

How do I share an internet connection across a WAN? (i.e. consolidated internet)

Posted on 2011-09-07
Last Modified: 2012-05-12
Ok, I have four sites connected via a Wide Area Network.  
One site acts as the "hub" site, and the other three all connect to this site.  The Cisco routers that terminate the ATM circuits are using EIGRP to handle routing of traffic from one site to the other.
Here is the network info.

Main site is
Site 1 is
Site 2 is
Site 3 is

Edited to add*
The ATM Circuits are on the network
The Main site has 3 VC's

The Branch sites are:
Site 1:
Site 2:
Site 3

So the main site's interface ATM1/0.10 ( connects to site 2's interface ATM1/0.10 (
and so on for the other sites.

Right now each site has their own internet connection.  The WAN router is the default gateway for each site, and there is a static route pointing to the firewall for that site.
So the Main site router has the local IP address, and the Firewall for that site is
On the router the following command is given to route internet bound traffic to the firewall.
ip route
Each site is configured similarly.  
Recently we upgraded our bandwidth at the main site to a full DS3 with the intention of sharing this internet connection with the other sites.  

This is where I am running into some issues...

I have tried changing the static route on the other WAN routers to point to the main site firewall rather than each site's firewall, but this doesn't work.  
I tried setting the static route on the branch sites to point to the main site WAN router (using both the address as well as its ATM interface IP)
I also tried removing the static route to see if eigrp would actually route things for me.
None of these have worked.

I am not a router expert but I can't figure out why changing the static route doesn't work, since the branch site routers "know" how to get to those other addresses (this was supposed to be configured by the provider when they installed the WAN, but the DS3 was delayed, so we set up the static routes as a temporary fix).

Also, I can post more information, including my current configs on the routers if that would help.
Question by:Dogberry1982

Expert Comment

ID: 36500556
This is no problem.  You just need to get rid of the default routes at each site pointing to the firewall, and have a default route pointing to the WAN link instead.  With aggregated addresses as you have done, you could do this all with static routes, or you could get fancy and run a dynamic protocol such as OSPF, advertising a default route from the hub out to the spokes.  If you choose to stick with static routes, make sure you have them going in both directions -- a static default at each site and statics at the hub pointing to the address blocks at the spoke sites.  

Author Comment

ID: 36500585
When you say I will need static routes going both directions, what do you mean?
That I should replace the current eigrp routing rules with static routes for the WAN traffic?

I actually tried replacing the default static route that points to the firewall with a static that points to the main site WAN router.  Are you saying I need to point it to the branch site WAN address? (in other words back at itself?)

Could you possibly give an example based on the network info I listed?

Thank you for your help.

Expert Comment

ID: 36501500
Please trace any public IP from a remote location machine; it should reach .....

Have you done the changes on the central firewall?
Is there NATting done on the central firewall? If yes, have you added the remote sites' subnets to it?

If the packet is not reaching it, do the below:
#no ip route firewallIP of remote location..
#ip route WAN-IP of remote location
#redistribute the central default-route in EIGRP process so that it is reached to remote locations.

Then check if the subnets of the remote location are allowed in the firewall.


Expert Comment

ID: 36501505
Also, please run sh ip route on all remote locations and paste the output.

Author Comment

ID: 37378606
Ok, I set up a static route at the remote site that points to the WAN router at the main site.
When I run tracert, it makes the first two hops, the remote site wan router which is the default gateway for the computer, and then the outside interface IP on the wan router at the main site, but then it stops there and times out.  
What this tells me is that the router at the remote site knows that it is supposed to send internet traffic to the wan router at the main site, but that the wan router at the main site doesn't know what to do with it.  

I assume this is due to the eigrp settings, which I didn't configure.  I don't want to disable eigrp, as this would impact the network to network traffic.  

Can anyone give me a clue as to what I would need to do to get eigrp to route the internet traffic from the remote site to the firewall at the main site?  


Accepted Solution

Sanjeevloke earned 2000 total points
ID: 37379042
Can you ping the LAN IP of each site from the firewall?
I feel some rules are blocking the reply back from the firewall.

As per the above reply, I assume the trace output is as below:
1) ----default gateway
2) ....
3) * * *
4) * * *

If the above is correct, I don't think there is any issue with EIGRP or routes.
It's a FW issue; you have put some rules to allow ICMP/port 80, 443, 8080 etc.

Author Comment

ID: 37382463
Your suspicion was correct.  I am unable to ping any of the remote site wan routers from the main site firewall, and I am unable to ping the main site firewall from any of the remote sites.  

Looking at my firewall config, it didn't have a route set up to the remote sites.  Thank you for your help.


Author Closing Comment

ID: 37382517
Thank you for helping me troubleshoot this.  I got so focused on the router config that I completely forgot to check the firewall to make sure it had routes set up for the remote sites.  Once I added those, everything started working.
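
The failure resolved in this thread (spoke traffic reaches the hub, but the firewall has no route back to the spoke LANs) can be reproduced with a small routing-table model. This is an added example, not part of the original thread; all addresses and device names are constructed, since the thread's real addresses are not shown.

```python
import ipaddress

# Constructed addressing (assumption): one spoke LAN, the hub LAN, one internet host.
SPOKE_LAN, HUB_LAN = "10.1.0.0/24", "10.0.0.0/24"
SPOKE_HOST, INTERNET_HOST = "10.1.0.20", "203.0.113.10"

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table.items()
               if dst in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from `start`; outcome is 'local', 'isp', 'no route' or 'loop'."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        if hop in (None, "local", "isp"):
            return path, hop or "no route"
        path.append(hop)
        node = hop
    return path, "loop"

def build(firewall_has_spoke_route):
    """Routing tables for the hub-and-spoke design; 'local' = directly connected."""
    firewall = {"0.0.0.0/0": "isp", HUB_LAN: "local"}
    if firewall_has_spoke_route:
        firewall[SPOKE_LAN] = "hub-router"   # the route that was missing
    return {
        "spoke-router": {SPOKE_LAN: "local", "0.0.0.0/0": "hub-router"},
        "hub-router": {HUB_LAN: "local", SPOKE_LAN: "spoke-router",
                       "0.0.0.0/0": "firewall"},
        "firewall": firewall,
    }

def round_trip_ok(tables):
    """Outbound must exit via the ISP; the reply must be delivered on the spoke LAN."""
    _, out = trace(tables, "spoke-router", INTERNET_HOST)
    back_path, back = trace(tables, "firewall", SPOKE_HOST)
    return out == "isp" and back == "local" and back_path[-1] == "spoke-router"

if __name__ == "__main__":
    for fixed in (False, True):
        t = build(fixed)
        print("firewall route to spoke LAN:", fixed)
        print("  outbound:", trace(t, "spoke-router", INTERNET_HOST))
        print("  reply:   ", trace(t, "firewall", SPOKE_HOST))
        print("  round trip ok:", round_trip_ok(t))
```

Without the spoke route, the firewall's reply matches only its default route and is sent toward the ISP, which is why the traceroute went silent after the hub router even though every router's table was correct.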

