Ok, that makes sense but exactly how? With my setup here in packet tracer I'm trying to simulate a small network and would like to ping the last router (simulating internet) from the laptop. Since packet tracer doesnt have firewalls I'm using the first router as the "firewall" in my LAN, there are no acl or anything on it, just the outside interface with the ip address of the ISP router and an ip route 0.0.0.0.0.0.0.0 x.x.x.x (x.x.x.x. = ISP router).

                                                                                              firewall                internet

Can you post the config of the 1941 Router/Firewall?

Can you ping the outside interface (i.e the one facing the ISP Router) of the first router from the laptop?

As you mentioned, you do need a default route on the first router which points to the ISP router as its next hop but it sounds like you have already done this.

On the first router, do a #Show IP route x.x.x.x and see what it shows?

Make the x.x.x.x address the IP address of the ISP router, i.e the one that you are trying to ping from the laptop.

yes I can ping the outside interface of the first router (1941 router/firewall) from the laptop.

show run of the router/firewall:

Current configuration : 674 bytes

!

version 15.1

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Router\Firewall

!

!

!

!

!

!

!

!

!

!

!

!

license udi pid CISCO1941/K9 sn FTX1524OOZK

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

interface GigabitEthernet0/0

description nameif inside

ip address 10.35.23.100 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/1

description nameif outside

ip address 40.50.10.2 255.255.255.240

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

ip classless

ip route 0.0.0.0 0.0.0.0 40.50.10.1

!

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end

Show ip route:

Router\Firewall#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 40.50.10.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.35.23.0/24 is directly connected, GigabitEthernet0/0
L       10.35.23.100/32 is directly connected, GigabitEthernet0/0
     40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       40.50.10.0/28 is directly connected, GigabitEthernet0/1
L       40.50.10.2/32 is directly connected, GigabitEthernet0/1
S*   0.0.0.0/0 [1/0] via 40.50.10.1
Router\Firewall#

Does your ISP router know about the LAN subnets?

When you ping the interface on the ISP router, the source ip address is the LAN address of your laptop. As there is no NAT happening, this source address is carried through to the ISP router. I suspect the ISP router is receiving the ICMP packets but then does a lookup in its routing table so it can generate an Echo Reply but it finds no matching route for the LAN subnet.

Normally when you ping an Internet address, your router which connects to the ISP translates the packet using NAT and changes the source IP address to its own external

Address which so routable on the Internet.

As you are not using NAT, the source address will not

Change so your ISP router In your lab needs to have a static (or dynamic) route back.

Hope this makes sense!

it does make sense but I dont know how to do it, can you show me please?

Hi,

ip route 10.35.23.0 255.255.255.0 40.50.10.2  on the ISP router

Regards

Alain

Don't forget to rate helpful posts.

That worked, thanks. So that was not a nat, correct?