Hi Paul 

Yes, SP router Lan, FS and cisco router are in the same subnet. I'm not sure if the SP is on bridge mode 

Thanks 

Hello

may I suggest if applicable to attach a small 4-8 port unmanaged switch and relocate  all 3 devices for that  shared subnet  -Point the FS DG as th Cisco 1841 fa0/0 interface and test again

res

paul

Hi Paul

I dont think I mentioned this but as part of my troubleshooting I added a Cisco 2960 switch between the SP and FS and Cisco 1841 router

the topology is now as follows:

SP Router <==> Cisco 2960 switch ( on factory config ) port g0/1<==> Cisco 1840

SP Router <==> Cisco 2960 switch ( on factory config ) port g0/2<==> FS

I still think the issue is related to the NAT config.. when I removed it the 3 hosts A,B, and C can reach each other but host A and B can not go on the internet

Thanks

ik

Hello
Sounds good,
It maybe you could utilize Domain-less NAT instead but before to that can you please clarify the existing config for the
FS and the cisco 1841 regards the NAT and default routing,

res
Paul

Hi Paul 

the FS is win with static IP address 

192.168.2.222, 255.255.255.0, 192.168.2.1 (sp ip )

nat confit on the Cisco re very basic:

f0/0 

IP address 192.168.2.220

ip nat outside

!

f0/1

ip address 192.168.3.220

ip nat inside

!

Ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 permit ip 192.168.3.0 0.0.0.255 any

access-list 100 permit ip 192.168.1.0 0.0.0.255 any
! 

Ip nat inside source list 100 interface f0/0 overload 

!

Thanks 

Hello
I was on the understanding you couldn't reach host C from internal lans - however this isn't the case and I just noticed-

host A and B can ping C but C can only  ping F0/0 of cisco router.

The reason for this is you are using PAT so its port based translation, so try to apply  static nat for the two hosts internally then it should work.


access-list 100 deny  192.168.1.x
access-list 100 deny  192.168.3.x
access-list 100 permit 192.168.3.0 0.0.0.255
access-list 100 permit 192.168.1.0 0.0.0.255
ip nat inside source static 192.168.1.x 192.168.2.x
ip nat inside source static 192.168.3.x 192.168.2.x

Host C
ping 192.168.2.x


If you dont want to do the above then you apply a  static for Host C and point its default-gateway the cisco 1841

access-list 100 deny host 192.168.3.222
access-list 100 permit 192.168.3.0 0.0.0.255
access-list 100 permit 192.168.1.0 0.0.0.255
ip nat outside source static 192.168.2.222 192.168.3.222 add-route


Host C
default-gateway 192.168.2.220
ping 192.168.3.x
ping 192.168.1.x

res
Paul

Hi Paul,

I managed to get some progress on the issue.. here is the latest:

• Host A and B can access the internet
• Host A and B can ping any IP in subnets:192.168.1.0, 192.168.2.0 and 192.168.3.0
• Host C can ping any IP in subnet 192.168.2.0
• Host C can access the internet
• Host C CANNOT ping/access any IP in subnets: 192.168.1.0 and 192.168.3.0, even though subnet 1 and 3 can ping/access host C

see network diagram for more details

Thanks

ik

Hello

Remove the static route from FS just let it use its DG

add the static nat as suggested and then test again 

FYI- the fs server is in theory on the outside of your network so it cannot ping your internal Subnets without translation - hence the suggestion of adding the static nat statements

res

paul

Hi Paul

Im cnfused from the nat config you suggested:

access-list 100 deny host 192.168.3.222

I dont have a host with ip address 192.168.3.222

can you please elaborate on what exactly i need to change on the 1841 router: 

Here is the current config:

interface FastEthernet0/0
description ++++TO BELL RT-WAN++++
ip address 192.168.2.220 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description ++++LAN++++
ip address 192.168.3.220 255.255.255.0
ip nat inside
duplex auto
speed auto

!
router rip
version 2
network 192.168.2.0
network 192.168.3.0

!
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any

!

Thanks

ik

Hello

Any static host translation( inside/outside)  doesn't require an acl for which NAT refers to.
So you can negate these hosts from the ACL.

Note:
Using a deny statement in a NAT acl without any static translation, negates such host being translated at all

Please test one or both of the examples provided and let us know the results!

res
Paul

Hi Paul

can you please provide the commands config i need to add/modify in my 1841 router based on the config i posted earlier

Thank you

ik

Hello

i have already provided those - Please review them and select either one to use 

res

paul

Hi Paul

I tried both options none fully worked however, using the 2 option I'm now able to: 1) ping 192.168.3.0/24 subset from 192.168.2.0 subnet and vise-versa

2)but I still can not ping 192.168.1.0/24 from 192.168.2.0

here is the config i m using in option 2:

ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat outside source static 192.168.2.222 192.168.3.222 add-route
!
access-list 100 deny ip host 192.168.3.222 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

any thoughts on what am I doing wrong?

Thanks

ik

Hello
For option 2 - Did you remove the static from the FS and change its DG to point to the 1841?

res
Paul