Cisco WAN :: 857 - How To Route Traffic Over Remote Location Internet
Nov 18, 2011
I have a customer which has a main location office and a remote one. Recently we interconnect their facilities using a local ISP service called Virtual Connectivity, which basically is a private network which can be accessed over aDSL or any other data circuit. They are using Cisco 888 routers to interconnect both sites.At the main site the customer also has an Internet circuit (with a Cisco 857 router)and he wants to remove the Internet circtuit from the remote site and provide them access over their main location Internet circuit.At the primary offices, we installed Cisco 2811 router as a gateway to route the Internet and remote network traffic over the required data circuit. Everything is working fine, but we can not access Internet from the remote location over the circuit installed a the main site. I understand this is a routing issue, since the traffic hits the main office network it does not knows how to reach the Internet. I am assuming this routing must be set into the main office Cisco 888 router (installed by the ISP to interconnect to their private cloud) in order to properly route it over the Internet circuit.Since I already have access over the Internet router and the gateway router at the main site, but not into the ISP router, is there any other way I can make this configurtion over the routers I already have access?
I have successfully setup the AnyConnect VPN (connecting to our ASA5510) and have split tunneling configured. My remote users can access inside LAN servers as well as the Internet from their remote location. What I would like to know is is it possible to change the split tunnel and not allow access to the Internet from the remote location but force the remote client to go through the VPN and out our internal edge firewall to the Internet? Basically I need my remote clients to access the Internet but I would like for their Internet traffic to go through the VPN and out our edge firewall. This will allow the same security as if they were sitting in the office.
I am working for a company based in Sydney Australia, the company recently open an office in London UK, therefore we are going to get leased lined based on MPLS.We were advised that Customer Edge router will be CISCO1941/K9. We want to our UK client to access our web-based applications via MPLS network instead of internet. The UK office is using BT Business ADSL with 5 Static IP address (please note the modem IP address is actually dynamic), we are going to get a Cisco 857/K9 router which will be used for the entry for the UK client to access the MPLS network. My question will be how do I configure the Cisco 857 router to allow one of the public ip to access the MPLS network. It appears that there are two options, and I am not sure if this is going to work or which one is working better. I have attached two diagrams for clarification of my case.
Option 1 Cisco WAN interface get Dynamic IP (PPPoA) from BT LAN Interface (4 Port) get the assigned 5 Static IP addresses One of the five IPs (217.xx.xx.169) will be assigned to the FE1 (Cisco 1941), any traffic to 217.xx.xx.169 will be routed to the WAN interface of Cisco 1941 to access Sydney service (located in Sydney LAN, mostly http and https traffic) One of the five IPs to 217.xx.xx.170 will be assigned to the WAN interface of Sonicwall Firewall Router which also serve as Internet Access Gateway for LAN users, All trafiic destined for Sydney LAN will be using FE0 (Cisco 1941) as gateway Option 2Cisco WAN interface get Dynamic IP (PPPoA) from BT LAN Interface (4 Port) will get 192.168.0.1, Cisco 857 router will be the default gateway for LAN users, using one to many NAT, also one to one NAT, One of the five IPs (217.xx.xx.169) will be forwarded to the FE0 (Cisco 1941), any traffic to 217.xx.xx.169 will be routed to the WAN interface of Cisco 1941 to access Sydney service (located in Sydney LAN, mostly http and https traffic)
My issue: I have installed a firewall within my network. Currently all my clients default gateway defaults to GW:192.168.1.1. I would like all my internet traffic to route to the firewall ip 192.168.1.30. My Primary switch ip is 192.168.1.10, which is a 3560G running 12.2(25)SEE2 IPBASE-M.
My main problem is, I do not have access to the gateway, so I am trying to route internet traffic from within my switch to the firewall. I have already tried Route-Map, but seems this version of the OS does not support. I have already tried Policy-Map, but same as above. I have also tried IP ROUT command, but it did not work either.
And remember, I would like to perform the routing from the switch, because I do not have access to the default gateway which is a router to perform forward internet traffic to the firewall.
i have a strange issue with an HSRP Setup. I have two (S1+S2) 3560 as Core/Distribution Layer. Inter-vlan routing are enabled on both Switches. S1 and S2 are connected with an ether channel over four fibre ports. S3 -S5 are the (L2) access layer.
Gi0/1 on S1 and S2 are L3 ports, connect to a Linux Firewall.
HSRP is enabled, S1 is the active router and the STP root bridge.
