Thank you very much for the help Peter!

After applying your changes I am now able to ping the nameservers (from SDM and through DOS ping.) Now that that has been solved though, another issue has shown up. I am not getting name resolution (I think, I should say.) The PCs indicate that they have internet connectivity, but browsers are unable to go anywhere using resolved names, I didn't know any IP addresses off hand so I'm going to switch over in a moment and try this site's IP in a moment. Just wanted to say thanks first.

I'll post in a moment with my results of the next test.

I also wanted to note that initially I had no ACLs (that I'm aware of) in the 1811, but added them through the SDM in a last ditch effort to allow every kind of communication I could find. So I'm guessing that the default route issue was the problem. One last question though, shouldn't I be defining a default route somewhere that uses the default gateway address which shows up in the Netgear's WAN setup, which is actually the cable modem's inside address?

Terry,

You are welcome.

Please verify if your PCs that get their IP configuration from the DHCP server on the 1811 also get the IP address of a DNS server. If not, try to deactivate and reactivate the network card on the PC and see if the DNS address has been supplied via DHCP. If not then it is possible that this setting is not provided to your router automatically, and has to be statically defined in your DHCP configuration as follows:

configure terminal

ip dhcp pool sdm-pool

dns-server X.X.X.X Y.Y.Y.Y ...

end

write

where X.X.X.X and Y.Y.Y.Y are the IP addresses of DNS servers to be assigned to PCs - there can be multiple addresses present in a single dns-server command.

Please do not put the ACLs back just yet. First, let's get your communication working fully without them. After that, we can put them back after correcting some of them.

Regarding the default route: you could add such a default route to your configuration. Then again, this route is already being added to your router dynamically via DHCP, so it is not necessary to have it configured.

Best regards,

Peter

Hey Peter, Thanks Again!!

While waiting for your next reply I went back to the router console and tried simply enabling domain-lookup and I'm proud to say that I am replying to this post through the 1811.

You've been a huge help, and I really appreciate it (so does my hair.) I got so excited about connectivity that I completely forgot about ACLs for a moment, so I'm real glad you mentioned them again. I'm going to wait and see what you've got to say before I attempt anything else.

If I could borrow a little bit more of your expertise... when we purchased the 1811 (on Ebay) it was pictured with the antennas and listed as an 1811w, which is isn't as it doesn't have a radio or spaces in the casing where antenna connections would come through. Anyway, I'm thinking that I'll use the Netgear as a zone router for the wireless machines. This means that I will have to turn on the RIP protocols correct? Would I then have to add any wireless com considerations in the 1811's setup? Should I set up the switchport and Netgear with statics?

Thanks again for all your help.

Hi Terry,

Wonderful - thanks for your generous ratings and letting me know that you gradually got it running

As it is 1:25am here in Slovakia, and I must be getting up again in 5 hours, i have to apologize and have some sleep but I promise to post the corrected ACLs for you here in the upcoming 24 hours. Please do test your configuration in the meantime - try even powering your 1811 off and back on and see if everything comes back up properly, and do come back with any remaining issues you might have.

Best regards,

Peter

Hello Terry,

Regarding your ACLs...

If you do not plan to limit the access of your internal network to the internet then you do not need the ACL 100. You may delete it in that case.

The ACL 101 needed a bit of reworking, mostly due to DHCP and the most usual protocols that need to be statically enabled.

This is the list of changes I would personally suggest pasting to your router configuration.

no ip dhcp pool AIWNet
no ip address-pool local
!
ip dhcp pool sdm-pool
 lease 0 1
!
interface FastEthernet0
 no ip access-group 101 in
 no ip access-group sdm_fastethernet0_out out
!
interface Vlan1
 no ip access-group 100 in
!
no access-list 100
no access-list 101
no ip access-list extended sdm_fastethernet0_out
!
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 68.105.29.16 eq domain any
access-list 101 permit udp host 68.105.28.16 eq domain any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any log
!
interface FastEthernet0
 ip access-group 101 in

This configuration changes replace the ACL 101, delete the unused ACLs 100 and sdm_fastethernet0_out and also remove some superfluous or too generous settings.

Regarding your question about the Netgear and wireless access: whether you need to run RIP depends on the setting of the Netgear. If it is configured to work as a router between its wireless and wired interface then some kind of routing is called for. It does not have to be RIP - a static route in your case would be perfectly sufficient, without the overhead of running a dynamic routing protocol. The easiest way to set up this, however, would be if you could configure your Netgear for a switched/bridged operation between its wireless and wired ports, and connect it to your 1811. This way, the wired and wireless network would share the same IP space and no further configuration on the 1811 would be necessary. I assume that the Netgear already has some LAN ports which are bridged with the wireless interface - so it should suffice to connect one of Netgear's LAN ports to the 1811 LAN port.

Please back up your configuration before making my suggested changes so that you can revert back to it in case something goes wrong. Also, after modifying the configuration, do not forget to store it, and try restarting the 1811 to see if everything comes up properly after reboot.

Best regards,

Peter

not sure if you'll be coming back, but just in case you do... Thanks again for all of your help Peter.

I should note that I was mistaken on Saturday when I reported that I was successfully browsing through the 1811. I had forgotten to switch my browser PC over and fooled myself because I had just been working on my console PC. When I discovered my blunder I switched the browser PC over and alas, I was still not getting name resolution.

Today is the first day that I've had any time to even look at the 1811 and I won't be able to test connectivity until about 3:30 Pacific Standard, after most everyone has already gone home for the evening. I have entered the ACL changes you suggested, and while looking at the running config I noticed that my "ip dhcp-pool" settings already include a "dns-server" line with both servers listed. I must have l must have put it there back on Saturday.

If I'm not typing into a cyberspace black hole, I'll let you know how it goes this afternoon.

Thanks again, Peter

p.s. where would i find any research material that would have enlightened me as far as proper default routing and some of the other bits of cisco gold you've given me? Some of my incorrect entries come straight out of the documentation/papers/discussions I have read.

Hello Terry,

You are welcome!

After you perform the tests today, please do come back and tell me what works and what does not. If your name resolution in particular does not work, please verify that your PC stations are being assigned the correct DNS server. You may also want to verify the basic IP and NAT connectivity by pinging an external IP address (you may try pinging the 158.193.138.40 or 87.197.31.42, these should answer).

In any case, please attach the most recent version of your running-config.

Regarding the research material... To be honest, I do not even remember where did I get that information I provided you with. Being several years with Cisco devices, you simply learn things. But in your case, the problem was caused by the fact that a static route that points out an interface without a next-hop address is considered a directly connected network. And, naturally, as for all directly connected networks, there is no more routing expected - the router thinks that it can talk to each destination directly. In your case, your router was thinking that the entire internet "sits" on the cable behind the Ethernet interface. As a result, the router tried to ARP for each and every destination IP address in a packet being routed out that interface, and naturally, nobody responded because nobody had that particular IP address on that segment.

If the cable modem supported the so-called Proxy ARP function (answering ARP replies even if I do not have the IP address that is being searched for but I know how to reach it), it would apparently work but you would get a separate ARP cache entry for each destination address you spoke to, growing possibly to hundreds or thousands of entries.

Looking forward to reading from you.

Best regards,

Peter