Branch can't get to internet, can't ping anything but ethern

td · Guest

Ok,
What am i missing?
I've got a new MPLS connection up and running.
I can ping the branch site from my main site just fine.
I can not ping ANYTHING past the main site ethernet port via
the branch router. Can someone please help me out!!!

Heres so configs
Main:

interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ETH-LAN$
ip address 192.168.1.251 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 63.239.127.226 255.255.255.252
ip access-group 189 in
service-module t1 timeslots 1-12
!
router rip
version 2
passive-interface FastEthernet0/0
passive-interface Serial0/0/0
network 63.0.0.0
network 192.168.1.0
neighbor 192.168.2.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.250
ip route 192.168.2.0 255.255.255.0 63.239.127.225
!

Branch router:

!
interface Serial0
ip address 72.165.109.6 255.255.255.252
ip helper-address 192.168.1.205
no ip directed-broadcast
fair-queue 64 256 0
service-module t1 timeslots 1-6
no cdp enable
!
interface FastEthernet0
description connected to LAN
ip address 192.168.2.254 255.255.255.0
no ip directed-broadcast
full-duplex
no cdp enable
!
router rip
version 2
network 192.168.2.0
neighbor 192.168.1.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
no cdp run

Guest

td ha escrito:

td · Guest

I assume I'm missing something.
I thought the ip route 192.168.2.0 255.255.255.0 63.239.127.225 route
on the mainsite router
would get all that traffic directed back to the remote router, but it
doesn't seem like it.

Its like the mainsite router isn't actually routing any of the remote
branch router traffic, as from
the branch i can't get on the internet.

Guest

I'm not sure how MPLS fits in here, but I'll give you my insight
anyways and you can decide if it's useful...

You said in your first post that you were able to ping the main site
ethernet interface from the branch site, right? So that means your
static route is working fine.

The problem is with whatever downsetream device you are trying to ping
*behind* the main site router (firewall, internal switch/router,
server, etc. - if you have a firewall make sure that it is not blocking
traffic). Does that downstream device have a route for the branch
subnet, with the main site ethernet as the next hop? The device needs
to know that to go back to the branch site it has to go through the
main site router.

It looks to me that you're not advertising that static route you have
set up on the main site router over your Fast Eth interface. BTW, who's
taking care of NAT in this scenario?

James

td · Guest

No firewall in play here.

James Schnack · Guest

That's strange... if you can ping all that you say you can ping from
the branch router, and you add:

ip route 192.168.2.0 255.255.255.0 192.168.1.251 (which is probably
what you added)

in your Internet router, you should definately be able to ping from the
branch site...

Only things I can think as possible source of problems:

1) You are not sourcing your ping with your Fast Eth address at the
branch site. Are you doing "ping 192.168.1.250 source Fast 0/0/0" (or
"ping 192.168.1.250 source 192.168.2.254") ?

2) There's some higher precedence route for that subnet in your
Internet router. What do you get when you do "sh ip route 192.168.2.0"
in your Internet router?

Let me know.

James

td · Guest

I'm definatley sourcing from 192.168.2.254...
The only route to 192.168.2.0 was the static set
to 192.168.1.251.
I considered some old route stuck somewhere because
we've got junky old Motorolas that are being replaced.

from 192.168.1.250 I can ping 192.168.1.251 but can't
ping its WAN (63.239.127.226) or anything beyond on the
way to 192.168.2.x.

I think something is turned on that router that I just don'tknow
about...
Heres more of the config. Its a newer router 2800 series and the IOS
has more capacity
than I'm used to!!!

!
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ETH-LAN$
ip address 192.168.1.251 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 63.239.127.226 255.255.255.252
service-module t1 timeslots 1-12
!
router rip
version 2
passive-interface FastEthernet0/0
passive-interface Serial0/0/0
network 63.0.0.0
network 192.168.1.0
neighbor 72.165.109.4
neighbor 192.168.2.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.250
ip route 10.1.10.0 255.255.255.0 192.168.1.254
ip route 72.165.109.4 255.255.255.252 63.239.127.225
ip route 192.168.2.0 255.255.255.0 72.165.109.5
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
control-plane

James Schnack · Guest

Very strange indeed... only thing I can think of now is doing some
sniffing on the main site LAN (I use a Linux box and tcpdump). That way
you'll be able see if the ping packets are making it to the wire when
pinging your internet router and the internet router is not sending
them back, or if they are not making it to the wire at all.

Something strange in the last config you posted... how did the router
allow you to set the static route "ip route 192.168.2.0 255.255.255.0
72.165.109.5", if the next hop address (72.165.109.5) is not part of
any directly connected subnet??? I would think the router would reject
such a command...

J.

td · Guest

Ok,
Got it figured out.
The 0.0.0.0 0.0.0.0 route was pointed to my internet router
(192.168.1.250)
Since it didn't know about the MPLS addresses (the 72.165.109.5 &
63.239.127.226 networks)
it didn't know how to get back....

Dumb, I know.

Also, once I got that figured out, I found out that for the remote site
to get out on the internet
I need to NAT an address, I didn't have to do this with my old frame
relay circuit. Why do I have
to do that now?

James Schnack · Guest

Glad you solved it.

Will your remote site Internet-bound traffic be accessing the Internet
through the remote site router, or will it traverse the MPLS network to
the main site and access the Internet from there? If you do the latter,
you may get away without the need to do any special NAT for this site,
plus you will be able to exercise more control on that traffic. Just
have the remote site follow the same path as your main site Internet
users...

If you want the remote site users to access the Internet "locally" then
you will definately need NAT done by the remote site router.

J.