Christoff
Remote Site cannot access the internet
I have 2 sites connected by point-to-point T1s. There is an 1841 at the remote and an 1841 with firewall at the main site. The firewall is connected directly to the internet. I can ping everything on the network from site to site, and the users local to the firewall can go out to the internet, but the users at the remote site cannot. I'm pinging from a laptop at the remote site to 4.2.2.2.
Here is the config at the main site:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MR-CF
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone EDT5EST -5
clock summer-time EDT5EST recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip telnet source-interface FastEthernet0/0
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool dhcp1
network 192.168.2.0 255.255.255.0
dns-server 66.73.20.40 206.141.193.55
default-router 192.168.2.1
!
!
ip domain name yourdomain.com
ip dhcp-server 192.168.2.1
!
!
!
crypto pki trustpoint TP-self-signed-1844347365
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1844347365
revocation-check none
rsakeypair TP-self-signed-1844347365
!
!
crypto pki certificate chain TP-self-signed-1844347365
certificate self-signed 01
quit
username admin privilege 15 secret 5 $1$rFyf$OZqeXXVLZAJgZEhcN8DSa1
!
!
!
!
!
interface Multilink1
description Out to Remote$FW_INSIDE$
bandwidth 3000
ip address 192.168.50.2 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
load-interval 30
no cdp enable
ppp chap hostname group1
ppp multilink
ppp multilink fragment disable
ppp multilink group 1
hold-queue 300 out
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_OUTSIDE$
ip address xxx.xxx.xxx.xxx 255.255.255.224
ip access-group 102 in
ip access-group sdm_fastethernet0/0_out out
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
ip access-group sdm_fastethernet0/1_out out
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
description T101
bandwidth 1544
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
no ip route-cache cef
load-interval 30
no fair-queue
down-when-looped
serial restart-delay 0
service-module t1 cablelength short 110ft
service-module t1 clock source internal
service-module t1 timeslots 1-24
ppp chap hostname group1
ppp multilink
ppp multilink group 1
!
interface Serial0/1/0
description T102
bandwidth 1544
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
no ip route-cache cef
load-interval 30
no fair-queue
down-when-looped
serial restart-delay 0
service-module t1 cablelength short 110ft
service-module t1 clock source internal
service-module t1 timeslots 1-24
ppp chap hostname group1
ppp multilink
ppp multilink group 1
!
router eigrp 100
network 192.168.2.0
network 192.168.50.0
auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
!
ip access-list extended sdm_fastethernet0/0_out
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_fastethernet0/1_out
remark SDM_ACL Category=1
permit ip any any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 102 permit udp host 129.6.15.29 eq ntp host xxx.xxx.xxx.xxx eq ntp
access-list 102 deny ip 192.168.50.0 0.0.0.255 any
access-list 102 deny ip 192.168.2.0 0.0.0.255 any
access-list 102 permit icmp any host xxx.xxx.xxx.xxx echo-reply
access-list 102 permit icmp any host xxx.xxx.xxx.xxx time-exceeded
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 0 0
logging synchronous
transport input telnet ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178297
ntp server 129.6.15.29 version 2
end
Remote Site:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MR-CO
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
clock timezone EDT5EST -5
clock summer-time EDT5EST recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip telnet source-interface FastEthernet0/0
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool dhcp1
network 192.168.1.0 255.255.255.0
dns-server 192.168.2.1 4.2.2.2
default-router 192.168.2.1
!
!
ip dhcp-server 192.168.1.1
!
username admin privilege 15 password 7 12090404011C03162E
!
!
!
interface Multilink1
description Out to Remote
bandwidth 3000
ip address 192.168.50.1 255.255.255.0
ip route-cache flow
load-interval 30
no cdp enable
ppp chap hostname group1
ppp multilink
ppp multilink fragment disable
ppp multilink group 1
hold-queue 300 out
!
interface FastEthernet0/0
description Inside
ip address 192.168.1.1 255.255.255.0
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address 192.168.0.2 255.255.255.0
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
description T101
bandwidth 1544
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
no ip route-cache cef
load-interval 30
no fair-queue
down-when-looped
serial restart-delay 0
service-module t1 cablelength short 110ft
service-module t1 clock source internal
service-module t1 timeslots 1-24
ppp chap hostname group1
ppp multilink
ppp multilink group 1
!
interface Serial0/1/0
description T102
bandwidth 1544
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
no ip route-cache cef
load-interval 30
no fair-queue
down-when-looped
serial restart-delay 0
service-module t1 cablelength short 110ft
service-module t1 clock source internal
service-module t1 timeslots 1-24
ppp chap hostname group1
ppp multilink
ppp multilink group 1
!
router eigrp 100
network 192.168.1.0
network 192.168.50.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 192.168.1.0 255.255.255.0 192.168.50.2
ip route 192.168.2.0 255.255.255.0 Multilink1
!
ip http server
ip http authentication local
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
!
scheduler allocate 20000 1000
ntp clock-period 17178955
ntp server 129.6.15.29 version 2
end
Have you attempted to change the default route on the remote site from 192.168.2.1 to multilink (basically replicating the route to 192.168.2.0 line that is working)? This should get the traffic to the correct path, which will ultimately allow you to get out of the main site from the remote site.
are you sure you can ping computers at the main site from the remote site?
eg, 192.168.1.X can ping 192.168.2.X
can you post a tracert of that working?
can you also post a tracert going to 192.168.50.2 and 4.2.2.2
ASKER
C:\>tracert 4.2.2.2
Tracing route to 4.2.2.2 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.1.1
2 4 ms 4 ms 4 ms 192.168.50.2
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
C:\>ping 192.168.2.164
Pinging 192.168.2.164 with 32 bytes of data:
Reply from 192.168.2.164: bytes=32 time=4ms TTL=126
Reply from 192.168.2.164: bytes=32 time=4ms TTL=126
Reply from 192.168.2.164: bytes=32 time=4ms TTL=126
Reply from 192.168.2.164: bytes=32 time=4ms TTL=126
Ping statistics for 192.168.2.164:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 4ms, Average = 4ms
C:\>ping 4.2.2.2
Pinging 4.2.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Have you tried to set the default route on the remote site to the IP of the multilink interface of the main office?
The issue that I see is that you are pointing the default to an interface that the remote router does not actually route to in order to get to the internet.
Try this route setting on the remote site:
0.0.0.0 0.0.0.0 192.168.50.1
Just to clarify that route statement would be:
ip route 0.0.0.0 0.0.0.0 192.168.50.1
the main router doesn't seem to have a route back to the remote site
i think adding this to the main router might do it
ip route 192.168.2.0 255.255.255.0 Multilink1
ASKER
Yes, I had that route in before and I just changed it back to that. I was just trying a couple of things. The traffic between sites flows smoothly. I can even ping the public IP address on the WAN interface of the firewall but nothing beyond it. Everything works between the LANs, and the main site users local to the firewall can get out to the internet, but nothing at the far end can get beyond the main site's firewall.
ASKER
Here are all of the ping results from the far end router:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/36 ms
MR-CO#ping 192.168.50.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
MR-CO#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
ASKER
My laptop could not ping 4.2.2.2
I tried both 192.168.1.1 and 192.168.2.1 as the gateway on my NIC
Christoff, could you provide a sanitized version of the route tables for both sites?
ASKER
Not sure what a sanitized route table is but here is a sho ip route from each router
Main Site:
Gateway of last resort is 12.168.xxx.xxx to network 0.0.0.0
C 12.168.48.96/27 is directly connected, FastEthernet0/0
192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.50.0/24 is directly connected, Multilink1
C 192.168.50.1/32 is directly connected, Multilink1
S 192.168.1.0/24 [1/0] via 192.168.50.1
C 192.168.2.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 12.168.xxx.xxx
Remote Site:
Gateway of last resort is 192.168.50.2 to network 0.0.0.0
192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.50.2/32 is directly connected, Multilink1
C 192.168.50.0/24 is directly connected, Multilink1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
S 192.168.2.0/24 is directly connected, Multilink1
S* 0.0.0.0/0 [1/0] via 192.168.50.2
Did you notice that both of your sites show that 192.168.2.0 is directly connected? Is there anything on the Remote that is using 192.168.2.0 address space?
ASKER
No there is not
ASKER
Remote site connects to 192.168.2.0/24 through Multilink1 and the Main site is connected to 192.168.2.0/24 because the interface is addressed with it.
ASKER
What gets me is that the remote router can ping the internet but the workstations cannot
Do you need to have a dynamic routing protocol running on the network at this time? It appears that you would be able to do all of the routing necessary in your environment with static routes (unless there are other routers not shown in the configurations). With that you can troubleshoot the initial static configuration, then add in the dynamic later to ensure that there is not a conflict.
ASKER
I do not have to use EIGRP, though it might be nice to use.
ASKER
I disabled it
This route should NOT be in the remote host
ip route 192.168.1.0 255.255.255.0 192.168.50.2
ASKER
Cleaning up the routes helped
ASKER
The problem was with NAT. I didn't build the ACL that would permit the .1 network to go out to the public.
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 2 interface FastEthernet0/0 overload
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
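An added example, not part of the original thread: a Python check of which inside source addresses the main router's `ip nat inside source list` statements actually translate, run over an excerpt of the MR-CF config before and after the fix above. It shows why pings from the remote router worked while the laptop's did not: the router sources them from 192.168.50.1, which ACL 1 permits, whereas 192.168.1.0/24 hits the implicit deny and leaves untranslated. The laptop address 192.168.1.100 and the function names are constructed for illustration, and only numbered standard ACLs are handled.

```python
import ipaddress
import re

# Excerpt of the main-site (MR-CF) config as posted in the thread.
ORIGINAL_CONFIG = """\
interface Multilink1
 ip address 192.168.50.2 255.255.255.0
 ip nat inside
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
"""

# The two lines the asker added to fix the problem.
FIX_LINES = """\
ip nat inside source list 2 interface FastEthernet0/0 overload
access-list 2 permit 192.168.1.0 0.0.0.255
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")
NAT_RE = re.compile(r"^ip nat inside source list\s+(\S+)\s+interface\s+\S+")


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_standard_acls(config):
    """Return {acl_id: [(action, network, wildcard), ...]} for standard ACLs."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # remarks and unrelated lines
        acl_id, action, spec = m.groups()
        number = int(acl_id)
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            continue  # extended ACLs have a different syntax
        parts = spec.split()
        if parts[0] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif parts[0] == "host":
            net, wild = _to_int(parts[1]), 0
        else:
            net = _to_int(parts[0])
            has_wild = len(parts) > 1 and parts[1] != "log"
            wild = _to_int(parts[1]) if has_wild else 0
        acls.setdefault(acl_id, []).append((action, net, wild))
    return acls


def acl_verdict(entries, src):
    """First matching entry wins; no match means the implicit deny."""
    ip = _to_int(src)
    for action, net, wild in entries:
        # Wildcard bits set to 1 are "don't care" bits.
        if ((ip ^ net) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"


def nat_lists(config):
    """ACL ids referenced by 'ip nat inside source list' statements."""
    return [m.group(1) for line in config.splitlines()
            if (m := NAT_RE.match(line.strip()))]


def is_translated(config, src):
    acls = parse_standard_acls(config)
    return any(acl_verdict(acls.get(acl_id, []), src) == "permit"
               for acl_id in nat_lists(config))


def untranslated(config, sources):
    """Sources that would leave the outside interface with a private address."""
    return [s for s in sources if not is_translated(config, s)]


if __name__ == "__main__":
    # 192.168.1.100 is a constructed remote-LAN laptop address.
    sources = ["192.168.2.164", "192.168.50.1", "192.168.1.100"]
    print("before fix:", untranslated(ORIGINAL_CONFIG, sources))
    print("after fix: ", untranslated(ORIGINAL_CONFIG + FIX_LINES, sources))
```
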
I am glad that you got everything working.