But, my monitoring via cacti show me, that the Gi0/1 on S2 is active, too! But it should not be active? Only if S1 fails, should S2 the active switch.A client from the access ports on S3 - 5 gets traffic from the Internet via Gi0/1 from S2. Gi0/1 on S1 is active too, but will send mostly traffic to the Internet. Why is S2 active and why route it traffic from the Internet to the client?
I'm essentially looking to extend an existing network in a primary warehouse for our company across a parking lot to a secondary warehouse with no network drops. I need to keep the ability to assign addresses in the existing scheme over to two computers in the secondary warehouse.
I have a existing wireless setup of 4400 WLC with some AP's connected remotely,now i am migrating the whole setup to the new WLC 5500. All the AP has been registered to the new WLC 5500 except the remote location AP's.As there was no option of giving IP address in GUI of the controller in 4400 WLC, i have changed the controller name and restarted the AP, but even though it is going back to the old controller.
My boss is asking me to write a batch file or use a utility to monitor the uptime of 16 different ISP accounts that we use across several stores. Most stores have several ISP accounts setup as failover, so they're not always active on our network but the ISP should still be up. He would like this to run from one of our servers. He is suggesting the 'gateway' for the ISP however I am not sure how to find this IP. The tracert utility returns IP addresses which are different than the gateway address in our router settings so I am wary to use those IPs.Which IPs would I ping to monitor the uptime and where would be the best place to find them?
While trying to connect to WiFi at remote sites APs, the connection is getting time out.User are getting error as 'Unable to connect to <WiFi-SSID>' The APs at corporate office are functioning properly and user are able to connect to the APs.
Main Site allows communication from Remote Site via VPN to Windows ServerMain Site also has a secondary subnet that communicates ONLY through internet but NOT to the Windows Server.Sonicwall 192.168.168.x is main siteRemote Site is 192.168.0.x connecting to Main Site to access shared folders on serverSecondary subnet at Main Site is 192.168.0.x using Windows XP PC's. They are accessing a linux server at 192.168.0.215 which Main Site has no access to.VPN remote ip's are 192.168.0.x - they can successfully access the Windows Server at 192.168.168.100 BUT NOT 192.168.0.215.GOAL: Want to connect Remote Site to Secondary subnetWilling to make router changes or whatever is necessary to get Remote Site to access Secondary Subnet with the only exception that the Secondary Subnet REMAINS.VPN DHCP is turned off but willing to turn it on.Willing to make the Linux Server 'discoverable' on the Windows Server. Don't know linux at all but another co-worker set it up and can make changes.
On one of our branch locations ASA, I have a L2L VPN setup we are adding wireless to this remote location, and the AP's will talk back to the controller at HQ. The AP's are on the downstream L3 switch, and they have been placed on the mgmt network. It's definitely not ideal to have these AP's on the mgmt network, but for now that is how it is setup.
From HQ (163.122.x.x) I can ping and reach the ASA (10.200.2.1, and the downstream L3 switch 10.200.2.100, but when I ping one of the AP's, I get timeouts and and the following error on the ASA:%ASA-3-305005: No translation group found for icmp src outside:10.205.216.73 dst mgmt:10.200.2.152 (type 8, code 0)
It appears it's a NAT issue on the ASA, but I'm confused on what I need to change. Why can I ping the ASA and the switch from HQ, but not the AP's which reside on the same mgmt network? I don't really need it to NAT, just to pass the connections. I currently only have the following two NAT statements in the configure
I have a 2821 router with two T1 WICs and have the need to route FTP down one T1 and all other TCP traffic down another T1. All traffic is going to the same remote IP address. The remote sites are in different states, and I assume that the remote subnet is being bridged between the states. It's kind of a weird set up, but it's not my design.
Anyway, can I use a route map to split off FTP traffic to host A and send it down one T1 and have the rest of the IP traffic to host A go down the other T1? I also need to be able to have all traffic use one T1 in case the other T1 goes down.
My first thought was to static all IP down T1-1, then route map FTP traffic down T1-2, then have a floating static for all IP traffic down T1-2 with a higher metric. But something would have to track the T1 interfaces and I'm not sure if route maps or static routes can do that. Any thoughts on this?
I have a router that supports wireless network. I have 2 desktop computers that connect through LAN, 3 Laptops that connect using WiFi. Lot of them use utorrent. I want to block it. They use it to download movies. I have warned them of consequences but they simply dont listen. I dont know how to implement QoS in my router. Mine is UTStarCom.
