Solved: Cisco 4351 with three ports and one connects to the internet.

Jobee1 · ‎11-12-2025

I am recently retired from IT, with NO routing experience, so don't be surprised if I say something anything that is incorrect. I'm working on a home lab to isolate my experimentation from the rest of the house and I have a problem - my Cisco 4351 has three ports and subnets, and the port/subnet that is my internet connection is the only one that connects to the internet - the other two just time out. Here's my setup:

192.168.1.9 >> 192.168.1.99-RaspPi-192.168.0.123 >> 192.168.0.1 >> Internet

1.9 is the router port that connects to my Raspberry Pi at 1.99. The other side of the Pi is 0.123, which connects to my home router, 0.1, and from there to the internet. Here is my configuration information:

GarageRouter#show running-config | section dhcp
ip dhcp excluded-address 10.10.20.1 10.10.20.10
ip dhcp excluded-address 10.10.0.1 10.10.0.10
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool 10.10.0.5
network 10.10.0.0 255.255.255.0
default-router 10.10.0.5
dns-server 63.135.49.10 8.8.8.8
ip dhcp pool 10.10.20.5
network 10.10.20.0 255.255.255.0
default-router 10.10.20.5
dns-server 63.135.49.10 8.8.8.8
ip dhcp pool 192.168.1.9
network 192.168.1.0 255.255.255.0
default-router 192.168.1.9
dns-server 63.135.49.10 8.8.8.8
GarageRouter#

GarageRouter#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.0.1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.0.0/24 is directly connected, GigabitEthernet0/0/0
L 10.10.0.5/32 is directly connected, GigabitEthernet0/0/0
C 10.10.20.0/24 is directly connected, GigabitEthernet0/0/2
L 10.10.20.5/32 is directly connected, GigabitEthernet0/0/2
S 192.168.0.0/24 [1/0] via 192.168.1.99
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0/1
L 192.168.1.9/32 is directly connected, GigabitEthernet0/0/1
GarageRouter#

Each port can ping the other two ports. Adding a gateway of last resort allowed my internet port reach the internet, so since I had nothing to lose I added one to the other two interfaces, but no joy. In my wanderings across the internet I have found some conflicting information so I have come here to see if any of you can point out the error of my way. Again, this is my first experience at doing router configuration so don't worry about upsetting or offending me.

Thanks,

Joe B

Giuseppe Larosa · ‎11-15-2025

Hello @Jobee1 ,

you need to put the static routes not on the router itself but on the other hosts 192.168.1.34 and 192.168.1.43 to make them able to reply to ping request.

the router is complaining that the next-hop is itself.

Hope to help

Giuseppe

View solution in original post

Ben Weber · ‎11-12-2025

Hey Joe

You're close!

You need to configure Network Address Translation (NAT) on the Cisco router to allow for traffic from the private subnets to be routed over the Internet.

I'll leave this here to let you figure out how to get NAT up and running (it's not too tricky once you understand why it's required): https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

Good luck, and welcome to the world of networking!

- BW
Please rate posts if they have been helpful.

Jobee1 · ‎11-13-2025

Thanks for the quick reply. I forgot to mention that the 192.168.0.1
address is a home router. I CAN reach the internet from my Cisco router,
so shouldn't the rest of the devices be able to reach it?

GarageRouter#ping yahoo.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.137.11.164, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/14/15 ms
GarageRouter#

Thanks,
Joe

Giuseppe Larosa · ‎11-13-2025

Hello @Jobee1 ,

as noted by @Ben Weber you need to configure NAT.

All the internal subnets of your Cisco router can be mapped to the external interface IP address 192.168.1.9.

To be noted this IP address is later translated on another device either the raspberry or your home router.

As an alternative NAT for Cisco router internal subnets can be performed on the home router but in this case all devices need static routes for them

the subnets are 10.10.0.0/24 and 10.10.20.0/24.

These have to be NATTed to be able to reach the internet.

Hope to help

Giuseppe

Jobee1 · ‎11-13-2025

Ok, out of curiosity I just did another test - I plugged my laptop into the 0/0/0 (10.10.0.5) interface and then the 0/0/2 (10.10.20.5) interface. I was able to ping the 0/0/1 interface (192.168.1.9) while connected to each of those interfaces, so I tried pinging two other devices, 192.168.1.34 and 192.168.1.43, on that subnet. No replies. While looking on the internet for help I read that I didn't need VLANs because by default the interfaces can speak to each other. Is that correct or not? I don't know where to go from here...

Thanks,

Joe

Giuseppe Larosa · ‎11-13-2025

Hello @Jobee1 ,

>> I plugged my laptop into the 0/0/0 (10.10.0.5) interface and then the 0/0/2 (10.10.20.5) interface. I was able to ping the 0/0/1 interface (192.168.1.9) while connected to each of those interfaces, so I tried pinging two other devices, 192.168.1.34 and 192.168.1.43, on that subnet

Yes, this happens because the Cisco router is able to route between interfaces. The other hosts like 192.168.1.34 and 192.168.1.43 need static routes pointing to the Cisco router IP 192.168.1.9 to be able to answer to ping echo requests started from internal subnets 10.10.0.0/24 and 10.10.20.0/24.

In Cisco CLI a static route is like the following:

ip route 10.10.0.0 255.255.255.0 192.168.1.9

ip route 10.10.20.0 255.255.255.0 192.168.1.9

Similar commands are available for windows or linux systems.

The alternative to these static routes is to configure NAT on the Cisco 4351 router.

Either you need static routes for return traffic or you need to translate internal addresses to 192.168.1.9 to hide them.

Hope to help

Giuseppe

Jobee1 · ‎11-14-2025

Hello Giuseppe. I tried entering those two static routes, but my router doesn't like the commands:

GarageRouter(config)#ip route 10.10.0.0 255.255.255.0 192.168.1.9
%Invalid next hop address (it's this router)
GarageRouter(config)#ip route 10.10.20.0 255.255.255.0 192.168.1.9
%Invalid next hop address (it's this router)
GarageRouter(config)#

What am I doing wrong?

Joe

Giuseppe Larosa · ‎11-15-2025

Hello @Jobee1 ,

you need to put the static routes not on the router itself but on the other hosts 192.168.1.34 and 192.168.1.43 to make them able to reply to ping request.

the router is complaining that the next-hop is itself.

Hope to help

Giuseppe

Jobee1 · ‎11-16-2025

Thank you so very much Giuseppe, that was it!!!! And I appreciate your hanging in there with me. Here is how to add a route on a Windows machine, both server and workstation:

For anyone else trying to gain internet access from a Windows machine in a private network, here is what I did to gain access to the internet from my lab, across my home network. First, open a command prompt with administrative privileges: 1) Right-click on the Command Prompt icon 2) In the option window right-click on Command Prompt and select Run as administrator 3) In the Administrator Command Prompt window type the route add command like I did here, but replace the network address (10.10.0.0), the net mask (255.255.255.0), and the next hop (192.168.1.9) with the addresses you are using on your system.

route add 10.10.0.0 mask 255.255.255.0 192.168.1.9

route add 10.10.20.0 mask 255.255.255.0 192.168.1.9

Thanks again, Giuseppe!

Joe