I recently switched carriers for my MPLS network; all went well except for one remote site that accesses the Internet through the HQ site. The only difference is that with my old carrier we were using static routes, and with the new carrier I am running BGP. I configured the Adtran Netvanta 3305 router with the following route: 0.0.0.0 0.0.0.0 10.255.253.1. When I tracert to 8.8.8.8 (Google) the packet gets to 10.255.253.1 and dies; however, all my internal network packets are routing just fine. What am I missing here? Is it possible that the carrier is blocking the Internet traffic? I do not have this problem with the other remote sites because they have their own Internet connection.
blb wrote:
Yes, I can ping all local network and pass traffic between them and the firewall does have a route to these subnets.
From the inside address of the NAT firewall to the Internet, can you ping 192.168.81.1? Does the NAT firewall participate in BGP?
At the main site where the firewall is located, is your default route advertised by BGP towards the site that can't reach the Internet? You will need this as otherwise the MPLS network won't know where to route traffic to the Internet.
Syntax for injecting a default route into BGP varies by vendor.
Adtran:
router bgp [as]
address-family ipv4
network 0.0.0.0 mask 0.0.0.0
Cisco:
router bgp [as]
neighbor ww.xx.yy.zz default-originate
The router must have a default route to 0.0.0.0/0 in its routing table, probably pointing to the firewall.
Also verify, does the NAT firewall have a rule to NAT traffic from 192.168.81.0/24 out its public interface to the Internet?
The most common causes of this are either that the NAT firewall on the other end doesn't have a rule to include your local networks of 192.168.81.0/24 and 192.168.91.0/24 in its rule set or it doesn't have a route to those subnets. I'd start some troubleshooting on the other end. Can the NAT firewall ping 192.168.81.1 ? Does it have a rule to include that subnet in its outbound NAT?
Does the NAT box at the remote side also participate in BGP? If not you may need static routes on it to the BGP-speaking inside router for your local networks 192.168.81.0/24 and 192.168.91.0/24.
Some cleanup...
You don't need:
ip route 192.168.81.0 255.255.255.0 192.168.81.1
ip route 192.168.91.0 255.255.255.0 192.168.91.1
Those are directly connected networks.
Your BGP looks a little sketchy. What does the BGP neighbor show? Is BGP up? You are using a private AS of 65000 on this side, is the remote side really AS 1? (That's the old BBN/Level 3 AS).
I would inject a default route from the neighbor on the other side rather than put a static default here.
You have ip prefix-list Advertise defined but it isn't in use.
Hello jayh,
Yes, I can ping all local network and pass traffic between them and the firewall does have a route to these subnets.
All sites participate in BGP.
Yes, I am using Level3 and BGP is up and working, and I am passing internal traffic to all sites. Level3 provided the BGP information. Only the Internet traffic not passing to my main site.
I tried it yesterday and it did not work.
From: Bentley Brown
Sent: Friday, September 27, 2013 2:35 PM
To: 'jive-688052486-67n-2-8ib@adtran.hosted.jivesoftware.com'
Subject: RE: - Remote site Internet access over MPLS network running BGP
I recently switched carriers for my MPLS network; all went well except for one remote site that accesses the Internet through the HQ site. The only difference is that with my old carrier we were using static routes, and with the new carrier I am running BGP. I configured the Cisco router with the following route: 0.0.0.0 0.0.0.0 10.255.253.1. When I tracert to 8.8.8.8 (Google) the packet gets to 10.255.253.1 and dies; however, all my internal network packets are routing just fine. What am I missing here? Is it possible that the carrier is blocking the Internet traffic? I do not have this problem with the other remote sites because they have their own Internet connection.
This could be a routing problem at the remote (no default route), a routing problem at HQ (the firewall doesn't know how to reach the remote), or a missing firewall rule.
When you log into the remote site that doesn't work, are you seeing a learned route to 0.0.0.0/0 via BGP?
If not, then you will need to inject the default. See my previous answer marked correct as to the syntax for both Cisco and Adtran, for the HQ site.
If the default route is properly reaching the remote site, look at the firewall at HQ and verify that there is a NAT rule set up for the remote subnet to reach the Internet.
Also, if your firewall isn't participating in your IGP, you'll need to add a static route on the firewall to the remote subnet with a gateway of the internal IP of the MPLS router at HQ.
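The three checks in the answer above (a BGP-learned default at the remote, a route back to the remote subnet on the HQ firewall, and a source-NAT rule covering that subnet) can be run mechanically against saved CLI output. The following is an added example, not code from this thread or from Adtran: it parses Cisco IOS / Adtran AOS style `show ip route` output and a list of source-NAT ranges, and reports which of the three causes applies. All sample output and addresses are constructed; 10.10.0.2 as the inside IP of the HQ MPLS router and 203.0.113.1 as the firewall's upstream gateway are assumptions.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# One 'show ip route' entry (Cisco IOS / Adtran AOS style), e.g.
#   B*    0.0.0.0/0 [20/0] via 10.255.253.1, 00:10:22
#   C        192.168.81.0/24 is directly connected, Vlan81
# Header lines ("Codes: ...", "Gateway of last resort ...") do not match.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\*?\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r".*?(?:via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)|is directly connected)"
)


class Route(NamedTuple):
    code: str                      # 'B' BGP, 'S' static, 'C' connected, ...
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]        # None for connected routes


def parse_routes(show_output: str) -> List[Route]:
    routes = []
    for line in show_output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["code"], ipaddress.ip_network(m["prefix"]), m["nh"]))
    return routes


def bgp_default(routes: List[Route]) -> Optional[Route]:
    """The 0.0.0.0/0 learned via BGP, or None. A static default does not count:
    it only tells this router where to send traffic, not the carrier's PE."""
    return next((r for r in routes if r.code == "B" and r.prefix == DEFAULT), None)


def best_route(routes: List[Route], dest: ipaddress.IPv4Network) -> Optional[Route]:
    """Longest-prefix match for a destination network."""
    matches = [r for r in routes if dest.subnet_of(r.prefix)]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def nat_covers(nat_sources: List[str], subnet: ipaddress.IPv4Network) -> bool:
    """True if some source-NAT rule's source range contains the whole subnet."""
    return any(subnet.subnet_of(ipaddress.ip_network(s)) for s in nat_sources)


def diagnose(remote_routes, fw_routes, nat_sources, remote_subnet, mpls_inside_ip) -> List[str]:
    """Misconfigurations found; an empty list means both ends are consistent
    and the next suspect is the carrier's VRF (e.g. the PE filtering 0.0.0.0/0)."""
    findings = []
    if bgp_default(remote_routes) is None:
        findings.append("remote: no BGP-learned 0.0.0.0/0; HQ must originate the default into BGP")
    r = best_route(fw_routes, remote_subnet)
    if r is None or r.prefix == DEFAULT:
        findings.append(f"hq-firewall: no route to {remote_subnet}; add a static via {mpls_inside_ip}")
    elif r.next_hop != mpls_inside_ip:
        findings.append(f"hq-firewall: route to {remote_subnet} points at {r.next_hop}, not {mpls_inside_ip}")
    if not nat_covers(nat_sources, remote_subnet):
        findings.append(f"hq-firewall: no source-NAT rule covers {remote_subnet}")
    return findings


# Constructed sample output (not captured from the poster's routers).
# REMOTE_BROKEN mirrors the thread: a static default, nothing learned via BGP.
REMOTE_BROKEN = """\
Gateway of last resort is 10.255.253.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 10.255.253.1
C        192.168.81.0/24 is directly connected, Vlan81
C        192.168.91.0/24 is directly connected, Vlan91
B        10.10.0.0/24 [20/0] via 10.255.253.1, 01:02:03
"""
REMOTE_FIXED = """\
Gateway of last resort is 10.255.253.1 to network 0.0.0.0
B*    0.0.0.0/0 [20/0] via 10.255.253.1, 00:10:22
C        192.168.81.0/24 is directly connected, Vlan81
"""
FW_BROKEN = """\
S*    0.0.0.0/0 [1/0] via 203.0.113.1
C        10.10.0.0/24 is directly connected, inside
"""
FW_FIXED = FW_BROKEN + """\
S        192.168.81.0/24 [1/0] via 10.10.0.2
S        192.168.91.0/24 [1/0] via 10.10.0.2
"""
NAT_BROKEN = ["10.10.0.0/24"]                    # only the HQ LAN is NATed
NAT_FIXED = ["10.10.0.0/24", "192.168.0.0/16"]   # remote sites included
REMOTE_LAN = ipaddress.ip_network("192.168.81.0/24")
HQ_MPLS_INSIDE = "10.10.0.2"                     # assumed inside IP of the HQ MPLS router

if __name__ == "__main__":
    print(diagnose(parse_routes(REMOTE_BROKEN), parse_routes(FW_BROKEN), NAT_BROKEN, REMOTE_LAN, HQ_MPLS_INSIDE))
    print(diagnose(parse_routes(REMOTE_FIXED), parse_routes(FW_FIXED), NAT_FIXED, REMOTE_LAN, HQ_MPLS_INSIDE))
```

Paste the real `show ip route` output from the remote router and the HQ firewall into the two string constants and list the firewall's source-NAT ranges. If the script reports nothing, the configuration at both ends matches what the answer asks for, and the remaining question is whether the carrier's PE is accepting and propagating the default route inside the VPN; some carriers filter 0.0.0.0/0 from customer routers unless asked to allow it.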