Remote office can’t access the Internet via the main office router


msworld

MIS
Jun 28, 2005
534
US
There are 3 routers in the main office. The OX router (outside x.x.x.x and inside 192.168.0.250) connects to the Internet. Cisco 1841 192.168.0.81 and USR 8200 192.168.0.95 connect to a switch. Both the 192.168.0.x and 192.168.2.x subnets can access the Internet without any issues.

Cisco 1841 192.168.100.1 in the main office also connects to Cisco 1841 192.168.100.2 in a remote office. The remote office 192.168.1.x can access the main office without problems, but not the Internet. The computers in the remote office can’t even ping the OX router 192.168.0.250. Tracert 4.2.2.1 stops at 192.168.100.1.

The main office 1841 has these routing commands

ip route 0.0.0.0 0.0.0.0 192.168.0.250

ip route 192.168.1.0 255.255.255.0 192.168.100.2

The remote office 1841 has these routing commands

ip route 0.0.0.0 0.0.0.0 192.168.100.1

ip route 192.168.0.0 255.255.255.0 192.168.100.1

Any ideas why the remote office can’t access the Internet?

The drawing can be found here


Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
Check the routes on the OX router. Specifically verify it has a route for 192.168.1.0 255.255.255.0 via 192.168.0.81
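
The return-path check suggested in the reply above, as an added example that is not part of the original thread: the two 1841 tables use the routes posted in the question, while the OX table (ISP-managed and never shown) and the host 192.168.1.10 are assumptions.

```python
import ipaddress

# Routing tables as (prefix, next hop). The 1841 entries come from the thread;
# the OX table is ASSUMED, since the ISP-managed router is never shown.
TABLES = {
    "remote-1841": [("192.168.1.0/24", "connected"),
                    ("192.168.100.0/24", "connected"),
                    ("192.168.0.0/24", "192.168.100.1"),
                    ("0.0.0.0/0", "192.168.100.1")],
    "main-1841": [("192.168.0.0/24", "connected"),
                  ("192.168.100.0/24", "connected"),
                  ("192.168.1.0/24", "192.168.100.2"),
                  ("0.0.0.0/0", "192.168.0.250")],
    "OX": [("192.168.0.0/24", "connected"),
           ("0.0.0.0/0", "ISP")],
}
# Which router owns each next-hop address.
OWNER = {"192.168.100.1": "main-1841", "192.168.100.2": "remote-1841",
         "192.168.0.250": "OX", "192.168.0.81": "main-1841"}

def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(start, dst, tables=TABLES, max_hops=8):
    """Follow next hops from router `start` toward dst; return (path, outcome)."""
    path, router = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[router], dst)
        if hop is None:
            return path, "no route"
        if hop in ("connected", "ISP"):
            return path, "delivered" if hop == "connected" else "sent to ISP"
        router = OWNER[hop]
        path.append(router)
    return path, "loop"

def with_return_route(tables):
    """Copy of the tables with the reply's suggested route added on OX."""
    fixed = {name: list(routes) for name, routes in tables.items()}
    fixed["OX"].append(("192.168.1.0/24", "192.168.0.81"))
    return fixed
```

Tracing from the remote router toward 192.168.0.250 succeeds, but tracing from OX back toward 192.168.1.10 follows the default route to the ISP until the 192.168.1.0/24 route is added, which matches a tracert that stops at 192.168.100.1.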
 
Thank you for the quick reply. That may be the problem: the OX router may not route back to the Cisco router. I thought that, but I'm not sure. First of all, we can’t manage the OX router; only the ISP manages the router. The ISP wants to limit the Internet to just one subnet, 192.168.0.x. So I can’t tell that for sure. I have another question. Why does the USR router work without the OX router knowing how to come back to the 192.168.2.x subnet?

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
It could be that the USR router may be using a default route (i.e. it could be routing all unknown routes via a LAN gateway - probably the 1841)

OR

it has a route for 192.168.x.x so anything with a 192.168.x.x address is routed via the LAN - again via the 1841.
 
Since we can't manage the USR router, we must configure the NAT on the main office Cisco 1841. How do you do that using SDM in this case?

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
I thought I might fix this issue by adding NAT, but no. Still the same problem: 192.168.1.x and the Cisco router in the remote office (192.168.1.91/192.168.100.2) can’t pass the XO router, even though I tried the following commands. Can someone take a look at the configuration (see below)?

I tried these:
interface FastEthernet0/1
ip address 192.168.0.81 255.255.255.0
ip nat outside

interface Serial0/0/0
ip address 192.168.100.1 255.255.255.0
ip nat inside

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload

And tried these:

conf t
int fat0/1
ip nat outside
int s0/0/0
ip nat inside
exit
access-list 99 permit any
ip nat inside source list 99 fa0/1 overload
end

Here is the code:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$40lL$Jy2/yuIKx9wL3RrgzpzyH.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
!
username ccmd privilege 15 secret 5 $1$s9Yv$6buU8kcAE6XxF5lBnfzmk1
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 192.168.0.81 255.255.255.0
ip access-group sdm_fastethernet0/1_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
ip address 192.168.100.1 255.255.255.0
ip access-group sdm_serial0/0/0_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.250
ip route 192.168.1.0 255.255.255.0 192.168.100.2
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static network 192.168.100.1 192.168.0.81 /32
!
ip access-list extended sdm_fastethernet0/1_in
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_serial0/0/0_in
remark SDM_ACL Category=1
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 99 remark SDM_ACL Category=16
access-list 99 permit any
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
password 7 08314D5D1A0E0A05164B5C
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 4000 1000
end


Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
Hello
I had a similar problem, and I resolved it by removing the IP addresses from the router interfaces that connect the remote and main offices.


ISP router
|
|
Outside ip
PIX Firewall in main office (nat)
192.168.0.1
|
Lan 192.168.0.0
|
192.168.0.3
Secondary Router C1600 in main office
unnumbered interface
|
|
unnumbered interface
Router C1600 in remote Office
192.168.2.1
|
LAN 192.168.2.0

When I have IP addresses (192.168.100.1 and 192.168.100.2 on the Cisco 1600s), users in the remote office only have access to the LAN in the main office; with unnumbered interfaces, users can access the Internet too.
Regards
Mac
 
macfoxx,

I have the same exact setup as you. We have two routers in place now (they have internet access with these two routers) and I am trying to replace them with two Cisco 1760 routers, each with a WIC 1DSU TI for the serial interface. The remote office routes to the main office for all services, network and internet. All internal network works fine. They can receive mail via our Exchange server located at the main office. They can view our web server internally. They cannot reach the internet though. Here is the config for both routers. South=remote, North=Main:

Remote Office Router:

version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname South
!
logging buffered 4096 debugging
!
clock timezone UTC -6
clock summer-time UTC recurring
ip subnet-zero
no ip domain lookup

interface FastEthernet0/0
description connected to EthernetLAN_1
ip address 10.0.253.1 255.255.255.0
no keepalive
speed auto
!
interface Serial0/0
description connected to North
ip unnumbered FastEthernet0/0
encapsulation ppp
ip tcp header-compression iphc-format
service-module t1 remote-alarm-enable
ip rtp header-compression iphc-format
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.51
ip http server
ip http authentication local


Main Office Router:

version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname North
!
logging buffered 4096 debugging
enable secret 5 $1$OM2K$OYYgIKo3hvXLN8fMqqONv0
enable password u4g7e84t
!
ip subnet-zero

interface FastEthernet0/0
ip address 10.0.0.51 255.255.248.0
speed auto
!
interface Serial0/0
ip unnumbered FastEthernet0/0
encapsulation ppp
ip tcp header-compression iphc-format
fair-queue
service-module t1 clock source internal
service-module t1 timeslots 1-24
ip rtp header-compression iphc-format
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 10.0.253.0 255.255.255.0 10.0.0.51
ip http server
ip http authentication local

We also have a PIX for our firewall. I have a route entered there as well. I don't have a lot of experience with routers so any help would be appreciated.

Ray
 
I would suggest the following route changes.

remote
no ip route 0.0.0.0 0.0.0.0 10.0.0.51
ip route 0.0.0.0 0.0.0.0 serial0/0

main office
no ip route 10.0.253.0 255.255.255.0 10.0.0.51
ip route 10.0.253.0 255.255.255.0 serial0/0

Right now, in the main office router, traffic destined for the remote is pointed at the LAN interface for the main store.
 
Everything from the PIX should just point to the main router, as it will then distribute the traffic based on its address.
 
The above two replies are addressed to RayMac............
 
Hi RayMac
I agree with Joamon. Make this modification on your routers, and also check your route on the PIX; it must be something like this:
route inside 10.0.253.0 255.255.255.0 10.0.0.51 1
Regards
 
The client decided to switch to another ISP and I can't do any settings.

Everyone's input is very helpful. Thank you.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 