• Status: Solved

How do I share an internet connection across a WAN? (i.e. consolidated internet)

Ok, I have four sites connected via a Wide Area Network.  
One site acts as the "hub" site, and the other three all connect to this site.  The Cisco routers that terminate the ATM circuits are using EIGRP to handle routing of traffic from one site to the other.
Here is the network info.

Main site is
Site 1 is
Site 2 is
Site 3 is

Edited to add*
The ATM Circuits are on the network
The Main site has 3 VCs

The Branch sites are:
Site 1:
Site 2:
Site 3

So the main site's interface ATM1/0.10 ( connects to site 2's interface ATM1/0.10 (
and so on for the other sites.

Right now each site has their own internet connection.  The WAN router is the default gateway for each site, and there is a static route pointing to the firewall for that site.
So the Main site router has the local IP address, and the Firewall for that site is
On the router the following command is given to route internet bound traffic to the firewall.
ip route
Each site is configured similarly.  
Recently we upgraded our bandwidth at the main site to a full DS3 with the intention of sharing this internet connection with the other sites.  

This is where I am running into some issues...

I have tried changing the static route on the other WAN routers to point to the main site firewall rather than each site's firewall, but this doesn't work.  
I tried setting the static route on the branch sites to point to the main site WAN router (using both the address as well as its ATM interface IP).
I also tried removing the static route to see if EIGRP would actually route things for me.
None of these have worked.

I am not a router expert, but I can't figure out why changing the static route doesn't work, since the branch site routers "know" how to get to those other addresses (this was supposed to be configured by the provider when they installed the WAN, but the DS3 was delayed, so we set up the static routes as a temporary fix).

Also, I can post more information, including my current configs on the routers if that would help.
jmeggers (Sr. Network and Security Engineer) Commented:
This is no problem.  You just need to get rid of the default routes at each site pointing to the firewall, and have a default route pointing to the WAN link instead.  With aggregated addresses as you have done, you could do this all with static routes, or you could get fancy and run a dynamic protocol such as OSPF, advertising a default route from the hub out to the spokes.  If you choose to stick with static routes, make sure you have them going in both directions -- a static default at each site and statics at the hub pointing to the address blocks at the spoke sites.  
Dogberry1982 (Author) Commented:
When you say I will need static routes going both directions, what do you mean?
That I should replace the current EIGRP routing rules with static routes for the WAN traffic?

I actually tried replacing the default static route that points to the firewall with a static that points to the main site WAN router.  Are you saying I need to point it to the branch site WAN address? (in other words back at itself?)

Could you possibly give an example based on the network info I listed?

Thank you for your help.
Please trace any public IP from a remote location machine; it should reach to .....

Have you done the changes on the central firewall?
Is there NATing done on the central firewall? If yes, have you added the remote sites' subnets to it?

If the packet is not reaching to do below
#no ip route firewallIP of remote location..
#ip route WAN-IP of remote location
#redistribute the central default-route in EIGRP process so that it is reached to remote locations.

Then check if the subnets of remote location are allowed in firewall.

Also please run sh ip route on all remote locations and paste it.
Dogberry1982 (Author) Commented:
Ok, I set up a static route at the remote site that points to the WAN router at the main site.
When I run tracert, it makes the first two hops, the remote site wan router which is the default gateway for the computer, and then the outside interface IP on the wan router at the main site, but then it stops there and times out.  
What this tells me is that the router at the remote site knows that it is supposed to send internet traffic to the wan router at the main site, but that the wan router at the main site doesn't know what to do with it.  

I assume this is due to the EIGRP settings, which I didn't configure.  I don't want to disable EIGRP, as this would impact the network to network traffic.  

Can anyone give me a clue as to what I would need to do to get EIGRP to route the internet traffic from the remote site to the firewall at the main site?  

Can you ping the LAN IP of each site from the firewall?
I feel some rules are blocking the reply back from the firewall.

As per the above reply, I assume the trace output is as below:
1) ----default gateway
2) ....
3) * * *
4) * * *

If the above is correct, I don't think there is any issue with EIGRP or routes.
It's a FW issue; you have put some rules to allow ICMP/port 80, 443, 8080 etc.
Dogberry1982 (Author) Commented:
Your suspicion was correct.  I am unable to ping any of the remote site WAN routers from the main site firewall, and I am unable to ping the main site firewall from any of the remote sites.  

Looking at my firewall config, it didn't have a route set up to the remote sites.  Thank you for your help.

Dogberry1982 (Author) Commented:
Thank you for helping me troubleshoot this.  I got so focused on the router config that I completely forgot to check the firewall to make sure it had routes set up for the remote sites.  Once I added those, everything started working.  
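
The fault this thread ended on (the spoke's default route reaches the hub firewall, but the firewall has no route back to the spoke subnet) can be modelled with a small longest-prefix-match simulation. This is an added example, not part of any post above; every address and device name in it is constructed, because the thread's own addresses are not on the page.

```python
import ipaddress

# Constructed topology: the thread's real addresses are not on the page.
SPOKE_LAN = "10.1.0.0/16"
BROKEN = {  # device -> {prefix: next hop}; hops not in the dict are terminal
    "spoke-rtr": {SPOKE_LAN: "spoke-lan", "0.0.0.0/0": "hub-rtr"},
    "hub-rtr": {SPOKE_LAN: "spoke-rtr", "10.0.0.0/16": "hub-lan",
                "0.0.0.0/0": "hub-fw"},
    # Firewall knows only its own LAN and the ISP: no route back to the spoke.
    "hub-fw": {"10.0.0.0/16": "hub-lan", "0.0.0.0/0": "isp"},
}
# The fix from the thread: give the firewall a route to the remote site.
FIXED = {**BROKEN, "hub-fw": {**BROKEN["hub-fw"], SPOKE_LAN: "hub-rtr"}}


def next_hop(table, dst):
    """Longest-prefix match over one device's routing table."""
    addr = ipaddress.ip_address(dst)
    hits = [ipaddress.ip_network(p) for p in table
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    return table[str(max(hits, key=lambda n: n.prefixlen))]


def trace(tables, start, dst, max_hops=8):
    """Hop-by-hop path from device `start` toward address `dst`."""
    path, node = [start], start
    while node in tables and len(path) <= max_hops:
        node = next_hop(tables[node], dst)
        path.append(node)
    return path


def round_trip_ok(tables, client_ip, server_ip):
    """True only if the request reaches the ISP and the reply reaches the spoke LAN."""
    out = trace(tables, "spoke-rtr", server_ip)
    back = trace(tables, "hub-fw", client_ip)
    return out[-1] == "isp" and back[-1] == "spoke-lan"


if __name__ == "__main__":
    for name, tables in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, trace(tables, "hub-fw", "10.1.0.25"),
              round_trip_ok(tables, "10.1.0.25", "203.0.113.10"))
```

In the broken table the forward path is complete, which is why the trace in the thread got as far as the hub router, while the reply to the spoke client follows the firewall's default route toward the ISP and never comes back.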

