0
 

Author Comment

by:Christoff
Comment Utility
I disabled it.
0
 
LVL 2

Accepted Solution

by:
fs40490 earned 500 total points
Comment Utility
Main Site configuration:

ip route 0.0.0.0 0.0.0.0 (next hop to ISP)
ip route 192.168.1.0 255.255.255.0 192.168.50.1
ip route 192.168.0.0 255.255.255.0 192.168.50.1

Remote configuration:

ip route 0.0.0.0 0.0.0.0 192.168.50.2
ip route 192.168.2.0 255.255.255.0 192.168.50.2

0
 
LVL 1

Expert Comment

by:namoom
Comment Utility
This route should NOT be in the remote host:
ip route 192.168.1.0 255.255.255.0 192.168.50.2
0
 

Author Closing Comment

by:Christoff
Comment Utility
Cleaning up the routes helped.
0
 

Author Comment

by:Christoff
Comment Utility
The problem was with NAT: I didn't build the ACL that would permit the .1 network to go out to the public.

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 2 interface FastEthernet0/0 overload
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
0
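The root cause in the closing comment above is that the main-site router only translated sources matching access-list 1 (192.168.2.0/24 and 192.168.50.0/24), so a remote workstation in 192.168.1.0/24 left FastEthernet0/0 untranslated while the remote router's own pings, sourced from its Multilink1 address 192.168.50.1, were translated. The following Python script is an added example, not code from the thread or from Cisco: it models the IOS standard-ACL wildcard match and the `ip nat inside source list` lookup, and runs the thread's original and fixed NAT configuration against three constructed source addresses. The helper names, the sample source addresses (192.168.1.50, 192.168.2.164) and the assumption that the router sources its own pings from 192.168.50.1 are mine, not the page's.

```python
"""Model of the main-site router's NAT decision for a packet leaving the outside
interface. Constructed example; the ACL lines are copied from the thread, the
source addresses are made up for illustration."""
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <addr> [<wildcard>]' lines into
    {N: [(action, address_int, wildcard_int), ...]}. Remarks and extended
    ACL entries (which start with a protocol keyword) are skipped."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue
        num, action, target = parts[1], parts[2], parts[3]
        if target == "any":
            addr, wildcard = 0, 0xFFFFFFFF
        elif target == "host" and len(parts) > 4:
            addr, wildcard = _to_int(parts[4]), 0
        else:
            try:
                addr = _to_int(target)
            except ipaddress.AddressValueError:
                continue  # extended ACL line such as 'deny ip ...'
            wildcard = _to_int(parts[4]) if len(parts) > 4 else 0
        acls.setdefault(num, []).append((action, addr, wildcard))
    return acls


def acl_permits(entries, src_ip):
    """First-match evaluation with IOS wildcard semantics (0 bit = must match);
    no entry matching means the implicit deny at the end of every ACL."""
    ip = _to_int(src_ip)
    for action, addr, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF
        if (ip & care) == (addr & care):
            return action == "permit"
    return False


def parse_nat_rules(lines):
    """'ip nat inside source list N interface IFACE overload' -> [(N, IFACE)]"""
    rules = []
    for line in lines:
        parts = line.split()
        if parts[:5] == ["ip", "nat", "inside", "source", "list"] and "interface" in parts:
            rules.append((parts[5], parts[parts.index("interface") + 1]))
    return rules


def nat_decision(config_lines, src_ip):
    """Return the outside interface whose address the packet is translated to,
    or None when no NAT rule's ACL permits the source (packet leaves untranslated,
    carrying an RFC 1918 address that no upstream will route back)."""
    acls = parse_standard_acl(config_lines)
    for acl_num, iface in parse_nat_rules(config_lines):
        if acl_permits(acls.get(acl_num, []), src_ip):
            return iface
    return None


# NAT configuration as originally posted (main-site config in the question).
ORIGINAL = [
    "ip nat inside source list 1 interface FastEthernet0/0 overload",
    "access-list 1 remark SDM_ACL Category=2",
    "access-list 1 permit 192.168.2.0 0.0.0.255",
    "access-list 1 permit 192.168.50.0 0.0.0.255",
]

# NAT configuration from the author's closing comment.
FIXED = ORIGINAL + [
    "ip nat inside source list 2 interface FastEthernet0/0 overload",
    "access-list 2 permit 192.168.1.0 0.0.0.255",
]

# Constructed sources: the remote router pinging from its Multilink1 address
# (assumption: IOS sources a ping from the egress interface), a remote
# workstation, and a main-site workstation from the thread's ping output.
SOURCES = {
    "remote router (Multilink1)": "192.168.50.1",
    "remote workstation": "192.168.1.50",
    "main-site workstation": "192.168.2.164",
}


def main():
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"--- {label} configuration ---")
        for who, src in SOURCES.items():
            iface = nat_decision(cfg, src)
            verdict = f"translated via {iface}" if iface else "NOT translated (dropped upstream)"
            print(f"{who:28s} {src:15s} -> {verdict}")


if __name__ == "__main__":
    main()
```

Running the script shows why the thread's symptom was confusing: with the original lists the router-sourced ping (192.168.50.1) is translated and succeeds, while the workstation (192.168.1.50) is not, and only the fixed configuration translates all three sources. The same check is a useful review habit whenever a new inside subnet is added behind a NAT router: confirm the subnet appears in the NAT ACL, not only in the routing table.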
 
LVL 2

Expert Comment

by:fs40490
Comment Utility
I am glad that you got everything working.
0
