
Internet access from remote site 1


visionthing (Technical User; joined Oct 16, 2003; 86 messages; location: US)
I have a corporate and remote site and each has their own router. The corporate router has a T1 to the internet and a frame relay to the remote site. The corporate can access the I-net and the remote can access the corporate site and vice versa. The remote site cannot access the internet via the corporate router. Here are the routes:

This is allowing access to the I-net and is allowing corp out to the I-net
ip route 0.0.0.0 0.0.0.0 68.x.x.157

This is allowing access from the frame to the corporate firewall and is working
ip route 192.168.6.0 255.255.255.0 192.168.1.1

Is there something that I'm missing as to why the remote site cannot get to the internet?
 
Might try
ip route 0.0.0.0 0.0.0.0 192.168.1.1
 
That's another default route, right? If I already have one pointing to the x.x.x.157 hop, won't this mess up that route and then the 192.168.1.x network won't get to the I-net? I thought that if I have a preferred route and then the default route that traffic destined for the I-net from the 192.168.6.0 network would then use the default route since the preferred route will not get them to the I-net destination.
 
Could you post the config without any passwords or other private info?
 
Please also post remote config.
 
Thanks for your replies. They don't know the pw to the remote router, so I can't see what's going on there. If this config looks ok, I might have to make a trip to the remote side.

But here's the config to the router in question:

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxx
!
enable secret 5 $1$Hf/7$K6Pnvs3uduYUlBs55DULS.
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
!
!
!
interface FastEthernet0/0
description connects to inside firewall (outside68.x.x.82 > inside192.168.1.1)
ip address 68.x.x.81 255.255.255.248
speed auto
full-duplex
!
interface Serial0/0
description frame relay connection
ip address 192.168.6.1 255.255.255.0
encapsulation frame-relay
no ip split-horizon eigrp 200
no fair-queue
frame-relay map ip 192.168.6.12 130 broadcast
frame-relay interface-dlci 120
!
interface Serial0/1
description OUT TO INTERNET
ip address 68.x.x.158 255.255.255.252
ip load-sharing per-packet
fair-queue
service-module t1 clock source internal
service-module t1 timeslots 1-24
!
router eigrp 200
network 192.168.1.0
network 192.168.6.0
auto-summary
eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1 68.x.x.157
ip route 192.168.6.0 255.255.255.0 192.168.1.1
ip http server
ip pim bidir-enable
!
!
line con 0
line aux 0
password 7 06130E225A401A
login
modem Dialin
modem autoconfigure type usr_courier
transport input all
speed 115200
flowcontrol hardware
line vty 0 4
password 7 020B054F1F151B2E424B
login
!
end
 
What type of firewall device are you using?
 
I am going to think out loud a minute.
Your corporate LAN sits behind a firewall... I assume that it is doing NAT for internet traffic... your firewall device then connects to your T1 edge router... this router connects to a T1 internet connection and also connects to your remote LAN... I think that the problem may be that your remote office is trying to go to the internet from outside of the corporate firewall/NAT device. Your remote office should connect to corporate and be behind the firewall and not exposed on your edge router. I don't really think it's a good idea to have a private LAN exposed on an edge router like this.
 
Yes, I believe that you have the topology correct. The router has 2 serial connections (1-T1 and 1-FR) and also 1 ethernet connection (providing the connection to the firewall). The remote site connects via the FR and because of the route statement has access to the corp network. The corp network gets to the internet via the T1 connection.

Are you saying that if I get rid of the 2 route statements and just use "ip route 0.0.0.0 0.0.0.0 192.168.1.1" that it would then route ALL of the FR traffic into the firewall and that would then allow the remote site internet access back out? Do I not need the route statement in pointing to the next hop?
 
Forget my original reply...I did not understand the topology correctly.
Is there a firewall device at the remote site or just the router?
 
I think what I am getting at is that you might need another router so that the remote office can be connected behind the corporate firewall. It is kind of vulnerable the way it is right now, and if the remote gets hacked then they also have a clear path to corporate. Also XXXX out your service passwords in any future posts as they are easily cracked.
 
The remote site is behind a firewall.

The way this used to be set up goes like this:

Inet router > firewall > corp network & router (connecting to the firewall)

Going with a different ISP, they got rid of the Inet router in front of the firewall, added a T1 (in addition to the FR) and moved the FW behind the router. Now, there's the FR coming in to give the remote site access to the corp network (via the firewall) and a T1 going out providing Inet access.
 
My turn to think out loud-

I'm thinking that the problem is with the firewall and here's why:

1- The firewall is NAT'ing CORPS internal addresses.

2- CORPS is accessing the Inet. . . no problems.

3- REMOTE is accessing CORPS firewall and CORPS servers.

In order for REMOTE to get out to Inet through CORPS firewall, the firewall has to NAT the REMOTE internal address range.
 
That is what I think your problem is... no NAT for remote to internet. Try and do a traceroute and see where it dies. What is the topology of the remote site?
 
Can't do a trace from the remote because the site is far away and no one there would know how to interpret it. I guess they could printscreen it and email it.

The info I'm getting now is that the remote site is behind a 2600 and of course . . . no one knows the PW.

I only came in to add the T1 to the router and get traffic flowing in/out. I've done that, as the FR is getting to Corp for its resources. Now they want to say that the router is at fault because the Remote site cannot get to the internet. I'm saying that it's the Watchguard.
 
If I understand you the only device at the remote site is a 2600 that connects to corporate via FR connection....

I think you need to go over there and take a look and see. You will need to do password recovery on their router. If you start trying things on the Watchguard side without knowing the config on the remote end you may disrupt site-to-site communications.
 
Thanks again for your input!

To me it's sounding pretty simple. Since the Remote side has a connection to the firewall, the firewall should handle the Remote as an "inside" network. If the firewall is setup to NAT this 2nd "inside" network, it should pass traffic that is destined for its "outside" interface out.

What Watchguard is wanting me to do is to add some kind of route statement to the edge router to route any traffic other than that destined for the Corp network out. Since I have a default route (ip route 0.0.0.0 0.0.0.0 Serial0/1 68.x.x.157 - letting Inet-bound traffic out) and a static route (ip route 192.168.6.0 255.255.255.0 192.168.1.1 - letting Remote in), I can't do anything else with a static route without sending all traffic out S0/1.
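A small destination-only route lookup, added here as an illustration and not taken from the thread. It loads the two static routes quoted above plus the extra default route suggested earlier, and shows why a plain static route cannot do what Watchguard asked: the next hop is chosen from the destination address alone, so the remote LAN's internet-bound packets match the default route toward the T1 (never the firewall, hence no NAT), and a second default route only yields two equal-cost next hops. The next-hop strings are kept exactly as the poster masked them.

```python
import ipaddress

# Static routes as posted in the thread (prefix, next hop).
CORP_ROUTES = [
    ("0.0.0.0/0", "68.x.x.157"),        # default -> Serial0/1, the T1 to the ISP
    ("192.168.6.0/24", "192.168.1.1"),  # remote LAN -> firewall inside address
]
# The same table with the extra default route proposed in the thread
# ("ip route 0.0.0.0 0.0.0.0 192.168.1.1") added.
PROPOSED_ROUTES = CORP_ROUTES + [("0.0.0.0/0", "192.168.1.1")]

FIREWALL_HOP = "192.168.1.1"


def lookup(dst, routes):
    """Longest-prefix match on the destination only, like a plain static
    routing table. Returns every next hop of the winning prefix length;
    more than one entry means equal-cost load sharing (with
    'ip load-sharing per-packet' that alternates packet by packet)."""
    addr = ipaddress.ip_address(dst)
    best_len, hops = -1, []
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, hops = net.prefixlen, [next_hop]
        elif net.prefixlen == best_len:
            hops.append(next_hop)
    return hops


def via_firewall(src, dst, routes):
    """True only if every chosen next hop is the firewall (so NAT can apply).
    The source address is accepted but deliberately unused: that is the
    limitation of destination-based static routing the thread runs into."""
    hops = lookup(dst, routes)
    return bool(hops) and all(h == FIREWALL_HOP for h in hops)


if __name__ == "__main__":
    # 198.51.100.7 is a constructed stand-in for an internet host.
    for table_name, table in (("posted", CORP_ROUTES), ("proposed", PROPOSED_ROUTES)):
        for dst in ("192.168.6.12", "198.51.100.7"):
            print(table_name, "192.168.6.12 ->", dst, lookup(dst, table),
                  "via firewall:", via_firewall("192.168.6.12", dst, table))
```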
 
The remote side does have a connection to the firewall but it is coming in through the outside interface and then needs to be routed back out.

If I were you I would buy a 1720 and change the entire topology.

I would use the 1720 at corporate as the T1 router. This then connects to the Watchguard. Watchguard connects to the corporate router which has the FR connection to the remote site. This way both LAN segments are behind the corporate firewall, making configuration easier and much more secure.
 
I can do like you suggested, but with the following changes.

They already have a 2600 that's not doing anything.

If I use the 2600 for the FR connection, that then connects to the Watchguard OPT port. Then use the Corp router (3600) for the T1 and connect it to the Watchguard outside int. I need the 3600 because there's going to be another T1 added to it and load balanced, and I'd rather use the 3600 for it. This way, as you said, both networks are directly behind the firewall.
 