Branch can't get to internet, can't ping anything but ethernet at main site.

td ha escrito:

To me it sounds like whatever you are pinging behind the main site router does not have a route to the new branch site to be able to return the ICMP replies... HTH, James

I assume I'm missing something. I thought the ip route 192.168.2.0 255.255.255.0 63.239.127.225 route on the mainsite router would get all that traffic directed back to the remote router, but it doesn't seem like it.

Its like the mainsite router isn't actually routing any of the remote branch router traffic, as from the branch i can't get on the internet.

I'm not sure how MPLS fits in here, but I'll give you my insight anyways and you can decide if it's useful...

You said in your first post that you were able to ping the main site ethernet interface from the branch site, right? So that means your static route is working fine.

The problem is with whatever downsetream device you are trying to ping

*behind* the main site router (firewall, internal switch/router, server, etc. - if you have a firewall make sure that it is not blocking traffic). Does that downstream device have a route for the branch subnet, with the main site ethernet as the next hop? The device needs to know that to go back to the branch site it has to go through the main site router.

It looks to me that you're not advertising that static route you have set up on the main site router over your Fast Eth interface. BTW, who's taking care of NAT in this scenario?

James

No firewall in play here.

72.165.109.5 63.239.127.225 63.239.127.226 192.168.1.251

It dies if I attempt to ping 192.168.1.250 (my internet router) I've even put a specific route on the internet router that 192.168.2.0 traffic goes to 192.168.1.251

I'm at a loss, why can't I ping or get to anything off the local

192.168.1 subnet from 192.168.2.x??

Also, NAT is working fine on my internet router, would I need NAT on my MPLS network as well?? If so, I really need some help.

That's strange... if you can ping all that you say you can ping from the branch router, and you add:

ip route 192.168.2.0 255.255.255.0 192.168.1.251 (which is probably what you added)

in your Internet router, you should definately be able to ping from the branch site...

Only things I can think as possible source of problems:

1) You are not sourcing your ping with your Fast Eth address at the branch site. Are you doing "ping 192.168.1.250 source Fast 0/0/0" (or "ping 192.168.1.250 source 192.168.2.254") ?

2) There's some higher precedence route for that subnet in your Internet router. What do you get when you do "sh ip route 192.168.2.0" in your Internet router?

Let me know.

James

I'm definatley sourcing from 192.168.2.254... The only route to 192.168.2.0 was the static set to 192.168.1.251. I considered some old route stuck somewhere because we've got junky old Motorolas that are being replaced.

from 192.168.1.250 I can ping 192.168.1.251 but can't ping its WAN (63.239.127.226) or anything beyond on the way to 192.168.2.x.

I think something is turned on that router that I just don'tknow about... Heres more of the config. Its a newer router 2800 series and the IOS has more capacity than I'm used to!!!

! ! interface FastEthernet0/0 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ETH-LAN$ ip address 192.168.1.251 255.255.255.0 duplex auto speed auto ! interface Serial0/0/0 ip address 63.239.127.226 255.255.255.252 service-module t1 timeslots 1-12 ! router rip version 2 passive-interface FastEthernet0/0 passive-interface Serial0/0/0 network 63.0.0.0 network 192.168.1.0 neighbor 72.165.109.4 neighbor 192.168.2.0 no auto-summary ! ip classless ip route 0.0.0.0 0.0.0.0 192.168.1.250 ip route 10.1.10.0 255.255.255.0 192.168.1.254 ip route 72.165.109.4 255.255.255.252 63.239.127.225 ip route 192.168.2.0 255.255.255.0 72.165.109.5 ! ip http server ip http authentication local ip http timeout-policy idle 5 life 86400 requests 10000 ! ! control-plane

Very strange indeed... only thing I can think of now is doing some sniffing on the main site LAN (I use a Linux box and tcpdump). That way you'll be able see if the ping packets are making it to the wire when pinging your internet router and the internet router is not sending them back, or if they are not making it to the wire at all.

Something strange in the last config you posted... how did the router allow you to set the static route "ip route 192.168.2.0 255.255.255.0

72.165.109.5", if the next hop address (72.165.109.5) is not part of any directly connected subnet??? I would think the router would reject such a command...

J.

Ok, Got it figured out. The 0.0.0.0 0.0.0.0 route was pointed to my internet router (192.168.1.250) Since it didn't know about the MPLS addresses (the 72.165.109.5 &

63.239.127.226 networks) it didn't know how to get back....

Dumb, I know.

Also, once I got that figured out, I found out that for the remote site to get out on the internet I need to NAT an address, I didn't have to do this with my old frame relay circuit. Why do I have to do that now?

Glad you solved it.

Will your remote site Internet-bound traffic be accessing the Internet through the remote site router, or will it traverse the MPLS network to the main site and access the Internet from there? If you do the latter, you may get away without the need to do any special NAT for this site, plus you will be able to exercise more control on that traffic. Just have the remote site follow the same path as your main site Internet users...

If you want the remote site users to access the Internet "locally" then you will definately need NAT done by the remote site router.

J.