8 Replies Latest reply on Jan 2, 2015 11:12 AM by jayh

    Remote site Internet access over MPLS network running BGP

    blb New Member

      I recently switched carriers for my MPLS network. All went well except for one remote site that accesses the Internet through the HQ site. The only difference is that on my old carrier we were using static routes; with the new carrier I am running BGP. I configured the Adtran Netvanta 3305 router with the following route: 0.0.0.0 0.0.0.0 10.255.253.1. When I tracert to 8.8.8.8 (Google), the packet gets to 10.255.253.1 and dies; however, all my internal network packets are routing just fine. What am I missing here? Is it possible that the carrier is blocking the Internet traffic? I do not have this problem with the other remote sites because they have their own Internet connection.

        • Re: Remote site Internet access over MPLS network running BGP
          jayh Hall_of_Fame

          The most common causes of this are either that the NAT firewall on the other end doesn't have a rule to include your local networks of 192.168.81.0/24 and 192.168.91.0/24 in its rule set or it doesn't have a route to those subnets.  I'd start some troubleshooting on the other end.  Can the NAT firewall ping 192.168.81.1?  Does it have a rule to include that subnet in its outbound NAT?

          Does the NAT box at the remote side also participate in BGP?  If not you may need static routes on it to the BGP-speaking inside router for your local networks 192.168.81.0/24 and 192.168.91.0/24.

          Some cleanup...

          You don't need:

          ip route 192.168.81.0 255.255.255.0 192.168.81.1
          ip route 192.168.91.0 255.255.255.0 192.168.91.1

          Those are directly connected networks.

          Your BGP looks a little sketchy.  What does the BGP neighbor show?  Is BGP up?  You are using a private AS of 65000 on this side, is the remote side really AS 1?  (That's the old BBN/Level 3 AS).

          I would inject a default route from the neighbor on the other side rather than put a static default here.

          You have ip prefix-list Advertise defined but it isn't in use.

            • Re: Remote site Internet access over MPLS network running BGP
              blb New Member

              Hello jayh,

              Yes, I can ping all local networks and pass traffic between them, and the firewall does have a route to these subnets.

              All sites participate in BGP.

              Yes, I am using Level3 and BGP is up and working, and I am passing internal traffic to all sites. Level3 provided the BGP information. Only the Internet traffic is not passing to my main site.

              I tried it yesterday and it did not work.

               


                • Re: Remote site Internet access over MPLS network running BGP
                  jayh Hall_of_Fame

                  blb wrote:

                  Yes, I can ping all local network and pass traffic between them and the firewall does have a route to these subnets.

                  From the inside address of the NAT firewall to the Internet you can ping 192.168.81.1?  Does the NAT firewall participate in BGP?

                  At the main site where the firewall is located, is your default route advertised by BGP towards the site that can't reach the Internet?  You will need this as otherwise the MPLS network won't know where to route traffic to the Internet.

                  Syntax for injecting a default route into BGP varies by vendor.

                  Adtran:

                  router bgp [as]
                  address-family ipv4
                     network 0.0.0.0 mask 0.0.0.0

                  Cisco:

                  router bgp [as]
                    neighbor ww.xx.yy.zz default-originate

                  The router must have a default route to 0.0.0.0/0 in its routing table, probably pointing to the firewall.

                  Also verify, does the NAT firewall have a rule to NAT traffic from 192.168.81.0/24 out its public interface to the Internet?

                    • Re: Remote site Internet access over MPLS network running BGP
                      blb New Member

                      Thank you very much, the statement below works. I now have Internet access from the remote site.

                      Adtran:

                      router bgp
                      address-family ipv4
                         network 0.0.0.0 mask 0.0.0.0

                        • Re: Remote site Internet access over MPLS network running BGP
                          shiv1986 New Member

                          I recently switched carriers for my MPLS network. All went well except for one remote site that accesses the Internet through the HQ site. The only difference is that on my old carrier we were using static routes; with the new carrier I am running BGP. I configured the Cisco router with the following route: 0.0.0.0 0.0.0.0 10.255.253.1. When I tracert to 8.8.8.8 (Google), the packet gets to 10.255.253.1 and dies; however, all my internal network packets are routing just fine. What am I missing here? Is it possible that the carrier is blocking the Internet traffic? I do not have this problem with the other remote sites because they have their own Internet connection.


                        • Re: Remote site Internet access over MPLS network running BGP
                          jayh Hall_of_Fame

                          This could be either a routing problem (remote has no default route), a routing problem at HQ (firewall doesn't know how to reach remote), or a firewall rule missing.

                          When you log into the remote site that doesn't work, are you seeing a learned route to 0.0.0.0/0 via BGP?

                          If not, then you will need to inject the default. See my previous answer marked correct as to the syntax for both Cisco and Adtran, for the HQ site.

                          If the default route is properly reaching the remote site, look at the firewall at HQ and verify that there is a NAT rule set up for the remote subnet to reach the Internet.

                          Also, if your firewall isn't participating in your IGP, you'll need to add a static route on the firewall to the remote subnet with a gateway of the internal IP of the MPLS router at HQ.
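
Added example, not part of the thread and not any poster's code: a small Python model of the checks listed in the last answer, using longest-prefix match over constructed routing tables. The HQ LAN 10.10.0.0/16, the HQ MPLS router 10.10.0.2, the ISP gateway 203.0.113.1 and all table contents are assumptions; 192.168.81.0/24 and 10.255.253.1 come from the thread.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None if nothing covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def diagnose(remote_rib, carrier_vrf, fw_routes, fw_nat_sources,
             client, hq_router, dst="8.8.8.8"):
    """Run the checks in the order given in the thread and return the findings."""
    findings = []
    if lookup(remote_rib, dst) is None:
        findings.append("remote: no default route")
    # A static default at the remote only gets the packet to the carrier edge;
    # the MPLS VPN needs 0.0.0.0/0 originated into BGP at HQ to carry it further.
    if lookup(carrier_vrf, dst) is None:
        findings.append("carrier: no default learned via BGP from HQ")
    # The firewall's own default points at the ISP, so without a more specific
    # route the replies to the remote subnet leave by the wrong interface.
    if lookup(fw_routes, client) != hq_router:
        findings.append("firewall: no return route to remote subnet via HQ router")
    if not any(ipaddress.ip_address(client) in ipaddress.ip_network(s)
               for s in fw_nat_sources):
        findings.append("firewall: remote subnet not covered by outbound NAT")
    return findings

# Constructed sample state (assumed values, see lead-in).
HQ_ROUTER = "10.10.0.2"
CLIENT = "192.168.81.10"
REMOTE_RIB = {"192.168.81.0/24": "connected", "0.0.0.0/0": "10.255.253.1"}
VRF_BEFORE = {"192.168.81.0/24": "remote-ce", "10.10.0.0/16": "hq-ce"}
VRF_AFTER = dict(VRF_BEFORE, **{"0.0.0.0/0": "hq-ce"})
FW_ROUTES_BEFORE = {"0.0.0.0/0": "203.0.113.1", "10.10.0.0/16": "connected"}
FW_ROUTES_AFTER = dict(FW_ROUTES_BEFORE, **{"192.168.81.0/24": HQ_ROUTER})
NAT_BEFORE = ["10.10.0.0/16"]
NAT_AFTER = NAT_BEFORE + ["192.168.81.0/24"]

if __name__ == "__main__":
    for finding in diagnose(REMOTE_RIB, VRF_BEFORE, FW_ROUTES_BEFORE,
                            NAT_BEFORE, CLIENT, HQ_ROUTER):
        print(finding)
```

With the "before" tables the remote's static default passes the first check, yet traffic still stops at the carrier edge, which matches the traceroute symptom in the original question.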