Problem solve Get help with specific problems with your technologies, process and projects.

Sharing a single Internet connection from multiple satellite offices

Many of us encounter situations where a company has one or more satellite offices connected by point to point T-1...

Frame Relay or ATM (or even VPN, although this would be a slightly different variation discussed later). For reasons of cost or, more likely, security and control, it is desirable to have only one Internet connection to manage. Routing through a Frame Relay with a Cisco Router at the satellite to a Cisco Router at the home office to a separate Router/Modem attached to the Internet seems quite tricky. Just the right routes, ports and authentication is required. Frankly, I've yet to make this work. Although both sites technically have Internet access, it may still be desirable to route through the home office for purposes of monitoring and control.

I have searched and so far, have been unable to find a very clear explanation for how to do this. If you've already covered it, I apologize, and would like to see the article.
Many organizations prefer to handle their Internet connectivity through a central site. Though it may not be as efficient, it does permit much closer control, and better overall security.

It is not that hard to set this up. Several options are possible, depending on the configuration of your network. For the purposes of discussion, let's suppose that you have three LANs: H, at the hub site where the Internet connection is; A, at remote site A; and B at remote site B. You also have three routers: RH, the main router at the hub; RA and RB at the respective remote sites. Router RH has three interfaces: an Ethernet interface for the local LAN, LAN H, a WAN interface for the Internet connection; and a Frame Relay interface for the frame relay link. The remote routers, RA and RB, have two interfaces each: one for each local LAN, and the other connected to the main site router through the frame relay connections. All traffic passing from site to site must pass through a pair of routers. It is important that the subnet addressing for all three LANs in this scenario be distinct: for example,, and Again, these are just examples; the important thing to note is that they are private IP addresses, and that there is no overlap between them.

Now the routing can be set up. The primary router, RH, is going to handle the default routing for LAN H, and the Internet routing for the remote subnets. (For simplicity, we will assume static routing in all routers.) It will have a routing entry for the local subnet, LAN H, through its Ethernet interface. It will have an entry for each of LAN A and LAN B that will be via the remote routers RA and RB through the frame relay interface. It will have a default route that is through the Internet WAN interface to whatever nexthop address is correct. In addition, RH will be set up to do port NAT (Internet connection sharing) on the Internet interface, to ensure that all traffic to the Internet will appear as though it is coming from a single IP address.

Each of the routers, RA and RB, then have a default route through the frame relay connection to RH, and a route for their local subnets. No other routes are required.

Let's look at what happens to a packet originating on LAN A, destined for an Internet address. The packet is sent to the default gateway for LAN A, that is, router RA. Router RA forwards the packet to router RH, who in turn forwards it to its gateway router for the Internet, performing a PNAT on the outbound packet. The return traffic from the Internet site arrives back at the Internet interface of router RH. From the protocol/port on the packet, the PNAT is undone, and the packet is re-addressed to the sending machine on LAN A. Router RH then routes this packet through the frame link to router RA, who forwards it to the destination machine on LAN A.

This was last published in September 2003

Dig Deeper on Network Management Software, Tools and Utilities