topic Re: Internet Access from remote Branch in Routing and SD-WAN

Internet Access from remote Branch

optimusprime90 — Sun, 04 Jun 2023 06:47:30 GMT

Hi Dears,

We have remote branch connected to HQ via MPLS and IPSEC-GRE tunnel is configured on cisco routers on both ends. Both branches have separate DIAS internet links. Now I am looking to let one vlan subnet from HQ to use internet from remote branch internet connection, and stop this vlan to use local HQ internet connection.

Re: Internet Access from remote Branch

Kasun Bandara — Sun, 04 Jun 2023 07:15:21 GMT

@optimusprime90 if so you need to do route HQ vlan's internet traffic towards remote branch via tunnel and send our to internet via remote branch internet line. this is about routing and NATting

Re: Internet Access from remote Branch

optimusprime90 — Sun, 04 Jun 2023 07:20:50 GMT

I Understand this is about routing and nating , can i get help about config setup please, and i do not want to route complete HQ internet traffic, I need to route only one subnet (one vlan)

Re: Internet Access from remote Branch

MHM Cisco World — Sun, 11 Jun 2023 07:22:30 GMT

Re: Internet Access from remote Branch

paul driver — Sun, 04 Jun 2023 07:59:20 GMT

Hello
This can most probably be accomplished with some traffic engineering however you dont mention what dynamic routing protocols (if any) you are using,

Re: Internet Access from remote Branch

Kasun Bandara — Sun, 04 Jun 2023 09:21:13 GMT

@optimusprime90 to give more specific support, please share the routing method you are using now (dynamic,static) and some details. then small network diagram to get an idea about traffic path and devices in between networks.

Re: Internet Access from remote Branch

optimusprime90 — Sun, 04 Jun 2023 12:32:20 GMT

Hi,
Tunnel is set using static route, below is the topology example where we want to route that specific HQ subnet via branch internet.

Re: Internet Access from remote Branch

Joseph W. Doherty — Tue, 20 Jun 2023 09:21:21 GMT

Why do you wish to do this? Reason I ask, it might be some what complex to accomplish, easy to inadvertently cause unexpected and undesired

surprises

in the future, and perhaps there's another easier/better way to accomplish your goal.

Re: Internet Access from remote Branch

optimusprime90 — Sun, 04 Jun 2023 14:09:35 GMT

one dept in HQ has work at some specific weblinks and those weblinks are not reachable via HQ internet due to some internal issues with ISP and website owners, that's why we want to redirect traffic of that department to our branch so they can work smoothly.

Re: Internet Access from remote Branch

Joseph W. Doherty — Sun, 04 Jun 2023 15:00:50 GMT

Well, ideally, you would resolve the issue(s) with your HQ ISP and/or problematic websites owners.

But, assuming you need to do something right now, where is NAT/PAT performed at HQ and branch? How many special Internet website IPs is this a problem for?

Any additional routers insider FWs at both sites, especially for VLAN at HQ that needs this treatment?

Re: Internet Access from remote Branch

MHM Cisco World — Sun, 11 Jun 2023 07:22:39 GMT

Re: Internet Access from remote Branch

optimusprime90 — Mon, 05 Jun 2023 06:27:36 GMT

NAT is configured on Our internet Router at remote branch and at Cisco IPSEC router at HQ.
currently we need to access to One website only.

Re: Internet Access from remote Branch

Wizard4777 — Tue, 20 Jun 2023 09:29:35 GMT

set the

default route

for that subnet to the interface or ip pointing to the remote branch, then use pbr to fine tune

Re: Internet Access from remote Branch

Wizard4777 — Mon, 05 Jun 2023 06:33:45 GMT

you do port forwarding on the remote router

Re: Internet Access from remote Branch

Joseph W. Doherty — Mon, 05 Jun 2023 13:21:51 GMT

As I don't know all your routing topology's specifics, I can only suggest a conceptional approach.

At HQ, add a static route, for the one problematic web site, on the IPSec router, to the internal facing interface IP on the branch Internet router. This assumes, whether traffic gets to branch via MPLS path or tunnel, branch routing will get that outbound traffic to the branch Internet router. It also assumes return traffic will be sent back to HQ (via branch).

Re: Internet Access from remote Branch

optimusprime90 — Thu, 08 Jun 2023 09:46:18 GMT

I did this static route, but it did not work.

Re: Internet Access from remote Branch

Joseph W. Doherty — Thu, 08 Jun 2023 10:53:51 GMT

Unfortunately, without "seeing" all the configurations, including the static route you added, cannot suggest why it doesn't work.

Have you tried something like a traceroute from the special HQ VLAN to the special web site to "see" the path being used?

Re: Internet Access from remote Branch

optimusprime90 — Tue, 20 Jun 2023 09:25:27 GMT

Yes i did tracrt from source machine, its reaching gateway and just dropping there, however from gateway which is firewll it should go to ipsec router.
i am copying static routes and tunnel config which we have currently.

ip nat inside source list 10 interface Vlan300 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x --> public internet IP of HQ
ip route x.x.x.x 255.255.255.252 y.y.y.y (x is mpls ip of remote branch and y is mpls IP of HQ)

IPSEC Tunnel:

interface Tunnel400
ip address 172.16.80.12 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication xxxxxx
ip nhrp map multicast dynamic
ip nhrp network-id 400
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 255
keepalive 3 3
tunnel source Vlan400
tunnel mode gre multipoint
tunnel key 400
tunnel protection ipsec profile MAT-PRO

Re: Internet Access from remote Branch

MHM Cisco World — Sun, 11 Jun 2023 07:22:09 GMT

Re: Internet Access from remote Branch

Joseph W. Doherty — Tue, 20 Jun 2023 09:27:35 GMT

". . . its reaching gateway and just dropping there, however from gateway which is firewll . . ."

FW will allow traceroute replies?

As to your route statement, where you want it to go, from HQ's IPSec router, is to the inside interface of the branch Internet router. Basically, once it gets to the branch, you want it to follow branch's default to the Internet. When traffic returns to the branch, you want it to come back to the HQ.

What's also important, is how the branch is configured with routing and branch FW rules. Keep in mind, the HQ traffic we're directing to the Internet, via the branch, branch setup may not be configured to support it.

Again, conceptionally, this should work, but much depends on your overall configurations.

Basically, what I've suggested is a subset of what the others were suggesting, i.e. redirecting HQ special subnet

default route

to the branch. That too could work, but since you noted it's only one web site, couldn't see why you should need to send all that special HQ VLAN's Internet traffic via the branch.