192.168.20.1 and 10.10.10.1 do not have any information about each other (they are not this router).  I can not add routes to either and have no control over them.  PC1 can't see 192.168.20.1.  It can ping 192.168.20.120 (because it's gateway router as you mentioned), but can NOT get through the 1841 to the other subnet.  PC2 sees everything on both subnets.

How have you got PC2 working if you cannot add routes to the other routers ?

You are not translating PC2s IP when it goes to the 10.10.10.1 router so that router must have a route back to 192.168.20.x but you said those routers can't have any knowledge of the internal subnets.

What is EIGRP for ?

And what are the two static routes for the local subnets meant to be doing ie. the 1841 has a locally connected interface in each of those subnets so those routes are not being used.

Jon

PC2 started talking to PC1s subnet when I put the EIGRP in.  I put the static routes in to force specific traffic certain directions, and it appears to be working, as it was not routing them correctly until I made those entries.  From PC2 if I tracert to anything on the PC1 subnet it goes out to the 10.10.10.1 router I have no control over and reaches the destination.  Likewise, if I tracert anything on the internet it goes out through the 192.168.20.1 router I have no control over.  So it works as intended. 

It might be possible that the there is a secondary connection in the 10.10.10.1 router for 192.168.20.x that I am not aware of, but from the 10.10.10.x network you cannot ping the 192.168.20.1 router at all, so that router is not routing traffic to it either.

Basically I want to offload internet traffic through 192.168.20.2 for both networks by way of the 1841, but I want everything that is 10.10.0.0 to go out over the 10.10.10.1 router.  I also need to pick and choose certain subnets to send toward 10.10.10.1 as needed.  If I need to do it differently I can certainly do that, but I have no control over the .1 routers and they should not be made aware of any connections I make.

The 10.10.10.1 router must know about the 192.168.20.x subnet or it wouldn't work.

Basically there are a number of possible solutions and it depends on how much you can change.

Firstly I'm sure you know but for PC2 the traffic via it's local internet is asymmetric ie. to the internet it routes via the 1841 but return traffic is sent direct because the 192.168.20.1 router is in the same IP subnet.

I mention this because the actual solution I would use involves quite a bit of reconfiguration and it depends on whether you can readdress the PCs subnets. Note the IP subnets you are using would still be needed for the 1841 to router connections as you cannot change anything on the other routers.

So basically you need to use NAT and there are a number of possible solutions -

1) if PC2 is working then you only need to translate PC1s IP to 192.168.20.120 on the 1841 so you could make that interface "ip nat outside" and leave the 10.10.10.120 interface as "ip nat inside".

This may work but as we don't really know why PC2 is working currently it may break things.

You may be able to use "ip nat enable" and not allocated "ip nat inside" or "ip nat outside" to any interfaces and NAT both PCs if they have to go the non local router.

I honestly don't know whether this would work as I have not used that type of NAT and it may not.

If anyone else reading this wants to comment please do.

2) my preferred option if you can readdress the PC subnets is to use subinterfaces on each of the main 1841 interfaces.

So each 1841 to switch link is a trunk and you need two vlans on the switch. The first vlan is used for the PCs and is a new vlan and IP subnet.

The second vlan is used for the connection between the 1841 and the router and it uses the existing IP subnet so you don't need to readdress on the routers.

You can then use "ip nat inside" on the PC subinterface and "ip nat outside" on the 1841 to router subinterface and so NAT the PCs wherever they are going to.

This would also remove the asymmetric traffic I mentioned earlier.

However that is a lot of reconfiguration so if PC2 is working you may want to just try setting up NAT for PC1.

Jon

Well...head scratcher.  I tried changing the ip nat inside/outside like you mentioned.  No change.  Tried taking them out completely.  No change.  Took the EIGRP out for the heck of it.  No change.  So now I am thinking the static routes I put in are the only thing making PC2 work.  Unless I have some residual dynamic routes hanging in there somewhere.  My brain hurts, and my white board has so many lines on it that I'm getting hungry for spaghetti.  Too much thinking for a Friday.

Actually I think going back to a basic configuration is a good idea so we can work out exactly what is needed.

I believe the 3 static routes I mentioned in my last post are needed.

I don't think you need EIGRP and that fact you removed it and it still works suggests you don't.

With the configuration you originally posted the "ip nat inside" statements weren't doing anything because there was no matching "ip nat outside" on any interface.

The remaining question though is how is PC2 working ?

The static route for the 10.10.0.0 255.255.0.0 network routes PC2s traffic to the 10.10.10.1 router but how does that router know about the 192.168.20.x subnet.

There is obviously something else going on and if you could work out how that is working it would help with any solution because otherwise anything you do could just break something else.

Happy to help with anything I can.

Jon

I did try your options for #1.  There is no command "ip nat enable".  Enable is not an option.  As for #2 I am unable to do anything with the PC subnets. 

In digging some more, I found that the 192.168.20.x network is connected to the 10.10.10.1 router on an extra interface.  The odd part is I cannot ping from the 10.10.10.x network to the 192.168.20.1 router even with the 10.10.10.1 as the gateway, so if it is connected then why not?  Must be something in that router stopping it.  But if that is the case then why is it getting in the way of the rest of this?  I wish I understood this better.

Okay if PC2 can ping 10.10.10.1 and beyond then what exactly happened when you tried the first option of enabling "ip nat outside" on the 192.168.20.120 interface ?

You realise you need additional configuration for the NAT to work ie. you need to define an acl and add a NAT statement as well as adding "ip nat outside" to the 192.168.20.120 interface ?

Jon

Nothing happened.  I don't know what else I need to put in there, so that is probably why.  Could you help me with the commands?  I am not very Cisco savvy (obviously).  Know just enough to be dangerous, but that's how we all start off right.  :-)

Okay, this should not break PC2's connectivity.

Just as a test we will do PC1 connectivity ie. you need to add the following to your 1841 -

int fa0/0
ip nat outside

int fa0/1
ip nat inside

access-list 101 deny ip host <PC1 IP> host <PC2 IP>
access-list 101 permit ip host <PC1 IP> any

ip nat inside source list 101 interface fa0/0 overload

let me know how you get on.

Jon

that works...PC1 works.  How do I get everything on PC1s subnet to work?

Thank you so much for your help.  I have been beating my head on the whiteboard for a long time trying to figure this out.  Thanks!  have a great weekend.