How to allow my wireless network to join my AD Domain on a different subnet

jdjfive05
Level 1

Hello:

I created a network in my home where the Cisco 1841 router is connected to the Comcast router. The 2 workstations are getting IP addresses from a DHCP pool created on the Cisco router, which is using NAT. The subnet from this pool of addresses is different from the Comcast router's. I am running Active Directory on the workstations in the Cisco DHCP pool. Both of those workstations are plugged into a switch that the router is also plugged into. I would like to add wireless workstations to the domain, but since they are on different subnets they can't find the domain controller. I have added the wireless host address to DNS on the server and added reverse lookup zones for the Comcast subnet, but the workstation still will not see the domain controller. I think I need to add an access route for the Comcast network on the Cisco 1841 to allow traffic to and from the DHCP addresses handed out by the router?

Any help would be appreciated.

11 Replies

Francesco Molino
VIP Alumni

Hi

I'm not sure I get your point. 

If from one network on the Cisco router you aren't able to reach your DC server, it is due to a routing issue (maybe you missed a static route) or a NAT issue (maybe the packet going to your DC server from your LAN is NATed and the DC isn't able to find the return route).

In order to help, could you share a quick design and config from your router? Then I would be able to help and send you the missing config.

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Sorry let me map this out a little better:

1.  Comcast router is network 10.x.x.x

2.  Cisco 1841 router connected to Comcast router via fa0/0, DHCP, NAT outside

3.  Cisco 1841 router connected to switch via Fa0/1. IP: 192.168.1.1, NAT inside

4.  IP pool defined: 192.168.1.0

5.  Default router is 192.168.1.1

6.  I have an access list defined permitting the 192.168.1.0 network.

7.  I have a server w/Active Directory and a W10 workstation connected to the switch, getting IPs via DHCP from the Cisco router. They are both on the same domain.

8.  I have a 3rd workstation that is connected via Comcast wireless access. It's on the 10.0.x.x network and can't see the 2 other workstations on 192.168.1.x.

9.  I have DNS running on my server w/forward and reverse lookup zones and added the host for the workstation that's on the wireless network 10.0.x.x.

From the 2 workstations connected to the switch in the 192.168.x.x network I can ping the Comcast network 10.0.0.x and I can connect to the public folders of the wireless workstation (using IP, not host name), but I can't ping or connect to either of the 2 workstations on the 192.168.x.x network FROM the workstation on the wireless network 10.0.0.x.

I'm thinking maybe it's because no access list is defined on the router to allow traffic from the 10.0.x.x network to the 192.168.x.x network? I'm just not sure where it should go.

Below is the running config of the Cisco 1841 router:

R1#sh ip int brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 10.0.0.20 YES DHCP up up
FastEthernet0/1 192.168.1.1 YES NVRAM up up
Serial0/0/0 unassigned YES NVRAM administratively down down
Serial0/1/0 unassigned YES NVRAM administratively down down
Serial0/1/1 unassigned YES NVRAM administratively down down


!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.5
!
ip dhcp pool InsideDHCP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 75.75.75.75 75.75.76.76 98.203.121.171
!
!
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
 description External Interface to the Internet
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Internal Interface for private clients
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Serial0/1/0
 no ip address
 shutdown
 clockrate 2000000
!
interface Serial0/1/1
 no ip address
 shutdown
 clockrate 2000000
!
ip classless
no ip http server
ip nat inside source list 101 interface FastEthernet0/0 overload
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end

Hello

I am running Active Directory on the workstations 

You mean these PCs are in an AD domain?

Can you ping your Domain Controller via IP from the workstations or from the LAN subnet interface of the Cisco router?

Is traceroute successful from either the PCs or the Cisco router?

Is this DC external to the LAN?

Do you have this LAN subnet defined in Sites and Services of the AD domain?

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


Please don't post your answer twice, otherwise we will miss something and everyone will be lost, including you :-)

Ok, let me do a recap to verify that I've understood.

1. You have 1 router for your internal LAN 192.168.1.0/24 and another router for wireless with network 10.0.0.0/24. Is this 1st statement right?

2. Both routers are interconnected using the 10.0.0.0/24 network. All users from 192.168.1.0/24 are NATed to your f0/0 (WAN) interface, which gets an IP in the 10.0.0.x network by DHCP. In that case you are able to reach machines on the 10.0.0.0/24 network.

3. You would like to reach 192.168.1.0/24 hosts from your 10.0.0.0/24 hosts.

- Why are you using NAT between those 2 internal networks? As per your description you have 2 routers with 2 private address ranges.

- On the 2nd network, you can have a route saying that 192.168.1.0/24 is behind interface x/x, but no NAT is needed in that case.

- If it's for specific hosts (DNS, AD), you need to do static NAT to the 10.0.0.0/24 network. That means your 10.0.0.0 hosts will access DNS and AD with a 10.0.0.x IP address instead of 192.168.1.x ==> Is that what you want?

Ok, let me know which solution between 2 and 3 you want to do, and I will help you with the config.

If you want to do solution 3, to map some internal servers that must be accessible from the 10.0.0.0 network, the command should be:

ip nat inside source static Real-srv-ip-192.168.1.x Map-ip-srv-10.0.0.x ==> This has to be done on your Cisco router

Thanks
Francesco

Hello:

Thanks for the reply.  Sorry for the additional questions, but I guess I'm trying to really understand the routing statements.

You indicate that  "On the 2nd network, you can have a route saying that 192.168.1.0/24 is behind interface x/x but not nat needed in that case".

Are you saying that this statement should not have the final line "ip nat inside"?

     interface FastEthernet0/1
     description Internal Interface for private clients
     ip address 192.168.1.1 255.255.255.0
     ip nat inside

Basically what I need help with is the statement to allow hosts from 10.0.0.0/24 to reach hosts on 192.168.1.0, where my AD server is, so I can bring the wireless workstation into the same domain.

You ask: It is for specific hosts (DNS, AD).   you need to do static NAT on the 10.0.0.0/24 network. That mean's from your 10.0.0.0 hosts, they will access DNS, AD with a 10.0.0.x IP address instead of 192.168.1.x ==> Is that you want ?   YES

Again, forgive me for the additional questions, but I don't totally understand your statement:  :-(

ip nat inside source static Real-srv-ip-192.168.1.x Map-ip-srv-10.0.0.x ==> This has to be done on your cisco router. 

Should my command be:

ip nat inside source static 192.168.1.6 255.255.255.0 10.0.0.0 ?

Thanks for your help understanding this.  :-)

What I'm saying is:

- You have a 2nd router in front of the Cisco router that is acting as a wireless access point, correct?

- Is the Internet connected directly to this wireless router?

Based on your response, you can simply route traffic between those 2 routers, and NAT is done in your wireless router for Internet access.

If you need (or want) to NAT traffic from one router to the other, and at the same time only the DNS and AD server have to be accessible from the wireless network, you need to NAT them to a 10.0.0.x address. In that case the command should be:

Let's assume that the internal DNS server has the IP 192.168.1.6 and you would like to NAT it to 10.0.0.6 (this will be the IP to reach DNS from the wireless network 10.0.0.0):

ip nat inside source static 192.168.1.6 10.0.0.6

Paul is right too. You set public DNS in your DHCP pool. You will need to add a default route. If the route is sent by the DHCP server, then the command to apply is the one Paul gave you in his last answer.

Hope this is clear.

Thanks
Francesco

I want to thank you both for your help with me understanding the routing. You are correct that I have a Comcast modem connected to the Cisco router, and that modem has the wireless access point handing out 10.0.x.x addresses. And yes, the Internet connects directly from the Comcast modem for wireless.

My server also has DNS turned on and is getting its addresses from the Cisco router. Should I not have the AD server's DNS turned on, since I have DNS being pushed out from the Cisco router?

I tried your statement:

ip nat inside source static 192.168.1.6 10.0.0.19 (wireless device), and I get a duplicate address error on the router and it still can't ping 192.168.1.6

I also tried the default route by paul:

IP route 0.0.0.0 0.0.0.0 dhcp 

and I still could not contact the server at 192.168.1.6

Could the extra NAT statement here be causing the issue:

interface FastEthernet0/1
description Internal Interface for private clients
ip address 192.168.1.1 255.255.255.0
ip nat inside

Again, thanks for your help and patience! 

Ok, I will try to explain in a simple way.

1. As your Internet access is connected behind your Comcast modem: if you remove the NAT feature on the Cisco router, can hosts behind the Cisco router access the Internet, or do you need to do NAT? If accessing the Internet is fine for the 192.168.0.0/24 machines without NAT, just do simple routing, and PCs from 10.0.0.0/24 can talk with PCs in the 192.168.0.0/24 network.

2. If you need NAT because the 192.168.0.0/24 machines can't access the Internet, you need to add a NAT statement for your servers to be reachable from your wireless network. The statement I gave with IP 10.0.0.19 was an example. You need to replace that IP with a free one on your network, otherwise you'll get a duplicate IP. Same thinking for 192.168.1.6: it should be replaced by the real server IP.

3. It's up to you if you want to use your internal DNS server capabilities. If you want to, then in the DHCP pool just delete all the other DNS servers and push your server IP as DNS. Your server must be configured correctly with forwarders to Internet DNS in order to resolve public names.

4. For ip route dhcp: that means your other router is not giving a default route in the DHCP answer. Then use ip route 0.0.0.0 0.0.0.0 f0/0

Hope this is a little bit clearer.

Thanks
Francesco

Hi Jd,

The problem seems to be on your Comcast modem.

Let's say you are trying to ping 10.0.0.16 from 192.168.1.10.

So when you try to ping 10.0.0.16 from your inside (i.e. 192.168.1.10), the traffic hits the inside interface of the Cisco router where you have the NAT statement, and as per the NAT statement the source IP gets changed from 192.168.1.10 to 10.0.0.20 (which is the fa0/0 interface IP) and gets forwarded to the Comcast device.

The Comcast device knows where the destination (10.0.0.16) is and forwards the traffic to it. The return traffic from the destination now has a source of 10.0.0.16 and a destination of 10.0.0.20, which the Comcast device forwards to the Cisco router (as the destination is the fa0/0 interface IP). The Cisco router receives it, changes the destination IP back to 192.168.1.10 based on the NAT translation, and forwards it to the PC.

All this works as expected, and as per your first test.

However, when you try to ping the 192.168.1.x subnet from the machine connected to the wireless network (10.x.x.x), the Comcast device might not even be aware of that subnet, and thus the traffic is getting dropped.

For this to work you would need static NAT entries on the Cisco router as follows:

Let's say your AD/DNS servers on the inside are 192.168.1.10 and 192.168.1.11.

We need two IP addresses in the 10.x.x.x subnet which are not being used. Let's say 10.0.0.10 and 10.0.0.11.

Configure the NAT statements as:

ip nat inside source static 192.168.1.10 10.0.0.10

ip nat inside source static 192.168.1.11 10.0.0.11

What this will do is create static NAT entries, so anything hitting 10.0.0.10 and 10.0.0.11 will be translated to 192.168.1.10 and 192.168.1.11.

Now, from the machine connected to the Comcast wireless, try reaching the IP addresses 10.0.0.10 and 10.0.0.11. You might also need some routing (a static route) on the Comcast side so that requests for these IPs are forwarded to the Cisco router; only then will the translation table be hit and the router forward the request to the internal IP address.

Hope this helps.

Hello

If you can ping from the workstations to that 10.x.x.x subnet then your routing seems fine. However, initiating ICMP from that 10.x.x.x subnet suggests a FW is prohibiting ICMP requests, and maybe these PCs have a software FW enabled to drop echo requests but not echo replies.

Also, I don't see any default route for external routing, but your DHCP is showing external DNS servers and no internal DNS server for DNS forwarding.

Try:

1) Disabling any software firewalls on the PCs, or allowing echo requests

2) Adding an internal DNS server in the DHCP scope (if applicable)

3) Adding a default route for external traffic <-----  ip route 0.0.0.0 0.0.0.0 dhcp

res

paul



Kind Regards
Paul
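
Added example, not posted by anyone in the thread: one set of Cisco 1841 changes that pulls together Francesco's static NAT for the server, the packet-flow explanation of why the NATed return path breaks, and Paul's default route and internal DNS points, plus the access-list and verification steps a practitioner would want before exposing a domain controller to a wireless segment. Assumptions, labelled in the comments: the AD/DNS server is 192.168.1.6 (the address the poster tried); 10.0.0.6 is a free address outside the Comcast DHCP range; the Comcast gateway's LAN address is 10.0.0.1; whether that gateway can hold a static route is unknown, so both the routed and the static-NAT variants are shown. The port list is the standard set a Windows domain member needs, not something the thread states.

```cisco
! Added example (not from the thread). Assumed: AD/DNS server 192.168.1.6,
! free wireless-side address 10.0.0.6, Comcast gateway 10.0.0.1.
!
! 1. Exempt LAN <-> wireless traffic from the overload NAT.
!    With the posted "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
!    a reply from 192.168.1.6 to a 10.0.0.x client is rewritten to come from
!    10.0.0.20, so the client discards it. A deny line first in the NAT ACL
!    fixes that. Clear existing translations (exec mode) before removing
!    the ACL that the NAT rule references.
clear ip nat translation *
no access-list 101
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/0 overload
!
! 2. Default route. This installs the gateway learned by DHCP on fa0/0.
!    Check with "show ip route" (expect an S* 0.0.0.0/0 line); if none
!    appears, point at the gateway explicitly: ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 0.0.0.0 0.0.0.0 dhcp
!
! 3. Hand out the internal DNS server. Domain join needs the _ldap._tcp
!    SRV records that only the AD-integrated DNS holds; the public resolvers
!    in the posted pool cannot answer them.
ip dhcp pool InsideDHCP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 no dns-server
 dns-server 192.168.1.6
!
! 4. Return path. The Comcast gateway must route 192.168.1.0/24 to the
!    1841's fa0/0 address:   192.168.1.0/24 via 10.0.0.20
!    If it accepts that static route, wireless clients use 192.168.1.6 as
!    DNS and join the domain with no NAT on this path at all.
!
! 5. If the gateway cannot hold a static route, expose only the server via
!    a 1:1 static NAT on a FREE 10.0.0.x address. Reusing an address that is
!    already in use (10.0.0.19 above) is what produced the "duplicate
!    address" error. Caveat: the server's DNS still answers 192.168.1.6 for
!    the domain's A and SRV records, so this alone gives wireless clients
!    name resolution but not the SRV-driven domain-join path; step 4 is
!    still required for the join itself.
ip nat inside source static 192.168.1.6 10.0.0.6
!
! 6. Least privilege on the wireless side: permit only what a domain member
!    needs (DNS, Kerberos, NTP, RPC endpoint mapper, LDAP/LDAPS/GC, SMB,
!    kpasswd, RPC dynamic range), log and deny anything else into the LAN,
!    and leave other traffic (replies to the LAN's Internet sessions) alone.
!    Inbound ACLs are evaluated before outside-to-inside translation, so if
!    step 5 is used instead of step 4, write these entries against host 10.0.0.6.
ip access-list extended WIFI-TO-LAN
 permit udp 10.0.0.0 0.0.0.255 host 192.168.1.6 eq 53
 permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.6 eq 53
 permit udp 10.0.0.0 0.0.0.255 host 192.168.1.6 eq 88
 permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.6 eq 88
 permit udp 10.0.0.0 0.0.0.255 host 192.168.1.6 eq 123
 permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.6 eq 135
 permit udp 10.0.0.0 0.0.0.255 host 192.168.1.6 eq 389
 permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.6 eq 389
 permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.6 eq 445
 permit udp 10.0.0.0 0.0.0.255 host 192.168.1.6 eq 464
 permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.6 eq 464
 permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.6 eq 636
 permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.6 eq 3268
 permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.6 range 49152 65535
 permit icmp 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255 echo
 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip any any
interface FastEthernet0/0
 ip access-group WIFI-TO-LAN in
!
! Verify from the router:
!   show ip route                 -> S* 0.0.0.0/0 present
!   show ip nat translations      -> "--- 10.0.0.6  192.168.1.6  ---  ---" (the static entry)
!   show access-lists WIFI-TO-LAN -> permit-line counters climb while a wireless
!                                    client joins; the deny line's counter and
!                                    its log messages show what else it tried
```

The deny line in step 1 is the piece none of the replies spell out: without it, traffic from the wireless network can reach the server once the gateway has a route, but every reply is source-translated to the 1841's WAN address and the session never completes, which matches the one-directional behaviour described in the original post. Step 6 is optional for connectivity but is what keeps a one-line static NAT from exposing every listening port on the domain controller to whatever joins the wireless network.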