
unable to access anything other than ping from behind a cisco 1921 router

mmarosz1
Level 1

Hello, 
I am new to this community, and I am beginning to study for the CCNA exams. I apologize in advance for any 'un-educated' or 'un-necessary' questions, but with that said, I was hoping I could gain some knowledge/guidance with this problem I am having.


:here is the setup: 

I have a test network, and it has a cable modem connected to a netgear SOHO router/switch/wireless ap combo device.

I have my 'main pc', aka pc4, connected to the switch part of the netgear combo device, and it can access the internet (and anything else connected to the same switch) normally. The LAN side of the router part of the netgear combo device has an ip of 192.168.1.1.


Then, I purchased a cisco 1921 router, and I am trying to use it to make 2 separate networks in my test network.

I gave the cisco router's ge0/0 interface a static ip of 192.168.1.50, and I connected it to the switch part of the netgear combo device.

 

Then, I gave the cisco router's ge0/1 interface a static ip of 10.10.10.1, and I connected it to a separate (unmanaged) switch.


Then, I connected a test pc, aka pc2, to this unmanaged switch.

 

:here is the question: 

I cannot access the internet from pc2, and I don't know why.


I thought I needed to set up local static routes from pc4 and pc2, so I did that, but I'm not sure if that made any difference.

eg, from each pc, and from the router itself (I connected with the serial console port and putty), I can ping each pc and each interface in the router.
But I can only ping by IP address, not by name.

eg, from pc2, if I ping pc4 by ip address, pc4 replies normally all 4 times.

eg, from pc2, if I ping pc4 by pc name, I get an error, "ping request could not find host pc4", this error only appears once after a pause.

eg, from pc2, if I ping "google.com", in the 4 ping requests that are sent, I get these 2 errors, "request timed out", and "reply from 10.10.10.1: destination host unreachable".

I have read that "destination host unreachable" means a router in the path of the ping to its destination does not have a stored route to the destination, and the router replies with "destination host unreachable".

But then I also read that "request timed out" means that the ping request never got a reply, which may mean that the routers in the path to the destination did have routes to the destination, and they forwarded the ping request, but then something else happened that caused the ping request to get dropped on its return trip.

So, I don't know how I could get both of those errors in the same ping command.

 

I am quite stumped as to what to do next, and any help would be greatly appreciated.

 

-michael

Accepted Solutions

Michael

 

Congratulations on the new job. I hope it works out well for you. Take your time thinking about the issues we have been discussing and when appropriate you can post again. For followup on these things you can continue this discussion. But at some point it might be good to start a new discussion. As discussions get longer it becomes more difficult to keep the context clear and in a new discussion there is more possibility that other participants might offer their comments. And if you do start a new discussion you can use the private message capability to send me a link to the new discussion so that I can be sure to engage in it.

 

It is quite common for the Internet Service Provider equipment to do address translation only for the subnet of the connected device. And quite common that the ISP device would not provide DNS resolution for your locally connected devices. So it is a normal practice that you would do address translation on your router for your other subnets. You can configure the router to act as a DNS server. And if you have only a few devices you want to resolve names for it could be appropriate to do that on the router. But as the local network gets larger and more complex it would be better to have DNS on some device other than your router. 

HTH

Rick


balaji.bandi
Hall of Fame

Post the router config for review, and you need to have a static entry for the 10.X network towards the router.

BB


Hello Balaji and Richard,

Thank you very much for replying.

Pardon me if it is uncommon to not provide the details you asked me for.

Here are the details as best as I can provide them.

I am going to split them into two replies, one with the router config regarding Balaji's question, and the other with the details regarding Richard's question[s]

 

Balaji, I was not certain when you asked to provide the "router config" if you mean the stuff you see when the router starts (eg when you are already connected to the router with putty when you start the router), or the output from the "show running-config" command.

 

so here are both of them, and as you can see they are separated by the...

router1# show running-config

...line which is about in the middle

::::::::::::::::::::::::::::::::::::::::::::::::::


System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2012 by cisco Systems, Inc.

Total memory size = 512 MB
CISCO1921/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC disabled


Readonly ROMMON initialized
program load complete, entry point: 0x80903000, size: 0x4c4a0
program load complete, entry point: 0x80903000, size: 0x4c4a0


IOS Image Load Test
___________________
Digitally Signed Release Software
program load complete, entry point: 0x81000000, size: 0x481ac1c
Self decompressing the image : ######################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################### [OK]

Smart Init is enabled
smart init is sizing iomem
TYPE MEMORY_REQ
Onboard devices &
buffer pools 0x01E8F000
-----------------------------------------------
TOTAL: 0x01E8F000

Rounded IOMEM up to: 32MB.
Using 6 percent iomem. [32MB/512MB]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

 

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.4(3)M3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Fri 05-Jun-15 12:31 by prod_rel_team


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO1921/K9 (revision 1.0) with 491520K/32768K bytes of memory.
Processor board ID FGL2217921M
2 Gigabit Ethernet interfaces
1 terminal line
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
245744K bytes of USB Flash usbflash0 (Read/Write)

 

Press RETURN to get started!


*Jan 2 00:00:02.395: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c1900 Next reboot level = ipbasek9 and License = ipbasek9
*Feb 26 02:34:44.171: c3600_scp_set_dstaddr2_idb(184)add = 80 name is Embedded-Service-Engine0/0
*Feb 26 02:34:49.095: %CTS-6-ENV_DATA_START_STATE: Environment Data Download in start state
*Feb 26 02:34:55.103: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Feb 26 02:34:55.103: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Feb 26 02:34:56.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
*Feb 26 02:34:56.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
*Feb 26 02:35:00.223: %USBFLASH-5-CHANGE: usbflash0 has been inserted!
*Feb 26 02:35:02.523: %SYS-5-LOG_CONFIG_CHANGE: Buffer logging: level warnings, xml disabled, filtering disabled, size (51200)
*Feb 26 02:35:02.531: %SYS-6-CLOCKUPDATE: System clock has been updated from 02:35:02 UTC Wed Feb 26 2020 to 21:35:02 GMT Tue Feb 25 2020, configured from console by console.
*Feb 26 02:35:02.703: %SYS-5-CONFIG_I: Configured from memory by console
*Feb 26 02:35:04.671: %LINK-5-CHANGED: Interface Embedded-Service-Engine0/0, changed state to administratively down
*Feb 26 02:35:05.979: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.4(3)M3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Fri 05-Jun-15 12:31 by prod_rel_team
*Feb 26 02:35:05.987: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Feb 26 02:35:05.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface Embedded-Service-Engine0/0, changed state to down
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------


User Access Verification

Username: q
Password:
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------

router1#show running-config
Building configuration...

Current configuration : 5452 bytes
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$yY34$yyXLY/suppuEusq3d7hTs.
enable password 22
!
no aaa new-model
clock timezone GMT -5 0
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
lease 0 2
!
!
!
ip domain name yourdomain.com
ip name-server 192.168.1.1
ip name-server 192.168.1.100
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-1801969825
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1801969825
revocation-check none
rsakeypair TP-self-signed-1801969825
!
!
crypto pki certificate chain TP-self-signed-1801969825
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FGL2217921M
!
!
username username privilege 15 secret 5 $1$YWxN$UHwecJPTcRRqbBrZc0ONu.
username radmin1 privilege 15 secret 5 $1$iBVn$GV.xMuDzS/Q3nu6kWR6GE.
username q privilege 15 secret 5 $1$xas9$L/cj5QVPtPCM7bElP3qxd.
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 192.168.1.50 255.255.255.0
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
ip address 10.10.10.1 255.255.255.128
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip default-network 192.168.1.0
ip default-network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
!
access-list 23 permit 10.10.10.0 0.0.0.127
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS


Here are the Cisco IOS commands.


username <myuser> privilege 15 secret 0 <mypassword>
no username cisco


Replace <myuser> and <mypassword> with the username and password you want
to use.


IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
exec-timeout 0 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password 11
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
password 11
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

router1#

 

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Richard Burts
Hall of Fame

michael

 

There are many things that we do not know about your network and that impacts our ability to give good advice. I agree that seeing the config of the router might provide some helpful information and is a good place to start. I have a few other questions that I hope you can answer:

- you mention the switch part of the provider netgear combo device and the LAN side of the router part. I am not clear if both parts are in the same network or different networks. When you connect pc4 on the switch part what IP address and mask does it get?

- you created network 10.10.10.0 on the Cisco router. Does the netgear know about this network? Does the netgear have a route for that network with the Cisco router as the next hop?

- is there any network address translation configured for the 10.10.10.0 network? It might be done on the Cisco router or it might be done on the netgear.

- when you connect pc4 to the switch part of the netgear am I correct in assuming that it is getting its address from the netgear using DHCP?

- when you connect pc2 to the unmanaged switch is it getting its address via DHCP or is it manually configured?

- does pc2 learn a DNS server via DHCP or does it have a manually configured DNS server, or is it possible that pc2 does not have a DNS server in its configuration?

 

Based on the little bit that we know so far I am guessing that the problem with pc2 accessing the Internet is either or both of these two things:

- netgear does not have a route for 10.10.10.0

- there is no network address translation for 10.10.10.0

And I am guessing that either pc2 does not have a DNS server in its config or that the DNS server that is in its config is not reachable (basically because of the problem accessing the Internet)

HTH

Rick

Hello Balaji and Richard,

Thank you very much for replying.

Pardon me if it is uncommon to not provide the details you asked me for.

here are the details as best as I can provide them.

I am going to split them into two replies, one with the router config regarding Balaji's question, and this one with the details Richard asked about.

 

Richard, here is a potentially better description/picture of my test lan

::::::::::::::::::

cable isp ->

co-ax port on cable modem (netgear cm-1000).

ethernet port on cable modem ->

wan port of netgear combo device (netgear n-750 gateway router/switch/wifi soho combo device).

switch port 1 of netgear combo device ->

pc4 (which is running win10 pro).

switch port 2 of netgear combo device ->

interface ge0/0 of the cisco 1921 router.

interface ge0/1 of the cisco 1921 router ->

switch port 1 of 2nd unmanaged switch.

switch port 2 of 2nd unmanaged switch ->

pc2 (which is running win10 pro).

::::::::::::::::::

-cable modem: I have not done any configuration to the cable modem, and I don't think there is anything I can change, but I did call the cable company (long ago) so they would 'allow' it on their network, and it gets me on the internet from pc4 normally.

::::::::::::::::::

-netgear n-750: this is one of those "all in one" devices where (as far as I understand it) there is a 'router part', and the router part has a wan port that connects to the ethernet port on the cable modem, and you have no control over the ip address/network the wan port of the netgear n-750 router gets from the cable isp.

 

But the 'lan side' of the router part (if that is an accurate way to refer to it) does offer you some control over it.

It is all built in to the device, so you cannot plug or unplug it from the built in switch part, but you do still have some control over it.

 

eg, I set it to be (which was the default value) on the 192.168.1.0, 255.255.255.0 network, and its address is 192.168.1.1.

 

the 'lan side' of the netgear router is also a dhcp server, and a dns server, so the dhcp and dns server address for that network is also 192.168.1.1.

the dhcp server is on, but it has a small range, and I don’t use the dhcp server for pc4 or the cisco router's ge0/0 port. Instead I am giving those devices static ip addresses.

 

The netgear router part is also a NAT router, if that is the correct way to use that term (network address translation), and it performs the NAT routing for anything that is plugged into its switch part.

 

I have ipv6 turned off at the moment.


the netgear router has a wan/gui interface.

it has a static routes page, and in it I put these values (they seem to be similar to the "route add" command in windows).

I could not find any other place that was related to adding routes.

destination ip address (but I think that should say 'destination network'): 10.10.10.0

ip subnet mask: 255.255.255.128 (I chose this because the cisco router has these default values for its ge0/0 port, I have not looked at those settings more yet, but if I change this, I cannot log into the cisco router's web gui from pc2).

gateway ip address: 128.168.1.50

metric: 10

 

::::::::::::::::::

pc4 has a static ip 192.168.1.21, subnet mask 255.255.255.0, pri dns 192.168.1.100, sec dns 192.168.1.1

192.168.1.100 is the static address of a win2016 server I have that is not part of this test network and it is not turned on at the moment, but its address is still part of pc4 and pc2's ip settings.

::::::::::::::::::

the cisco router has a static route page in its web interface too, but at this time, it has no saved static routes.

I had added a route in this, but it did not fix the problem, so I deleted it.

::::::::::::::::::

as far as NAT running on the cisco router goes, I think it has the ability, but it is turned off.

eg, I am able to log into the web gui for the cisco router from pc2 with the chrome browser, and I looked at the interfaces tab in the web gui, and there was a NAT checkbox on the ipv4 section, and it was not selected/on.

::::::::::::::::::

the cisco router has a dhcp option, and I setup a dhcp 'pool of addresses' for the 10.10.10.0 network.
the cisco dhcp server address is 10.10.10.1, and it is giving this to pc2:

ip address 10.10.10.2, subnet mask 10.10.10.128, default gateway 10.10.10.1, pri dns 192.168.1.100, sec dns 192.168.1.1

::::::::::::::::::

I hope this answers the questions you asked, and that it is not too wordy, I definitely tried to be concise.

-michael

(p.s. ..thank you again)

michael

 

Thank you for the additional information. Based on this I believe that the netgear router should have a route for the 10.10.10.0 network. And if that is the case then I would expect that pc2 should be able to ping the netgear router by IP address. Does that work?

 

If we believe that routing should be working then the explanation for why pc2 can not access Internet resources should be network address translation. I understand that the netgear router does address translation. I believe that it is likely that it is doing address translation for the 192.168.1.0 network and not doing address translation for the 10.10.10.0 network. If the netgear router allows you to configure additional networks for address translation then this would be the easy solution. If the netgear does not allow you to add 10.10.10.0 then you should be able to configure your cisco router to translate for 10.10.10.0. The result would be that Cisco does a translation of 10.10.10.0 using its 192.168.1.50 address and then netgear would translate it again using its public IP address. This is a bit more complex than having netgear do the translation for 10.10.10.0 but it should work.

 

As far as being able to ping by name, if I understand your explanation the PCs have 2 DNS server addresses, of which one is shut down and the other would be the netgear router. I would assume that the netgear would have DNS entries for public resources such as www.cisco.com etc but doubt that it would have DNS entries for pc2 or pc4. In which case not being able to ping pc to pc by name is expected.

HTH

Rick

Hello Rick,

like wow, thank you for replying, a forum like this is invaluable.

::::::::::::::::::::::::::::::

regarding your reply's 1st paragraph.

yes, pc2 (which has an ip address of 10.10.10.2) can ping the netgear router by ip address (which has an ip address of 192.168.1.1).

And yes, if I disable the static route I made in the netgear router for the 10.10.10.0 network, then the pings fail.

 

::::::::::::::::::::::::::::::

regarding your reply's 2nd paragraph.

NAT.

I don’t think I understand fully what you are saying when you say the netgear router is doing NAT for the 192.168.1.0 network, but not for the 10.10.10.0 network, but I may be a step closer to understanding it.

 

The way I thought it worked (and I'm thinking I was way off?!) was that once a packet from one network, eg 10.10.10.0, was 'routed' to another network, eg 192.168.1.0, then that packet was now 'considered to be from' the 192.168.1.0 network.

 

But now I think I see that the packet part (including the ip address) does not change when it is 'routed' to the 192.168.1.0 network.

Instead, it is the mac addresses in the frame part that changes.


So when a packet from the 10.10.10.0 network gets to the 192.168.1.1 interface, and the 192.168.1.1 interface's mac address matches, the 192.168.1.1's interface strips off the frame and looks at the packet, and the packet (even though it is 'on' the 192.168.1.0 network) still has an ip address from the 10.10.10.0 network.

 

Then, NAT sees the 10.10.10.0 network and says "I'm not going to do NAT for that network because I only do NAT for the 192.168.1.0 network", and then it fails (which must mean it drops the packet).


I could not find any option in the netgear router to 'allow' NAT for the 10.10.10.0 network.

In the netgear router's web gui, in the advanced, setup, wan setup tab, there is one NAT option that says this, "NAT filtering, disable SIP ALG, secured or open", but I don’t think that would add the 10.10.10.0 network to NAT.

 

So, I don’t think the netgear router has the ability to do NAT for anything other than the 192.168.1.0 network.

 

So, as you were saying, if I can get the cisco router to do NAT for the 10.10.10.0 network, then it would turn 10.10.10.0 packets into 192.168.1.0 packets, and then when those 'NATed packets' reached the 192.168.1.1 interface (aka the netgear router), the netgear router would say, "ok, I'll do NAT for that".

 

So, I think I am confusing what 'routing' means with what 'NAT' actually means.

So, if that is the case, then I need to find where/how to enable and configure NAT on the cisco router.

 

Do you know how to do that on the cisco 1921 router?

The only place I can find any mention of NAT is when I log into the cisco router's web gui, and go to the interfaces tab, select the edit option for each interface, open the IPv4 section, and there is a checkbox that says "enable NAT".

 

I put a check in that checkbox to enable NAT for the 10.10.10.1 interface, then I clicked ok, and then the web gui said "applying", but when it finished, I opened the IPv4 section again, and the "enable NAT" checkbox was no longer checked.

 

And now there is another row/interface on the web gui's interface tab called "NVI0", and it does not have an edit option (and I cannot delete it).

And pc2 still cannot get on the internet or ping pc4 by name.

So, I am not sure if there is something else I must do.

 

I looked elsewhere in the Cisco forums, and I found a post titled "Configuring NAT on a Cisco 1921 Router" that mentioned what seemed to be complex CLI stuff about making ACLs for each interface and other steps...(I did not try to do any of that yet), is that the way to enable NAT?

 

::::::::::::::::::::::::::::::

regarding your reply's 3rd paragraph.

the way the dns server on the netgear router does not have dns entries for pc4 and pc2 is a new concept to me, and I am not sure I understand that yet.

 

::::::::::::::::::::::::::::::

Again, thank you (incredibly) for your help and insight.

-Michael

 

Michael

 

Congratulations on getting a better understanding about the concepts of routing and address translation. Your discussion of your evolving understanding is pretty much right on target. When an IP packet is sent to a destination the source IP address and destination IP address remain the same while the mac addresses get changed at each hop. Routing is involved in determining how to forward the packet toward its destination, while address translation is used when we need to change some of the IP addresses (frequently the source IP address when the packet is going from a private network to a public network - as is your case).

 

If you can not find a way to do address translation for 10.10.10.0 on the netgear then we need to do it on the Cisco. I do not have much expertise on the gui for the 1921 and can not offer advice on how to use it to set up address translation. But I am quite familiar with doing address translation using command line. And perhaps I can suggest an approach that you will not find so complex.

- on the interface for 10.10.10.1 add the command

ip nat inside

- on the interface for 192.168.1.50 add the command

ip nat outside

- configure a standard access list that will permit the 10.10.10.0 network

access-list 10 permit 10.10.10.0 0.0.0.127

- use this command to enable address translation 

ip nat inside source list 10 interface g0/0

This will match the traffic coming from the 10.10.10.0 network and will translate its addresses to use the address of 192.168.1.50.

HTH

Rick
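
The distinction drawn in the post above (routing rewrites MAC addresses at every hop, NAT rewrites IP addresses) modelled for this thread's topology, as an added example that is not part of any post in the thread. The MAC labels, the source port 50000, the destination 198.51.100.80 and the Netgear WAN address 203.0.113.10 are constructed; the Netgear translating only 192.168.1.0/24 and dropping other sources is the thread's working hypothesis, modelled here as an assumption.

```python
import ipaddress
from dataclasses import dataclass, replace

WAN_IP = "203.0.113.10"          # constructed stand-in for the Netgear's public address
SERVER = ("198.51.100.80", 443)  # constructed Internet destination


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def acl_permits(ip, base, wildcard):
    """Standard-ACL match: wildcard bits set to 1 are ignored in the compare."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


class Router:
    def __init__(self, out_mac, out_ip, next_hop_mac, nat_acl=None, drop_unmatched=False):
        self.out_mac, self.out_ip, self.next_hop_mac = out_mac, out_ip, next_hop_mac
        self.nat_acl = nat_acl                # (base, wildcard), or None for plain routing
        self.drop_unmatched = drop_unmatched  # assumption used for the Netgear only
        self.xlate = {}                       # outside port -> (inside ip, inside port)

    def outbound(self, pkt):
        # Routing: each hop builds a new frame, so the MAC addresses always change.
        pkt = replace(pkt, src_mac=self.out_mac, dst_mac=self.next_hop_mac)
        if self.nat_acl is None:
            return pkt                        # IP header is forwarded untouched
        if not acl_permits(pkt.src_ip, *self.nat_acl):
            return None if self.drop_unmatched else pkt
        # Overload (PAT): keep the source port unless another inside host holds it.
        port = pkt.src_port
        while port in self.xlate and self.xlate[port] != (pkt.src_ip, pkt.src_port):
            port += 1
        self.xlate[port] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.out_ip, src_port=port)

    def inbound(self, dst_ip, dst_port):
        """Reply path: undo the translation recorded by outbound()."""
        if self.nat_acl is None or dst_ip != self.out_ip:
            return (dst_ip, dst_port)
        return self.xlate.get(dst_port)       # None means no matching translation


def trace(cisco_nat):
    """Send one packet from pc2 to SERVER; return (packet per segment, reply target)."""
    cisco = Router("mac:cisco-g0/0", "192.168.1.50", "mac:netgear-lan",
                   nat_acl=("10.10.10.0", "0.0.0.127") if cisco_nat else None)
    netgear = Router("mac:netgear-wan", WAN_IP, "mac:isp",
                     nat_acl=("192.168.1.0", "0.0.0.255"), drop_unmatched=True)
    pkt = Packet("mac:pc2", "mac:cisco-g0/1", "10.10.10.2", 50000, *SERVER)
    hops = [pkt]
    for router in (cisco, netgear):
        pkt = router.outbound(pkt)
        hops.append(pkt)
        if pkt is None:
            return hops, None                 # dropped, so no reply can come back
    reply = (pkt.src_ip, pkt.src_port)        # the server answers the translated source
    for router in (netgear, cisco):
        reply = router.inbound(*reply)
        if reply is None:
            break
    return hops, reply


if __name__ == "__main__":
    for nat in (False, True):
        hops, reply = trace(nat)
        print(f"--- NAT on Cisco router: {nat}")
        for seg, p in zip(("pc2 -> cisco", "cisco -> netgear", "netgear -> isp"), hops):
            print(f"{seg:17}", "DROPPED" if p is None else
                  f"{p.src_mac} -> {p.dst_mac}  {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
        print("reply delivered to:", reply)
```
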

Hello Rick,
it is awesome to hear from someone who is knowledgeable and experienced that my new understanding is accurate.

Also, when you say "..while the mac addresses get changed at each hop", it makes it even more clear (especially when thinking about when the physical layer transmission signal stuff changes, like in wan connections).

 

Thank you, too, for showing me the CLI commands to accomplish this.

I definitely do not want to think about the CLI options as being too complex.

 

I tried the commands, but pc2 is still unable to access the internet, or ping anything on the internet.


can I show you what I entered?

to make sure I told you about these settings correctly, here they are again:

the router's gigabitethernet0/0 is 192.168.1.50 (this is the one connected to the netgear router)

the router's gigabitethernet0/1 is 10.10.10.1 (this is the one that is connected to pc2)

 

this is how I entered these commands:

 

  1. I connected to the router with putty
  2. I entered "config terminal", then "interface gigabitethernet0/1", and this brought me to the (config-if) prompt
  3. then I entered "ip nat inside", and the prompt reappeared with no errors
  4. then I entered "ctrl+z" to exit the (config-if)# prompt and go back to the (config)# prompt
  5. I entered "config terminal", then "interface gigabitethernet0/0", and this brought me to the (config-if) prompt
  6. then I entered "ip nat outside", and the prompt reappeared with no errors
  7. then I entered "ctrl+z" to exit the (config-if)# prompt and go back to the (config)# prompt
  8. then, while still at the (config) prompt, I entered "access-list 10 permit 10.10.10.0 0.0.0.127"
  9. then, while still at the (config) prompt, I entered "ip nat inside source list 10 interface gigabitethernet0/0"
  10. then I tried to access the internet from pc2, but I still get the "this site cant be reached, www.cisco.com took too long to respond" error

 

so, I entered all the commands again, this time with the word "no" in front of them, and that seemed to turn off anything that I had turned on.

 

I could not do that for the "access-list" command from the cli, so for now until I learn more about the CLI commands, I opened the web gui, and there was an ACL tab, and that tab had the access list that I just created, and it let me delete it by clicking a delete button.

 

then I tried all the commands again, but pc2 still cannot access the internet.

 

can you think of anything else I can check, eg to make sure I did what you asked to do correctly, or if the settings I entered took effect correctly?

 

i entered "show ip interface brief", and this was the output:

router1#show ip interface brief
Interface                                  IP-Address    OK? Method Status          Protocol
Embedded-Service-Engine0/0 unassigned    YES NVRAM administratively down down
GigabitEthernet0/0                   192.168.1.50 YES NVRAM up               up
GigabitEthernet0/1                   10.10.10.1     YES NVRAM up               up
NVI0                                        192.168.1.50  YES unset    up               up

 

 

thank you (yet) again,

Michael

 

Hello Rick,

I was trying this some more after the earlier reply,

this is what I entered:

::::::::::::::::::::::::::::::::::::::::

enable

(for some reason, when I log into my router, it immediately goes to the privileged exec mode (where the prompt looks like this, "router1#"), so I never actually enter the "enable" command)

config terminal

interface gigabitethernet0/1

ip nat inside

exit

interface gigabitethernet0/0 

ip nat outside

exit

access-list 10 permit 10.10.10.0 0.0.0.127

ip nat inside source list 10 interface gigabitethernet0/0 

end

::::::::::::::::::::::::::::::::::::::::

but, pc2 still cannot get on the internet, or ping anything on the internet, eg google.com.

however, from pc2, if I ping google.com, it says "request timed out", but it also shows me an ip address.

 

then, if I ping google.com from pc4 (which is on the 192.168.1.0 network), the ping replies successfully, and it shows me the same ip address that pc2 showed.

so, does that mean that part of the nat is working, but not all of it?

or, is this related to the dns thing you also mentioned?

::::::::::::::::::::::::::::::::::::::::

Also, I found these commands, and if I run them, this is their output (if this is helpful?):

==========

router1#show ip nat translation

Pro Inside global               Inside local             Outside local            Outside global

--- 192.168.1.50                10.10.10.1              ---                                ---

tcp 192.168.1.50:4047    10.10.10.2:4047     13.35.86.158:443   13.35.86.158:443

tcp 192.168.1.50:4049    10.10.10.2:4049     13.35.86.158:443   13.35.86.158:443

tcp 192.168.1.50:4051    10.10.10.2:4051     13.68.93.109:443   13.68.93.109:443

tcp 192.168.1.50:4052    10.10.10.2:4052     13.35.86.158:443   13.35.86.158:443

tcp 192.168.1.50:4054    10.10.10.2:4054     13.107.3.128:443   13.107.3.128:443

tcp 192.168.1.50:4055    10.10.10.2:4055     13.68.93.109:443   13.68.93.109:443

tcp 192.168.1.50:4056    10.10.10.2:4056     13.35.86.158:443   13.35.86.158:443

udp 192.168.1.50:50035 10.10.10.2:50035   192.168.1.1:53      192.168.1.1:53

udp 192.168.1.50:53842 10.10.10.2:53842   192.168.1.1:53      192.168.1.1:53

udp 192.168.1.50:54058 10.10.10.2:54058   192.168.1.1:53      192.168.1.1:53

udp 192.168.1.50:54202 10.10.10.2:54202   192.168.1.1:53      192.168.1.1:53

udp 192.168.1.50:54899 10.10.10.2:54899   192.168.1.1:53      192.168.1.1:53

udp 192.168.1.50:59953 10.10.10.2:59953   192.168.1.1:53      192.168.1.1:53

udp 192.168.1.50:60433 10.10.10.2:60433   192.168.1.1:53      192.168.1.1:53

udp 192.168.1.50:60853 10.10.10.2:60853   192.168.1.1:53      192.168.1.1:53

udp 192.168.1.50:61613 10.10.10.2:61613   192.168.1.1:53      192.168.1.1:53

udp 192.168.1.50:64753 10.10.10.2:64753   192.168.1.1:53      192.168.1.1:53

 

router1#show ip nat statistics

Total active translations: 20 (1 static, 19 dynamic; 19 extended)

Peak translations: 53, occurred 05:26:06 ago

Outside interfaces:

  GigabitEthernet0/0

Inside interfaces:

  GigabitEthernet0/1

Hits: 3546  Misses: 0

CEF Translated packets: 21, CEF Punted packets: 1021

Expired translations: 1189

Dynamic mappings:

-- Inside Source

[Id: 5] access-list 10 interface GigabitEthernet0/0 refcount 19

 

Total doors: 0

Appl doors: 0

Normal doors: 0

Queued Packets: 0

router1#

==========

I'm gonna keep at this until i get it!

thank you,

-Michael

Michael

 

I believe that we are making progress. From what you are telling us I am confident that the DNS is working (at least for public Internet resources), especially when you say that the unsuccessful ping from pc2 to google.com shows the same address as the successful ping from pc4. 

 

Could you do a traceroute (or perhaps tracert) from pc2 to google.com and post the output? Also from the router console connection could you do a show run and post the output?

HTH

Rick

Michael

 

I realize that there was a significant flaw in my suggestions and I apologize for that. Please make these changes in your configuration:

no ip nat inside source list 10 interface gigabitethernet0/0 

ip nat inside source list 10 interface gigabitethernet0/0 overload

This will tell the address translation to translate for multiple addresses.

HTH

Rick
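Rick's four NAT steps earlier in the thread, together with the `overload` correction in the reply above, can be checked mechanically against a `show run` capture. The following Python check is an added example, not code from either poster or from Cisco; the function names and the trimmed sample configuration (built from the addresses used in this thread) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: only the NAT-relevant lines, using the thread's addresses.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.50 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.128
 ip nat inside
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
access-list 10 permit 10.10.10.0 0.0.0.127
"""


def parse_interfaces(config):
    """Map interface name -> {'network': IPv4Network or None, 'nat': role or None}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue  # pasted output is often double-spaced
        if line.startswith("interface "):
            current = interfaces.setdefault(
                line.split(None, 1)[1].lower(), {"network": None, "nat": None})
        elif not line.startswith(" "):
            current = None  # back at global configuration level
        elif current is not None:
            m = re.match(r"\s+ip address (\S+) (\S+)$", line)
            if m:
                current["network"] = ipaddress.ip_interface("/".join(m.groups())).network
            m = re.match(r"\s+ip nat (inside|outside)$", line)
            if m:
                current["nat"] = m.group(1)
    return interfaces


def parse_acl(config, acl_id):
    """Networks permitted by a standard numbered ACL (wildcard inverted to a netmask)."""
    networks = []
    ip = r"\d+\.\d+\.\d+\.\d+"
    pattern = rf"^access-list {re.escape(acl_id)} permit ({ip})(?: ({ip}))?[ \t]*$"
    for addr, wildcard in re.findall(pattern, config, re.M):
        inverted = int(ipaddress.IPv4Address(wildcard or "0.0.0.0")) ^ 0xFFFFFFFF
        try:
            networks.append(ipaddress.ip_network(
                f"{addr}/{ipaddress.IPv4Address(inverted)}", strict=False))
        except ValueError:
            continue  # non-contiguous wildcard: not expressible as one prefix
    return networks


def check_nat(config):
    """Return a list of findings; an empty list means the NAT pieces line up."""
    findings = []
    interfaces = parse_interfaces(config)
    inside = {n: i for n, i in interfaces.items() if i["nat"] == "inside"}
    outside = {n for n, i in interfaces.items() if i["nat"] == "outside"}
    if not inside:
        findings.append("no interface is marked 'ip nat inside'")
    if not outside:
        findings.append("no interface is marked 'ip nat outside'")
    rule = re.search(
        r"^ip nat inside source list (\S+) interface (\S+)( overload)?[ \t]*$", config, re.M)
    if rule is None:
        return findings + ["no 'ip nat inside source list ... interface ...' rule"]
    acl_id, nat_if, overload = rule.groups()
    if nat_if.lower() not in outside:
        findings.append(f"rule translates to {nat_if}, which is not marked 'ip nat outside'")
    permitted = parse_acl(config, acl_id)
    for name, info in inside.items():
        net = info["network"]
        if net is not None and not any(net.subnet_of(p) for p in permitted):
            findings.append(f"access-list {acl_id} does not permit {net} (inside interface {name})")
    if not overload:
        findings.append("rule has no 'overload' keyword")
    return findings


if __name__ == "__main__":
    for finding in check_nat(SAMPLE_CONFIG) or ["NAT configuration is consistent"]:
        print(finding)
```

The check covers only the NAT statements themselves; it says nothing about routing or DNS on either side of the router.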

Hello again Rick,

thank you for continuing to help me with this problem! It is definitely showing me important concepts (and configurations) in action.

 

I ran the new command[s] you showed me, but pc2 is still unable to access the internet, or ping anything on the internet or anything on the 192.168.1.0 network other than 192.168.1.1.

 

The router itself is also unable to ping anything on the internet, or anything on the 192.168.1.0 network other than 192.168.1.1, just like pc2

 

here is the output from what I tried.

I am going to split it into more than one post to make each separate post smaller

 

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

this output is from pc2,

this is a ping and a tracert to google.com:

note: I also pinged the ip address, 172.217.12.174, and it also said "request timed out" all 4 times

-I also pinged 172.217.12.174 from the router itself, and it failed too in the same way as when it pinged "google.com"

 

C:\>ping google.com

 

Pinging google.com [172.217.12.174] with 32 bytes of data:

Request timed out.

 

Ping statistics for 172.217.12.174:

    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

Control-C

^C

 

C:\>tracert google.com

 

Tracing route to google.com [172.217.12.174]

over a maximum of 30 hops:

 

  1    <1 ms    <1 ms    <1 ms  10.10.10.1

  2     *        *        *     Request timed out.

  3     *        *        *     Request timed out.

  4     *        *        *     Request timed out.

  5     *        *        *     Request timed out.

  6     *        *        *     Request timed out.

  7     *        *        *     Request timed out.

  8     *        *        *     Request timed out.

  9     *        *        *     Request timed out.

 10     *        *        *     Request timed out.

 11     *        *        *     Request timed out.

 12     *        *        *     Request timed out.

 13     *        *        *     Request timed out.

 14     *        *        *     Request timed out.

 15     *        *        *     Request timed out.

 16     *        *        *     Request timed out.

 17     *        *        *     Request timed out.

 18     *        *        *     Request timed out.

 19     *        *        *     Request timed out.

 20     *        *        *     Request timed out.

 21     *        *        *     Request timed out.

 22     *        *        *     Request timed out.

 23     *        *        *     Request timed out.

 24     *        *        *     Request timed out.

 25     *        *        *     Request timed out.

 26     *        *        *     Request timed out.

 27     *        *        *     Request timed out.

 28     *        *        *     Request timed out.

 29     *        *        *     Request timed out.

 30     *        *        *     Request timed out.

 

Trace complete.

 

C:\>

 

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

this output is from the router (while connected to the console port with putty),

this is also a ping and a tracert to google.com:

note: this output was made immediately after turning the router on (eg before running any commands),

-I ran the same ping and traceroute commands after running the new commands you showed me, and the output was the same as before I ran the commands

 

router1#ping google.com

Translating "google.com"...domain server (192.168.1.1) [OK]

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.217.12.174, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

router1#ping google.com -a

                        ^

% Invalid input detected at '^' marker.

 

router1#traceroute google.com

Type escape sequence to abort.

Tracing the route to google.com (172.217.12.174)

VRF info: (vrf in name/id, vrf out name/id)

  1  *  *  *

  2  *  *  *

  3  *  *  *

  4  *  *  *

  5  *  *  *

  6  *  *  *

  7  *  *  *

  8  *  *  *

  9  *  *  *

 10  *  *  *

 11  *  *  *

 12  *  *  *

 13  *  *  *

 14  *  *  *

 15  *  *  *

 16  *  *  *

 17  *  *  *

 18  *  *  *

 19  *  *  *

 20  *  *  *

 21  *  *  *

 22  *  *  *

 23  *  *  *

 24  *  *  *

 25  *  *  *

 26  *  *  *

 27  *  *  *

 28  *  *  *

 29  *  *  *

 30  *  *  *

router1#

 

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

this output is from pc4,

this is also a ping and a tracert to google.com:

 

C:\>ping google.com

 

Pinging google.com [172.217.12.174] with 32 bytes of data:

Reply from 172.217.12.174: bytes=32 time=19ms TTL=51

Reply from 172.217.12.174: bytes=32 time=21ms TTL=51

Reply from 172.217.12.174: bytes=32 time=20ms TTL=51

Reply from 172.217.12.174: bytes=32 time=19ms TTL=51

 

Ping statistics for 172.217.12.174:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 19ms, Maximum = 21ms, Average = 19ms

 

C:\>tracert google.com

 

Tracing route to google.com [172.217.12.174]

over a maximum of 30 hops:

 

  1    <1 ms    <1 ms    <1 ms  192.168.1.1

  2     7 ms     7 ms     8 ms  96.120.66.245

  3     9 ms     8 ms     8 ms  96.108.57.109

  4     9 ms     9 ms    10 ms  96.108.71.98

  5     9 ms    10 ms     9 ms  be-327-ar01.chartford.ct.hartford.comcast.net [96.108.71.181]

  6    13 ms    16 ms    23 ms  be-2-ar01.needham.ma.boston.comcast.net [68.87.147.149]

  7    22 ms    21 ms    20 ms  be-7015-cr02.newyork.ny.ibone.comcast.net [68.86.90.217]

  8    18 ms    20 ms    19 ms  be-10390-pe03.111eighthave.ny.ibone.comcast.net [68.86.83.90]

  9    19 ms    19 ms    19 ms  as174.600wseventh.ca.ibone.comcast.net [66.208.229.114]

 10    21 ms    19 ms    32 ms  108.170.234.16

 11    22 ms    20 ms    21 ms  172.253.70.5

 12    19 ms    19 ms    20 ms  lga25s62-in-f14.1e100.net [172.217.12.174]

 

Trace complete.

 

C:\>

 

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

-this is the output from the "show run" command

-this is a "show run" command immediately after running this command:

no ip nat inside source list 10 interface gigabitethernet0/0

 

router1#show run

Building configuration...

 

Current configuration : 5540 bytes

!

! Last configuration change at 15:47:29 GMT Sat Feb 29 2020 by q

!

version 15.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname router1

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

enable secret 5 $1$yY34$yyXLY/suppuEusq3d7hTs.

enable password 22

!

no aaa new-model

clock timezone GMT -5 0

!

!

!

!

!

!

!

!

!

!

!

ip dhcp excluded-address 10.10.10.1

!

ip dhcp pool ccp-pool

 import all

 network 10.10.10.0 255.255.255.128

 default-router 10.10.10.1

 dns-server 192.168.1.100 192.168.1.1

 lease 0 2

!

!

!

ip domain name yourdomain.com

ip name-server 192.168.1.1

ip name-server 192.168.1.100

ip cef

no ipv6 cef

multilink bundle-name authenticated

!

cts logging verbose

!

crypto pki trustpoint TP-self-signed-1801969825

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1801969825

 revocation-check none

 rsakeypair TP-self-signed-1801969825

!

!

crypto pki certificate chain TP-self-signed-1801969825

 certificate self-signed 01


        quit

license udi pid CISCO1921/K9 sn FGL2217921M

!

!

username username privilege 15 secret 5 $1$YWxN$UHwecJPTcRRqbBrZc0ONu.

username radmin1 privilege 15 secret 5 $1$iBVn$GV.xMuDzS/Q3nu6kWR6GE.

username q privilege 15 secret 5 $1$xas9$L/cj5QVPtPCM7bElP3qxd.

!

redundancy

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

 no ip address

 shutdown

!

interface GigabitEthernet0/0

 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

 ip address 192.168.1.50 255.255.255.0

 ip nat outside

 ip virtual-reassembly in

 duplex auto

 speed auto

 no mop enabled

!

interface GigabitEthernet0/1

 ip address 10.10.10.1 255.255.255.128

 ip nat inside

 ip virtual-reassembly in

 duplex auto

 speed auto

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip default-network 192.168.1.0

ip default-network 0.0.0.0

!

!

!

access-list 10 permit 10.10.10.0 0.0.0.127

!

control-plane

!

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

 

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

 

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

 

username <myuser> privilege 15 secret 0 <mypassword>

 

Replace <myuser> and <mypassword> with the username and password you want to

use.

 

-----------------------------------------------------------------------

^C

banner login ^C

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device.

This feature requires the one-time use of the username "cisco" with the

password "cisco". These default credentials have a privilege level of 15.

 

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN

CREDENTIALS

 

 

Here are the Cisco IOS commands.

 

 

username <myuser>  privilege 15 secret 0 <mypassword>

no username cisco

 

 

Replace <myuser> and <mypassword> with the username and password you want

to use.

 

 

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE

TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

 

For more information about Cisco CP please follow the instructions in the

QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp

-----------------------------------------------------------------------

^C

!

line con 0

 exec-timeout 0 0

 login local

line aux 0

line 2

 no activation-character

 no exec

 transport preferred none

 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

 stopbits 1

line vty 0 4

 privilege level 15

 password 11

 login local

 transport input telnet ssh

line vty 5 15

 privilege level 15

 password 11

 login local

 transport input telnet ssh

!

scheduler allocate 20000 1000

!

end

 

router1#

 

 

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

this is a "show run" command immediately after running this command:

ip nat inside source list 10 interface gigabitethernet0/0 overload

note (if this is important): this line,

ip nat inside source list 10 interface GigabitEthernet0/0 overload

...which is towards the end of this output and shortly before these lines,

banner exec ^C

% Password expiration warning.

...is in this output after running the new commands you showed me, but it was also in the "show run" output immediately after turning the router on and before running the new commands you showed me (I ran "show run" before running the new commands, and I saved that output so I could compare it to the output after running the commands).

 

 

router1#show run

Building configuration...

 

Current configuration : 5607 bytes

!

! Last configuration change at 16:58:42 GMT Sat Feb 29 2020 by q

!

version 15.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname router1

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

enable secret 5 $1$yY34$yyXLY/suppuEusq3d7hTs.

enable password 22

!

no aaa new-model

clock timezone GMT -5 0

!

!

!

!

!

!

!

!

!

!

!

ip dhcp excluded-address 10.10.10.1

!

ip dhcp pool ccp-pool

 import all

 network 10.10.10.0 255.255.255.128

 default-router 10.10.10.1

 dns-server 192.168.1.100 192.168.1.1

 lease 0 2

!

!

!

ip domain name yourdomain.com

ip name-server 192.168.1.1

ip name-server 192.168.1.100

ip cef

no ipv6 cef

multilink bundle-name authenticated

!

cts logging verbose

!

crypto pki trustpoint TP-self-signed-1801969825

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1801969825

 revocation-check none

 rsakeypair TP-self-signed-1801969825

!

!

crypto pki certificate chain TP-self-signed-1801969825

 certificate self-signed 01


        quit

license udi pid CISCO1921/K9 sn FGL2217921M

!

!

username username privilege 15 secret 5 $1$YWxN$UHwecJPTcRRqbBrZc0ONu.

username radmin1 privilege 15 secret 5 $1$iBVn$GV.xMuDzS/Q3nu6kWR6GE.

username q privilege 15 secret 5 $1$xas9$L/cj5QVPtPCM7bElP3qxd.

!

redundancy

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

 no ip address

 shutdown

!

interface GigabitEthernet0/0

 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

 ip address 192.168.1.50 255.255.255.0

 ip nat outside

 ip virtual-reassembly in

 duplex auto

 speed auto

 no mop enabled

!

interface GigabitEthernet0/1

 ip address 10.10.10.1 255.255.255.128

 ip nat inside

 ip virtual-reassembly in

 duplex auto

 speed auto

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 10 interface GigabitEthernet0/0 overload

ip default-network 192.168.1.0

ip default-network 0.0.0.0

!

!

!

access-list 10 permit 10.10.10.0 0.0.0.127

!

control-plane

!

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

 

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

 

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

 

username <myuser> privilege 15 secret 0 <mypassword>

 

Replace <myuser> and <mypassword> with the username and password you want to

use.

 

-----------------------------------------------------------------------

^C

banner login ^C

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device.

This feature requires the one-time use of the username "cisco" with the

password "cisco". These default credentials have a privilege level of 15.

 

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN

CREDENTIALS

 

 

Here are the Cisco IOS commands.

 

 

username <myuser>  privilege 15 secret 0 <mypassword>

no username cisco

 

 

Replace <myuser> and <mypassword> with the username and password you want

to use.

 

 

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE

TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

 

For more information about Cisco CP please follow the instructions in the

QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp

-----------------------------------------------------------------------

^C

!

line con 0

 exec-timeout 0 0

 login local

line aux 0

line 2

 no activation-character

 no exec

 transport preferred none

 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

 stopbits 1

line vty 0 4

 privilege level 15

 password 11

 login local

 transport input telnet ssh

line vty 5 15

 privilege level 15

 password 11

 login local

 transport input telnet ssh

!

scheduler allocate 20000 1000

!

end

 

router1#

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

...once again, thank you for helping me solve this problem

-Michael