Here there!  Thanks for replying!

I went ahead and pulled this beast back behind the wireless so it is no longer exposed to the outside.   I have attached the config so you can review it.  Good to know I can concatenate ip's to an individual access list.  I can ping 192.168.42.5 on the computer, I can ping 192.168.41.1 on the computer.  I can ping google.com from the Cisco router usb console but am unable to ping google.com from the computer.  Just running a laptop connected to g0/2 with 192.168.41.29 as ip, mask 255.255.255.0, gateway 192.168.41.1

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname tri
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xx
!
no aaa new-model
memory-size iomem 25
!
no ipv6 cef
!
!         
!
!         
!
ip name-server 68.105.28.16
ip name-server 68.105.29.16
ip cef    
multilink bundle-name authenticated
!         
!
crypto pki token default removal timeout 0
!
!         
license udi pid CISCO2911/K9 sn FTX1648AKVJ
license accept end user agreement
license boot module c2900 technology-package datak9
!         
!
!         
redundancy
!         
!
!         
!
!         
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown 
!
interface GigabitEthernet0/0
 description TEMP CONN TO WIRELESS
 ip address 192.168.42.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN TO INTRANET
 no ip address
 ip nat inside
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
!         
interface GigabitEthernet0/2
 description WIRELESS TO FIBER 
 ip address 192.168.41.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!         
!
ip default-gateway 192.168.42.1
ip forward-protocol nd
!         
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source list 23 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.42.1
!
access-list 23 deny   any
access-list 23 permit 192.168.41.0 0.0.0.255
!
!         
!
!         
!
!         
control-plane
!         
!
!         
line con 0
 password xxx
 login
line aux 0
 password xxx
 login    
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
  transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password xxx
 login    
 transport input all
!         
scheduler allocate 20000 1000
end

A couple of things

in your config

access-list 23 deny   any < will stop all packets
access-list 23 permit 192.168.41.0 0.0.0.255 <never get a hit because of line above

so get rid of "access-list 23 deny   any"

also has the 192.168.42.1 device got a route back to the 192.168.41.0/24 network.

" ip route 192.168.41.0 25.255.255.0 192.168.42.5"

HTH

Richard.

If I put in ip route I get this error message: 

%Invalid next hop address (it's this router)

I still can ping the router and g0/0, g0/2, just not 192.168.42.1 (default Gateway, the wireless router that the cisco 2911 is plugged into from g0/0) from the computer.  Still can ping 192.168.42.1 and google.com from the router.

Ye the acl is on the wrong order they always start from top down from least most specific rule to least usually , going by your original config this is what I would have set to get it running , what the below says is anything coming from the 192.168.41 or 42 network nat to the public ip address , also gives default route as edge route pointing everything out to public ip as that's the only way you can go

interface GigabitEthernet0/0

 description WAN TO INTERNET
 ip address x.x.62.166 255.255.255.248

 ip nat outside

 ip virtual-reassembly in

 duplex auto

 speed auto

!

interface GigabitEthernet0/1

 description LAN TO INTRANET

 ip address 192.168.42.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

 duplex auto

 speed auto

!

interface GigabitEthernet0/2

 description WIRELESS TO FIBER

 ip address 192.168.41.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

 duplex auto

 speed auto

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 x.x.62.161

!

access-list 1 permit 192.168.41.0 0.0.0.255

access-list 1 permit 192.168.42.0 0.0.0.255

access-list 1 deny any

Doesn't work.  This is why this is getting frustrating.  Very very frustrating.

To be able to work on this without network interruption on the floor, I have to put this thing behind the cisco wireless.

So here's the new config with your exact changes:

ip name-server 68.105.28.16

ip name-server 68.105.29.16

!

interface GigabitEthernet0/0

 ip address 192.168.42.5 255.255.255.0

 ip nat outside

 ip virtual-reassembly in

 no ip route-cache

 duplex auto

 speed auto

!

interface GigabitEthernet0/1

 ip address 192.168.41.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

 no ip route-cache

 duplex auto

 speed auto

!

interface GigabitEthernet0/2

 no ip address

 ip virtual-reassembly in

 no ip route-cache

 shutdown 

 duplex auto

 speed auto

!

!         

ip default-gateway 192.168.42.1

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!         

no ip nat service sip udp port 5060

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 192.168.42.1

!         

access-list 1 permit 192.168.41.0 0.0.0.255

access-list 1 permit 192.168.42.0 0.0.0.255

Except "deny all" gives me:Translating "deny"...domain server (68.105.28.16)

I have a Cisco wireless router facing the internet on network 192.168.42, the bottom 100 are not dynamically assigned so I know .5 works as I can ping out of the router when assigning g0/0 to .5 and "ping google.com".  Which works.  If I call traceroute:

Translating "google.com"...domain server (68.105.28.16) [OK]

Type escape sequence to abort.