I have configured a remote access VPN on my Firewall ASA5510. Everything worked fine and I can successfully connect through the VPN. The problem is I cannot ping or connect to any of my internal network resources. I tried to add a new NAT route from outside to my internal servers using the defined pool but due to a new ASA version there are many changed I see in the NAT routes
I currently have a site to site VPN running connecting a branch office and the Main office using a ASA5510 and ASA 5505. currently PC's at the branch can access the network in the main office using interface 0/1, but we have added another ip range using interface 0/2 and I can't seem to route the traffic to both interfaces. I currently have 0/1 as inside 192.168.10.1 which works, and have added 0/2 as Inside2 192.168.20.1. I know I am forgetting something, any commands to route incoming VPN traffic so PC's at the branch office can connect to both IP ranges?
I want to route gre traffic through an ACE20, but it doesn't seem to work. The only thing I configured was an ACL with gre enabled, but the ACE20 seems to drop the gre packtes. The gre traffic is entering via the vlan 561 interface and should be send out via the vlan 472 interface. Source 10.94.32.212, destination 10.94.132.39. The tunnel control traffic on port tcp/1723 is working fine. In the service-policies is nothing configured for the gre traffic.
I have a two RV042 VPN Router, I successfully connected the IPSEC tunnel. I cannot route Traffic in the tunnel. See the diagram.
MAIN Network 10.252.x.x --------------> FIREWALL a.a.a.1 INTERNET RV042a WANa <<------------------------------->> WANb RV042b a.a.a.2 b.b.b.b
In this manner the network of b.b.b.b wil connect to the Main Network 10.252.x.x, unfortunately I can't pass traffic to RV042b going to RV042a. Everytime I trace the route, the traffic goes outside the Internet not to RV042a.
I'm station overseas and it's really hard to access certain websites and servie like Netflix or ESPN. What I had created was GRE tunnel from my Home "A" to my current location "B" and route my traffic from point A to B using 2 cisco 1700 routers ( and It was working great) but now I can't use GRE nomore. I still have PIX and ASA on both sides and I was trying to do that over VPN tunnel but I can't ping VPN tunnel gateway( basicly what was next hoop in GRE) on the other end ( which is the main problem why I can't route traffic to remote site). I was wondering if I can still do the same thing over VPN tunnel that I did with GRE tunnel.
I am trying to configure dual ISP on my ASA5505.I have everything configured and working when eth0/0 is connected, but when I disconnect it, it doesn't route any traffic.The static route for the primary isp is removed and the static route to the backup isp shows up, but no traffic goes in or out. I should note that I'm doing this as a proof of concept so eth0/0 is connected to a router and eth0/1 is connected to another router. [code]
We have 7 remote offices and 10 tower locations that utilize IPsec tunnels back to our HQ. We now want to force all traffic including web surfing through the tunnels. What would be the easiest way to acomplish this? I have tried utilizing the crypto map policy to do this, but was unable to acomplish this.
Each of our office locationss utilize a Cisco 2811 router and the tower locations utilize a Cisco 881.
I am using OPEN VPN in order to connect to a Canadian VPN server.I want ALL internet traffic to ONLY use the VPN connection and no traffic shall pass through my local ISP under any circumstance.In the event the VPN disconnects, I DO NOT want any internet traffic automatically sent via my LOCAL ISP connection. Can I simply disable my LAN network adapter in windows AFTER the vpn is connected? (since vpn uses its own TAP adapter?)
I have a media player wired to my dir-655. I have a wrt300 on the same network to use for vpn. I live in Canada, and to use Netflix etc, from the US, I need to use the vpn.Is it possible to have the media player routed through the wrt300, rather than discovering all the IP addresses for Netflix etc and routing each one?
All of my remote sites use various routers to route all of their traffic via IPsec. However, I have one WRVS4400N w/firmware 22.214.171.124 configured with a working tunnel. My issue is I need to set the Remote Group to 0.0.0.0 0.0.0.0 so all traffic is forced via IPsec tunnel and not out the local gateway. When I do the error, Remote Security Group and Local Security Group cannot be in the same network. However, it works with Cisco/Linksys RV042.
Just picked up a ISA550 and have been playing around with it a bit but seem to be having some trouble. I have two LAN subnets in my small business with approx 10 hosts per subnet. I'd like to use the ISA550 to route between them (and to the internet) but can't seem to figure out how. Is it just as simple as creating two VLANS? Can the ISA550 route VLAN traffic?With my old RV042G, I had the option to setup multiple subnets inside the setup menu but I don't see any such area with the 550.
We have a VPN setup and here's the configuration on the Cisco ASA 5505: [code] The problem is that i'm able to ping the otherside of the tunnel i.e. 192.168.23.14 from the dmz IP 172.16.1.2 but i'm unable to ping from the hosts behind the ASA.Also the other side is able to ping 172.16.1.2 IP but no IP's behind the ASA.