How do I share an internet connection across a WAN? (i.e. consolidated internet)

Ok, I have four sites connected via a Wide Area Network.  
One site acts as the "hub" site, and the other three all connect to this site.  The Cisco routers that terminate the ATM circuits are using EIGRP to handle routing of traffic from one site to the other.
Here is the network info.

Main site is 172.16.0.0/20
Site 1 is 172.16.32.0/20
Site 2 is 172.16.48.0/20
Site 3 is  172.16.64.0/20

Edited to add*
The ATM Circuits are on the 192.168.254.0/30 network
The Main site has 3 VCs
192.168.254.1
192.168.254.5
192.168.254.9

The Branch sites are:
Site 1: 192.168.254.4
Site 2: 192.168.254.2
Site 3: 192.168.254.8

So the main site's interface ATM1/0.10 (192.168.254.1) connects to site 2's interface ATM1/0.10 (192.168.254.2)
and so on for the other sites.

Right now each site has its own internet connection.  The WAN router is the default gateway for each site, and there is a static route pointing to the firewall for that site.
So the Main site router has the local IP address 172.16.1.1, and the Firewall for that site is 172.16.1.5.
On the router the following command is given to route internet bound traffic to the firewall.
ip route 0.0.0.0 0.0.0.0 172.16.1.5
Each site is configured similarly.  
Recently we upgraded our bandwidth at the main site to a full DS3 with the intention of sharing this internet connection with the other sites.  

This is where I am running into some issues...

I have tried changing the static route on the other WAN routers to point to the main site firewall rather than each site's firewall, but this doesn't work.  
I tried setting the static route on the branch sites to point to the main site WAN router (using both the 172.16.1.1 address as well as its ATM interface IP)
I also tried removing the static route to see if EIGRP would actually route things for me.
None of these have worked.

I am not a router expert, but I can't figure out why changing the static route doesn't work, since the branch site routers "know" how to get to those other addresses (this was supposed to be configured by the provider when they installed the WAN, but the DS3 was delayed, so we set up the static routes as a temporary fix).


Also, I can post more information, including my current configs on the routers if that would help.
Dogberry1982 Asked:
 
Sanjeevloke Commented:
Can you ping the LAN IP of each site from the firewall?
I feel some rules are blocking the reply back from the firewall.

As per the above reply, I assume the trace output is as below:
1) 172.16.32.1 ---- default gateway
2) 192.168.254.1 ....
3) * * *
4) * * *

If the above is correct, I don't think there is any issue with EIGRP or routes.
It's a FW issue; you have put some rules to allow ICMP/port 80, 443, 8080 etc.
0
 
jmeggers, Sr. Network and Security Engineer, Commented:
This is no problem.  You just need to get rid of the default routes at each site pointing to the firewall, and have a default route pointing to the WAN link instead.  With aggregated addresses as you have done, you could do this all with static routes, or you could get fancy and run a dynamic protocol such as OSPF, advertising a default route from the hub out to the spokes.  If you choose to stick with static routes, make sure you have them going in both directions -- a static default at each site and statics at the hub pointing to the address blocks at the spoke sites.  
0
 
Dogberry1982 (Author) Commented:
When you say I will need static routes going both directions, what do you mean?
That I should replace the current EIGRP routing rules with static routes for the WAN traffic?

I actually tried replacing the default static route that points to the firewall with a static that points to the main site WAN router.  Are you saying I need to point it to the branch site WAN address? (in other words back at itself?)

Could you possibly give an example based on the network info I listed?

Thank you for your help.
0
 
Sanjeevloke Commented:
Please trace any public IP from a remote location machine; it should reach 172.16.1.5.

Have you made the changes on the central firewall?
Is NAT done on the central firewall? If yes, have you added the remote sites' subnets to it?

If the packet is not reaching 172.16.1.5, do the below:
#no ip route 0.0.0.0 0.0.0.0 firewallIP of remote location..
#ip route 0.0.0.0 0.0.0.0 WAN-IP of remote location
or
#redistribute the central default-route in EIGRP process so that it is reached to remote locations.

Then check if the subnets of the remote locations are allowed in the firewall.
0
 
Sanjeevloke Commented:
Also, please sh ip route 0.0.0.0 on all remote locations and paste it.
0
 
Dogberry1982 (Author) Commented:
Ok, I set up a static route at the remote site that points 0.0.0.0 0.0.0.0 to the WAN router at the main site.
When I run tracert, it makes the first two hops, the remote site WAN router which is the default gateway for the computer, and then the outside interface IP on the WAN router at the main site, but then it stops there and times out.  
What this tells me is that the router at the remote site knows that it is supposed to send internet traffic to the WAN router at the main site, but that the WAN router at the main site doesn't know what to do with it.  

I assume this is due to the EIGRP settings, which I didn't configure.  I don't want to disable EIGRP, as this would impact the network to network traffic.  

Can anyone give me a clue as to what I would need to do to get EIGRP to route the internet traffic from the remote site to the firewall at the main site?  

Thanks
0
 
Dogberry1982 (Author) Commented:
Your suspicion was correct.  I am unable to ping any of the remote site WAN routers from the main site firewall, and I am unable to ping the main site firewall from any of the remote sites.  

Looking at my firewall config, it didn't have a route set up to the remote sites.  Thank you for your help.

Mason
0
 
Dogberry1982 (Author) Commented:
Thank you for helping me troubleshoot this.  I got so focused on the router config that I completely forgot to check the firewall to make sure it had routes set up for the remote sites.  Once I added those, everything started working.  

Mason
0
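
The fix reported in this thread (routes on the main-site firewall back to the branch subnets) and the earlier advice about having routes in both directions can be checked with a small longest-prefix-match model of the three routing tables. This is an added example, not code from the thread: the device names, the host 172.16.32.50 and the public address 203.0.113.10 are constructed, and only Site 1 is modelled on the routers.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match over {prefix: next hop}; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [ipaddress.ip_network(p) for p in table
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    return table[str(max(hits, key=lambda n: n.prefixlen))]

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from `start`; the last element says where it ended."""
    path = [start]
    for _ in range(max_hops):
        hop = next_hop(tables[path[-1]], dst) or "no route"
        path.append(hop)
        if hop not in tables:  # "connected", "internet" or "no route"
            return path
    return path + ["loop"]

def build(firewall_knows_branches):
    """Routing tables from the thread; device names are hypothetical."""
    fw = {"172.16.0.0/20": "connected", "0.0.0.0/0": "internet"}
    if firewall_knows_branches:
        # The missing piece: branch subnets via the hub WAN router (172.16.1.1)
        for net in ("172.16.32.0/20", "172.16.48.0/20", "172.16.64.0/20"):
            fw[net] = "hub-router"
    return {
        "site1-router": {"172.16.32.0/20": "connected",
                         "172.16.0.0/20": "hub-router",   # learned via EIGRP
                         "0.0.0.0/0": "hub-router"},      # new static default
        "hub-router": {"172.16.0.0/20": "connected",
                       "172.16.32.0/20": "site1-router",  # learned via EIGRP
                       "0.0.0.0/0": "firewall"},          # via 172.16.1.5
        "firewall": fw,
    }

if __name__ == "__main__":
    for fixed in (False, True):
        tables = build(fixed)
        print("firewall has branch routes:", fixed)
        print("  outbound:", trace(tables, "site1-router", "203.0.113.10"))
        print("  return:  ", trace(tables, "firewall", "172.16.32.50"))
```

The outbound path is identical in both cases; only the return trace changes, which is why the router-side checks looked correct while replies never came back.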
Question has a verified solution.