Hi Friends,
I am trying to design a HQ- Branch setup. My HQ is NC location where my ISP_Internet router is terminating.
PP_Location is connected to NC via MPLS_BGP.
PC1 IP: 172.16.250.5/24 able to ping PC2 IP: 172.16.240.5/24
Learning all the IP segments on each side via BGP..
Problem here: The problem here is i am unable to access the internet from PP_Location.
On the PP_ISR, if i add a static route towards BGP Peer, then everything works fine, but if i do a
"Redistribute Static" in my BGP Config on the NC_ISR, the internet from PP is not working.
Hope i was clear in my explanation.
Please find the attached config. files for reference.
Thanks a lot for your patience in advance.
PP_ISR:
PP_ISR#sh run
Building configuration...
Current configuration : 1923 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname PP_ISR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
vtp file nvram:vlan.dat
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
description *** Unused for Layer2 EtherSwitch ***
ip address 1.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.243.0.1 255.255.255.0
speed 100
full-duplex
!
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
!
router bgp 2
no synchronization
bgp log-neighbor-changes
network 10.243.0.0 mask 255.255.255.0
network 172.16.250.0 mask 255.255.255.0
neighbor 1.1.1.1 remote-as 1
no auto-summary
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 1.1.1.0 255.255.255.252 1.1.1.1
ip route 172.16.250.0 255.255.255.0 10.243.0.2
!
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner exec ^C
***************************************************************
This is a normal Router with a SW module inside (NM-16ESW)
It has been preconfigured with hard coded speed and duplex
To create vlans use the command "vlan database" from exec mode
After creating all desired vlans use "exit" to apply the config
To view existing vlans use the command "show vlan-switch brief"
Warning: You are using an old IOS image for this router.
Please update the IOS to enable the "macro" command!
***************************************************************
^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
PP_ISR#$
NC_ISR:
NC_MPLS#sh run
Building configuration...
Current configuration : 1960 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname NC_MPLS
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
vtp file nvram:vlan.dat
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
description *** Unused for Layer2 EtherSwitch ***
ip address 10.242.0.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 1.1.1.1 255.255.255.252
speed 100
full-duplex
!
interface FastEthernet2/0
ip address 75.146.125.17 255.255.255.252
duplex auto
speed auto
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network 10.242.0.0 mask 255.255.255.0
network 172.16.240.0 mask 255.255.255.0
redistribute static
neighbor 1.1.1.2 remote-as 2
no auto-summary
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.146.125.18
ip route 172.16.240.0 255.255.255.0 10.242.0.2
!
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner exec ^C
***************************************************************
This is a normal Router with a SW module inside (NM-16ESW)
It has been preconfigured with hard coded speed and duplex
To create vlans use the command "vlan database" from exec mode
After creating all desired vlans use "exit" to apply the config
To view existing vlans use the command "show vlan-switch brief"
Warning: You are using an old IOS image for this router.
Please update the IOS to enable the "macro" command!
***************************************************************
^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
NC_MPLS#
Accepted Solutions
Hi Georg,
Thanks a lot. It worked. Yeyeyeye....!!
Thank you so much. I am a newbee to routing. Please dont mind.
And i do have another question. sorry for troubling you.
I am planning to build a S2S tunnel from the NC_ISR towards a Fortigate behind the ISP router.
PC2: 172.16.240.5/24 - works fine via the tunnel. Tunnel comes up. Pings PC3: 172.16.24.5/24
PC1: 172.16.250.5/24 - doesnt work via the tunnel.. ( Pings Pc3: 172.16.24.5/24 but not via the VPN tunnel)
Could you please let me know if am missing any routing or something. I am unable to figure it out.
Trace route from pc2:
Traceroute from PC1:
NC_ISR Config:
NC_ISR#sh run
Building configuration...
Current configuration : 2480 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname NC_ISR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
vtp file nvram:vlan.dat
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
authentication pre-share
group 5
crypto isakmp key JellyB3lly address 11.0.0.2
!
!
crypto ipsec transform-set ISR-TRANSFORM esp-des esp-md5-hmac
!
crypto map Test_S2S 1 ipsec-isakmp
set peer 11.0.0.2
set transform-set ISR-TRANSFORM
match address ACL-ISR
!
!
!
!
interface FastEthernet0/0
description *** Unused for Layer2 EtherSwitch ***
ip address 10.242.0.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 1.1.1.1 255.255.255.252
speed 100
full-duplex
!
interface FastEthernet2/0
ip address 75.146.125.17 255.255.255.252
duplex auto
speed auto
crypto map Test_S2S
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network 10.242.0.0 mask 255.255.255.0
network 172.16.240.0 mask 255.255.255.0
redistribute static
neighbor 1.1.1.2 remote-as 2
neighbor 1.1.1.2 default-originate
default-information originate
no auto-summary
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.146.125.18
ip route 172.16.240.0 255.255.255.0 10.242.0.2
!
!
!
ip access-list extended ACL-ISR
permit ip 172.16.240.0 0.0.0.255 172.16.24.0 0.0.0.255
permit ip 172.16.250.0 0.0.0.255 172.16.24.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner exec ^C
***************************************************************
This is a normal Router with a SW module inside (NM-16ESW)
It has been preconfigured with hard coded speed and duplex
To create vlans use the command "vlan database" from exec mode
After creating all desired vlans use "exit" to apply the config
To view existing vlans use the command "show vlan-switch brief"
Warning: You are using an old IOS image for this router.
Please update the IOS to enable the "macro" command!
***************************************************************
^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
NC_ISR#
PP_ISR Configuration:
PP_ISR#sh run
Building configuration...
Current configuration : 2266 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname PP_ISR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
vtp file nvram:vlan.dat
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
description *** Unused for Layer2 EtherSwitch ***
ip address 1.1.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.243.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
!
router bgp 2
no synchronization
bgp log-neighbor-changes
network 10.243.0.0 mask 255.255.255.0
network 172.16.250.0 mask 255.255.255.0
neighbor 1.1.1.1 remote-as 1
no auto-summary
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 172.16.250.0 255.255.255.0 10.243.0.2
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static udp 10.243.0.2 4500 interface FastEthernet0/0 4500
ip nat inside source static udp 10.243.0.2 500 interface FastEthernet0/0 500
!
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.255.255.255
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner exec ^C
***************************************************************
This is a normal Router with a SW module inside (NM-16ESW)
It has been preconfigured with hard coded speed and duplex
To create vlans use the command "vlan database" from exec mode
After creating all desired vlans use "exit" to apply the config
To view existing vlans use the command "show vlan-switch brief"
Warning: You are using an old IOS image for this router.
Please update the IOS to enable the "macro" command!
***************************************************************
^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
PP_ISR#
ISP_Fortigate:
