No Internet at Branch Office

rcook
Level 1

Hi,

I am setting up a branch office over a leased line using Cisco 1760 Routers at both ends, I have used the old configmaker to get this working and the two offices can talk to each other but I can't get internet access at the branch office (internet is only available at the main office).

From the branch office I can ping any device at the main office which has the gateway 192.168.200.22, as my main firewall (192.168.200.20) is the gateway for most of my devices I have added a static route for 10.0.2.0/24 traffic to route back through 192.168.200.22 - this all works fine.

What's the best way to get internet access at the branch office, is it a simple case of adding an ip route 0.0.0.0 0.0.0.0 192.168.200.20 command on the branch office router?

My configs are below, any help would be appreciated as I haven't done much work on Cisco devices before.

Thanks

---MAIN OFFICE---------------------------------------------------------------------------------------

! ******************************************************************
! Main_Office.cfg - Cisco router configuration file
! Automatically created by Cisco ConfigMaker v2.6 Build 6
!   26 March 2012, 11:39:58 AM
!
! Hostname: Main_Office
! Model: 1760
! ******************************************************************
!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname Main_Office
!
enable password ********
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface FastEthernet 0/0
no shutdown
description connected to EthernetLAN
ip address 192.168.200.22 255.255.255.0
keepalive 10
!
interface Serial 0/0
no shutdown
description connected to Branch_Office
ip address 172.16.0.1 255.255.255.252
encapsulation hdlc
!
router rip
version 2
network 192.168.200.0
network 172.16.0.0
no auto-summary
!
!
ip classless
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password *********
login
!
line vty 0 4
password **********
login
!
end

---BRANCH OFFICE--------------------------------------------------------------------------------------------------------

! ******************************************************************
! Branch_Office.cfg - Cisco router configuration file
! Automatically created by Cisco ConfigMaker v2.6 Build 6
!   26 March 2012, 11:40:50 AM
!
! Hostname: Branch_Office
! Model: 1760
! ******************************************************************
!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname Branch_Office

!
enable password **********

!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface FastEthernet 0/0
no shutdown
description connected to EthernetLAN_1
ip address 10.0.2.20 255.255.255.0
keepalive 10
!
interface Serial 0/0
no shutdown
description connected to Main_Office
ip address 172.16.0.2 255.255.255.252
encapsulation hdlc
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
no auto-summary
!
!
ip classless
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password **********
login
!
line vty 0 4
password ***********
login
!
end

9 Replies

John Blakley
VIP Alumni

Robert,

Without looking too far into this, your firewall will have to know how to get back to your branch office subnet. Since you can ping to your main office devices, I suspect that this is the problem. Can you check to make sure that your firewall has a route to 10.0.2.0/24? You'll need to point it to your local device that routes to your 10.0.2.0/24 internal. For example, if you have another router that has the route to the 10.0.2.0/24 subnet:

Branch router ----> Main Router ----> Firewall

Your firewall will have a static route stating something like:

10.0.2.0 255.255.255.0 ----> main router IP

The main router knows how to get to the branch router subnet (since you can ping main side devices.)

John

*Edit* You'll also need to verify that you're natting on the firewall for the 10.0.2.0/24 subnet if you haven't done that.

HTH, John *** Please rate all useful posts ***

Robert

I have looked at the configs that you posted and I do not see any particular problems. I do not see any default route at the Main Office. And since you say that Internet is available at the Main Office I assume that the Main Office router is probably learning the default route from the firewall.  I believe that the most likely cause of the problem is that the firewall is not doing address translation for the Branch Office addresses.

HTH

Rick


Hi Robert,

As mentioned above you need to have a default route configured in your main office pointing to your internet gateway (your firewall or provider router).

0.0.0.0 0.0.0.0 "firewall/provider router IP"

And again you need to have a default route configured in your branch office router pointing to your main office router.

0.0.0.0 0.0.0.0 "main office router IP"


Please rate the helpful posts.
Regards,
Naidu.

Naidu

Certainly the Main Office needs to have a default route. But it is not necessary that it be a manually configured static default route. As I mention in my previous post, since the Main Office does have successful access to Internet then there must be a default route in its routing table already, and so there is no need for a manual static route at Main Office.

And if router RIP is running between the Main Office and the Branch Office, and if the Main Office does have a default route in its routing table, then it is likely that the Branch Office would already have the default route in its routing table. Perhaps Robert can clarify whether there is already a default route in the routing table or not.

HTH

Rick


Hi Rick,

I understood that the main office router is a DG for the whole LAN in the main office, sorry about this


Please rate the helpful posts.
Regards,
Naidu.

Thank you for the replies.

Just to clarify, the two Cisco routers are used just to link the main and branch office.

Firewall - 192.168.200.20

Main Office Router - 192.168.200.22

Branch Office Router - 10.0.2.20

The main office PCs have Internet access because the default gateway is 192.168.200.20, which is the firewall that connects to the ISP's router.

The main office can ping the branch office because a static route has been added to the firewall to route all 10.0.2.0/24 traffic to 192.168.200.22 (the Cisco 1760 router at the main office).

The branch office can ping any 192.168.200.0/24 address but anything else times out, for instance I can't ping 8.8.8.8 and if I tracert it, it doesn't get past 10.0.2.20.

Unfortunately I can't access the site to look at the routing table just now.

On my next visit I plan to do the following, as suggested:

Main office - add the command ip route 0.0.0.0 0.0.0.0 192.168.200.20

Branch office - add the command ip route 0.0.0.0 0.0.0.0 192.168.200.22

Do you think this will work and allow the branch office Internet access?

Many thanks for the suggestions so far.

Robert

I am not sure that the static default routes are needed. I strongly suggest that before you configure static default routes you should do show ip route on each of the routers and look for the presence of a route to 0.0.0.0. From your description that traceroute from the Branch gets to 192.168.200.20 I believe that this default route already exists. Only if it is not present in the routing table would you need to configure static default routes.

In posts early in this thread John and I have suggested that the problem might be related to doing (or not doing) address translation for the subnet at the Branch as the traffic goes out the firewall. I would suggest that you check the firewall and see if it is translating addresses for the Branch.

HTH

Rick


Branch office:

Route 0.0.0.0 0.0.0.0 s0/0

Firewall main office:

Route 10.0.2.0/24 192.168.200.22 (main router)

Add a NAT for 10.0.02.0/24

Allow 10.0.1.2/24 to outside (add it to the same outside policy of the main office)

Sent from Cisco Technical Support App

darren.g
Level 5

Robert Cook wrote:

Hi,

I am setting up a branch office over a leased line using Cisco 1760 Routers at both ends, I have used the old configmaker to get this working and the two offices can talk to each other but I can't get internet access at the branch office (internet is only available at the main office).

From the branch office I can ping any device at the main office which has the gateway 192.168.200.22, as my main firewall (192.168.200.20) is the gateway for most of my devices I have added a static route for 10.0.2.0/24 traffic to route back through 192.168.200.22 - this all works fine.

What's the best way to get internet access at the branch office, is it a simple case of adding an ip route 0.0.0.0 0.0.0.0 192.168.200.20 command on the branch office router?

My configs are below, any help would be appreciated as I haven't done much work on Cisco devices before.

Robert.

Have you done any basic diagnosis at the branch office?

What happens if you run "nslookup www.google.com" from a PC at the branch office (or dig www.google.com if they're *nix boxes)?

What happens if you run traceroute www.google.com from a PC in the branch office?

I can think of three obvious scenarios causing this issue, both of which have been mentioned by others.

1) Your branch office doesn't have a default route back to the main office router - which means it's just going to drop traffic going to anything except the two networks advertised by RIP from the main office (192.168.200.0 & 172.16.0.0)

2) Your "main" office router doesn't have a default gateway to send traffic to your firewall. I can't see a routing statement on this device which sends unknown traffic to your firewall (which you've mentioned is the default gateway for most of your devices at your head office), which means that even if the remote office DOES send default traffic back to the head office router, the head office router will drop it as it doesn't know where to forward it to.

3) Your routing table is correct, but your firewall isn't providing NAT correctly for the IP subnet at the remote office.

Can you post the output of "show ip route" from both the remote office router and the main office router?

Cheers.
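
The three scenarios listed above can be told apart by walking a packet hop by hop through each device's routing table. The following is an added example, not part of the original thread: it models the connected and RIP routes from the posted configs and the firewall as the poster describes it. The node names, the host addresses 10.0.2.50 and 192.168.200.10, and the NAT source list are constructed assumptions.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None means no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def build_tables(branch_default, main_default):
    # Connected and RIP-learned routes follow the posted configs; the
    # firewall entries follow the poster's description (assumed, not shown).
    tables = {
        "branch": [("10.0.2.0/24", "deliver"), ("172.16.0.0/30", "deliver"),
                   ("192.168.200.0/24", "main")],
        "main": [("192.168.200.0/24", "deliver"), ("172.16.0.0/30", "deliver"),
                 ("10.0.2.0/24", "branch")],
        "firewall": [("192.168.200.0/24", "deliver"), ("10.0.2.0/24", "main"),
                     ("0.0.0.0/0", "internet")],
    }
    if branch_default:   # scenario 1 fixed: default route at the branch
        tables["branch"].append(("0.0.0.0/0", "main"))
    if main_default:     # scenario 2 fixed: default route at the main office
        tables["main"].append(("0.0.0.0/0", "firewall"))
    return tables

def trace(src, dst, branch_default, main_default, nat_sources):
    """Follow a packet from the branch router and report where it ends up."""
    tables = build_tables(branch_default, main_default)
    node = "branch"
    for _ in range(8):   # hop limit guards against routing loops
        hop = next_hop(tables[node], dst)
        if hop is None:
            return f"dropped at {node}: no route"
        if hop == "deliver":
            return f"delivered via {node}"
        if hop == "internet":
            # Scenario 3: the firewall must translate the branch subnet too.
            translated = any(ipaddress.ip_address(src) in ipaddress.ip_network(n)
                             for n in nat_sources)
            return ("reaches internet" if translated
                    else "fails at firewall: source not translated")
        node = hop
    return "routing loop"

if __name__ == "__main__":
    main_only = ["192.168.200.0/24"]   # constructed: NAT covers main LAN only
    print(trace("10.0.2.50", "8.8.8.8", False, False, main_only))
    print(trace("10.0.2.50", "8.8.8.8", True, True, main_only + ["10.0.2.0/24"]))
```
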