Tracing the route to google.com (216.58.219.14)

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.42.1 4 msec 4 msec 0 msec

  3 wsip-184-176-47-136.sd.sd.cox.net (184.176.47.136) 4 msec 0 msec 4 msec

  4 fed1sysc01-gex0905.sd.sd.cox.net (68.6.8.60) 4 msec 0 msec 4 msec

  5 sanjbprj01-ae0.0.rd.sj.cox.net (68.1.5.184) 20 msec 24 msec 24 msec

  6 paltbprj02-ae1-308.rd.pt.cox.net (68.105.31.37) 20 msec 24 msec 24 msec

  7 216.239.49.168 16 msec 16 msec

    216.239.49.170 24 msec

  8 209.85.246.253 [MPLS: Label 24328 Exp 4] 16 msec

    209.85.246.20 [MPLS: Label 625856 Exp 4] 16 msec

    209.85.246.10 [MPLS: Label 634768 Exp 4] 40 msec

  9 64.233.174.206 [MPLS: Label 304242 Exp 4] 40 msec 16 msec 16 msec

 10 209.85.248.124 16 msec 16 msec 16 msec

 11 209.85.240.107 16 msec 16 msec 12 msec

 12 google.com (216.58.219.14) 12 msec 16 msec 16 msec

So I know I'm connecting.  But the computer can ping the router g0/0 and g0/1 just not the 192.168.42.1 which is the cisco wireless.

The computer is 192.168.41.5/24 with a gateway to 192.168.41.1

What am I missing here??

The solutions to this I'm finding, do not work.

Can you -

1) remove this line from your NAT acl -

access-list 1 permit 192.168.42.0 0.0.0.255

2) do a "clear ip nat translations *" on the router

3) ping an internet IP and then post "sh ip nat translations" from your router.

Jon

This is the current config:

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 192.168.42.1

!         

access-list 1 permit 192.168.41.0 0.0.0.255

I then cleared the nat translation from the router, and I started pinging from both the computer and router different internal ip addresses, including 192.168.41.1 and the 42.1 and google, and "show ip nat translation" does not give any output

Can you post your entire router configuration.

Jon

The entire config is below:

Building configuration...

Current configuration : 1978 bytes

!

! Last configuration change at 16:03:55 UTC Tue Oct 6 2015

! NVRAM config last updated at 16:04:32 UTC Tue Oct 6 2015

! NVRAM config last updated at 16:04:32 UTC Tue Oct 6 2015

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname xx

!

boot-start-marker

boot-end-marker

!

!

enable secret 5 xx

!

no aaa new-model

memory-size iomem 25

!

no ipv6 cef

no ip routing

!         

!

!         

!

!         

ip name-server 68.105.28.16

ip name-server 68.105.29.16

no ip cef

multilink bundle-name authenticated

!

!         

crypto pki token default removal timeout 0

crypto pki token default removal timeout 0

!         

!

license udi pid CISCO2911/K9 sn FTX1648AKVJ

license accept end user agreement

license boot module c2900 technology-package datak9

!

!         

!

redundancy

!

!         

!

!         

!

!         

interface Embedded-Service-Engine0/0

 no ip address

 no ip route-cache

 shutdown 

!

interface GigabitEthernet0/0

 ip address 192.168.42.5 255.255.255.0

 ip nat outside

 ip virtual-reassembly in

 no ip route-cache

 duplex auto

 speed auto

!

interface GigabitEthernet0/1

 ip address 192.168.41.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

 no ip route-cache

 duplex auto

 speed auto

!

interface GigabitEthernet0/2

 no ip address

 ip virtual-reassembly in

 no ip route-cache

 shutdown 

 duplex auto

 speed auto

!

!         

ip default-gateway 192.168.42.1

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!         

no ip nat service sip udp port 5060

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 192.168.42.1

!         

access-list 1 permit 192.168.41.0 0.0.0.255

!         

!

!         

!

!         

!

control-plane

!

!         

!

line con 0

 password xx

 login    

line aux 0

 password xx

 login

line 2    

 no activation-character

 no exec  

 transport preferred none

 transport input all

 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh

 stopbits 1

line vty 0 4

 password xx

 login

 transport input all

!

scheduler allocate 20000 1000

end

So you would only want to disable routing for DHCP?  It's working by the way.  Holy lord.  Thank you.  THANK YOU.

You probably wouldn't want to disable routing even if you were using DHCP.

For some reason some of the newer IOSs seem to disable it or that is my experience on these forums.

It's quite rare that you would ever want to manually disable it on a router.

Glad to hear it's working.

Jon

I'm glad too!  I think I can switch this thing out tonight now and I can say I had a rough crash course into cisco configuration.  I can say it was a punch in the face but it is also fascinating.  While I was configuring this thing, I was wondering to myself, how do I programmatically make cisco changes?  If you had a large ISP center and you had these beasts on chassis, it seems ridiculous to configure and make widespread changes just by hunkering around like I did, making individual calls and logging in every time.  Is Python the language of choice for network engineers for making widespread changes or automating network configuration?