Branch can't get to internet, can't ping anything but ethernet at main site.

Discussion in 'Cisco' started by td, Apr 22, 2006.

  1. td

    td Guest

    Ok,
    What am I missing?
    I've got a new MPLS connection up and running.
    I can ping the branch site from my main site just fine.
    I can not ping ANYTHING past the main site ethernet port via
    the branch router. Can someone please help me out!!!

    Here's some configs
    Main:

    interface FastEthernet0/0
    description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ETH-LAN$
    ip address 192.168.1.251 255.255.255.0
    duplex auto
    speed auto
    !
    interface Serial0/0/0
    ip address 63.239.127.226 255.255.255.252
    ip access-group 189 in
    service-module t1 timeslots 1-12
    !
    router rip
    version 2
    passive-interface FastEthernet0/0
    passive-interface Serial0/0/0
    network 63.0.0.0
    network 192.168.1.0
    neighbor 192.168.2.0
    no auto-summary
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.1.250
    ip route 192.168.2.0 255.255.255.0 63.239.127.225
    !

    Branch router:

    !
    interface Serial0
    ip address 72.165.109.6 255.255.255.252
    ip helper-address 192.168.1.205
    no ip directed-broadcast
    fair-queue 64 256 0
    service-module t1 timeslots 1-6
    no cdp enable
    !
    interface FastEthernet0
    description connected to LAN
    ip address 192.168.2.254 255.255.255.0
    no ip directed-broadcast
    full-duplex
    no cdp enable
    !
    router rip
    version 2
    network 192.168.2.0
    neighbor 192.168.1.0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0
    no ip http server
    !
    no cdp run
     
    td, Apr 22, 2006
    #1

  2. td

    Guest

    td wrote:

    > Ok,
    > What am I missing?
    > I've got a new MPLS connection up and running.
    > I can ping the branch site from my main site just fine.
    > I can not ping ANYTHING past the main site ethernet port via
    > the branch router. Can someone please help me out!!!
    >


    To me it sounds like whatever you are pinging behind the main site
    router does not have a route to the new branch site to be able to
    return the ICMP replies...
    HTH,
    James
     
    , Apr 22, 2006
    #2

  3. td

    td Guest

    I assume I'm missing something.
    I thought the ip route 192.168.2.0 255.255.255.0 63.239.127.225 route
    on the mainsite router
    would get all that traffic directed back to the remote router, but it
    doesn't seem like it.

    It's like the mainsite router isn't actually routing any of the remote
    branch router traffic, as from
    the branch I can't get on the internet.
     
    td, Apr 22, 2006
    #3
  4. td

    Guest

    I'm not sure how MPLS fits in here, but I'll give you my insight
    anyways and you can decide if it's useful...

    You said in your first post that you were able to ping the main site
    ethernet interface from the branch site, right? So that means your
    static route is working fine.

    The problem is with whatever downstream device you are trying to ping
    *behind* the main site router (firewall, internal switch/router,
    server, etc. - if you have a firewall make sure that it is not blocking
    traffic). Does that downstream device have a route for the branch
    subnet, with the main site ethernet as the next hop? The device needs
    to know that to go back to the branch site it has to go through the
    main site router.

    It looks to me that you're not advertising that static route you have
    set up on the main site router over your Fast Eth interface. BTW, who's
    taking care of NAT in this scenario?

    James
     
    , Apr 22, 2006
    #4
  5. td

    td Guest

    No firewall in play here.

    From 192.168.2.254 (internal address of branch router), I can ping

    72.165.109.6
    72.165.109.5
    63.239.127.225
    63.239.127.226
    192.168.1.251

    It dies if I attempt to ping 192.168.1.250 (my internet router)
    I've even put a specific route on the internet router that 192.168.2.0
    traffic goes to 192.168.1.251

    I'm at a loss, why can't I ping or get to anything off the local
    192.168.1 subnet
    from 192.168.2.x??

    Also, NAT is working fine on my internet router, would I need NAT on my
    MPLS network as well?? If so, I really need some help.
     
    td, Apr 22, 2006
    #5
  6. That's strange... if you can ping all that you say you can ping from
    the branch router, and you add:

    ip route 192.168.2.0 255.255.255.0 192.168.1.251 (which is probably
    what you added)

    in your Internet router, you should definitely be able to ping from the
    branch site...

    Only things I can think as possible source of problems:

    1) You are not sourcing your ping with your Fast Eth address at the
    branch site. Are you doing "ping 192.168.1.250 source Fast 0/0/0" (or
    "ping 192.168.1.250 source 192.168.2.254") ?

    2) There's some higher precedence route for that subnet in your
    Internet router. What do you get when you do "sh ip route 192.168.2.0"
    in your Internet router?

    Let me know.

    James
     
    James Schnack, Apr 22, 2006
    #6
  7. td

    td Guest

    I'm definitely sourcing from 192.168.2.254...
    The only route to 192.168.2.0 was the static set
    to 192.168.1.251.
    I considered some old route stuck somewhere because
    we've got junky old Motorolas that are being replaced.

    from 192.168.1.250 I can ping 192.168.1.251 but can't
    ping its WAN (63.239.127.226) or anything beyond on the
    way to 192.168.2.x.

    I think something is turned on that router that I just don't know
    about...
    Here's more of the config. It's a newer router 2800 series and the IOS
    has more capacity
    than I'm used to!!!


    !
    !
    interface FastEthernet0/0
    description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ETH-LAN$
    ip address 192.168.1.251 255.255.255.0
    duplex auto
    speed auto
    !
    interface Serial0/0/0
    ip address 63.239.127.226 255.255.255.252
    service-module t1 timeslots 1-12
    !
    router rip
    version 2
    passive-interface FastEthernet0/0
    passive-interface Serial0/0/0
    network 63.0.0.0
    network 192.168.1.0
    neighbor 72.165.109.4
    neighbor 192.168.2.0
    no auto-summary
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.1.250
    ip route 10.1.10.0 255.255.255.0 192.168.1.254
    ip route 72.165.109.4 255.255.255.252 63.239.127.225
    ip route 192.168.2.0 255.255.255.0 72.165.109.5
    !
    ip http server
    ip http authentication local
    ip http timeout-policy idle 5 life 86400 requests 10000
    !
    !
    control-plane
     
    td, Apr 22, 2006
    #7
  8. Very strange indeed... only thing I can think of now is doing some
    sniffing on the main site LAN (I use a Linux box and tcpdump). That way
    you'll be able to see if the ping packets are making it to the wire when
    pinging your internet router and the internet router is not sending
    them back, or if they are not making it to the wire at all.

    Something strange in the last config you posted... how did the router
    allow you to set the static route "ip route 192.168.2.0 255.255.255.0
    72.165.109.5", if the next hop address (72.165.109.5) is not part of
    any directly connected subnet??? I would think the router would reject
    such a command...

    J.
     
    James Schnack, Apr 23, 2006
    #8
  9. td

    td Guest

    Ok,
    Got it figured out.
    The 0.0.0.0 0.0.0.0 route was pointed to my internet router
    (192.168.1.250)
    Since it didn't know about the MPLS addresses (the 72.165.109.5 &
    63.239.127.226 networks)
    it didn't know how to get back....

    Dumb, I know.

    Also, once I got that figured out, I found out that for the remote site
    to get out on the internet
    I need to NAT an address, I didn't have to do this with my old frame
    relay circuit. Why do I have
    to do that now?
     
    td, Apr 23, 2006
    #9
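
The return-path problem described in post #9, worked through as an added example (not part of any post in this thread): a longest-prefix-match lookup on the Internet router shows which ping sources get their echo replies sent out the ISP uplink instead of back to the main-site router. The Internet router's table contents, the `ISP` placeholder and the static routes in `AFTER` are assumptions; the addresses come from the posted configs.

```python
import ipaddress

MAIN_RTR = "192.168.1.251"   # main-site 2800, LAN side (from the thread)
ISP = "ISP"                  # placeholder next hop for the Internet uplink

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def reply_paths(table, sources):
    """Where the Internet router sends an echo reply to each ping source."""
    return {src: lookup(table, src) for src in sources}

# Constructed table for the Internet router (192.168.1.250) as described in
# posts #5 and #9: it knows the branch LAN but not the MPLS link subnets.
BEFORE = [
    ("192.168.1.0/24", "connected"),
    ("192.168.2.0/24", MAIN_RTR),
    ("0.0.0.0/0", ISP),
]
# Assumed fix: static routes for both MPLS /30s via the main-site router.
AFTER = BEFORE + [
    ("63.239.127.224/30", MAIN_RTR),
    ("72.165.109.4/30", MAIN_RTR),
]

# Addresses a ping can be sourced from, taken from the posted configs.
SOURCES = ["192.168.2.254", "72.165.109.6", "63.239.127.226"]

def misrouted(table):
    """Sources whose replies would leave via the ISP instead of the MPLS side."""
    return [s for s, hop in reply_paths(table, SOURCES).items() if hop == ISP]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        for src, hop in reply_paths(table, SOURCES).items():
            print(f"{name}: reply to {src:15} -> {hop}")
        print(f"{name}: misrouted = {misrouted(table)}")
```
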
  10. Glad you solved it.

    Will your remote site Internet-bound traffic be accessing the Internet
    through the remote site router, or will it traverse the MPLS network to
    the main site and access the Internet from there? If you do the latter,
    you may get away without the need to do any special NAT for this site,
    plus you will be able to exercise more control on that traffic. Just
    have the remote site follow the same path as your main site Internet
    users...

    If you want the remote site users to access the Internet "locally" then
    you will definitely need NAT done by the remote site router.

    J.
     
    James Schnack, Apr 24, 2006
    #10