11-04-2011 08:51 AM - edited 03-07-2019 03:13 AM
All,
I have a small internal network setup. The goal we are trying to accomplish is to have one side of the 1721 router give out DHCP addresses and allow users with static IPs on the other interface to ssh into the DHCP clients. We do not want the static side to pick up DHCP from the router.
The problem I am running into so far is that when I add static routes for static IP users to get to the DHCP clients, I get a duplicate IP error. Current config below, without the static routes that were giving me problems.
sh start
Using 1473 out of 29688 bytes
!
! Last configuration change at 10:01:28 Chicago Tue Nov 1 2011
! NVRAM config last updated at 10:34:54 Chicago Tue Nov 1 2011
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 xxxxxxxxx
enable password xxxxxxxx
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 10.1.3.0 10.1.3.29
ip dhcp excluded-address 10.1.3.60 10.1.3.255
!
ip dhcp pool tvmbox
network 10.1.3.0 255.255.255.0
default-router 10.1.3.1
!
ip cef
ip audit po max-events 100
ip dhcp-server 10.1.3.1
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
ip address 10.1.1.190 255.255.255.0
ip nat outside
full-duplex
!
interface FastEthernet0
ip address 10.1.3.1 255.255.255.0
ip nat inside
speed auto
full-duplex
!
interface Serial0
no ip address
shutdown
!
ip default-gateway 10.1.1.2
ip nat pool tvm 10.1.1.190 10.1.1.190 netmask 255.255.255.0
ip nat inside source list 1 pool tvm overload
ip classless
ip http server
ip http secure-server
!
!
access-list 1 permit 10.1.3.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxx
login
!
end
Router#
Al
11-04-2011 09:01 AM
Hi,
First, you have no default route here, just an ip default-gateway, which won't work as it is only considered when not doing any routing, which is not your case.
Second, users from which subnet do you want to ssh into the 10.1.3.0/24 network? If these users are in a subnet directly attached to the router then there is no need for any static route.
Furthermore you didn't post the output of the failing command.
Regards.
Alain.
11-04-2011 10:05 AM
Alain,
I have removed the default-gateway, this was left over from various configs we tried.
I am trying to get users from a 10.1.1.x/16 to ssh into the DHCP clients (10.1.3.x). The 10.1.1.x clients are coming in through the Ethernet0 int, and the FastEthernet0 int gives out DHCP only to that side.
When I add:
ip nat inside source static 10.1.1.35 10.1.3.30
I get:
%IP-4-DUPADDR Duplicate address 10.1.3.30 on FastEthernet0
The part I am not understanding is how I accomplish routing 10.1.1.35 to any 10.1.3.x client without getting the duplicate address message.
Al
11-04-2011 12:21 PM
Hi,
This is not routing you are doing but static NAT, and you inverted the inside and outside addresses in the statement and gave an inside address from the router.
To statically map a whole subnet you can do this:
ip nat inside source static network 10.1.1.0 10.1.3.0/24
But you'll have to either use a software firewall on the host to only accept ssh, or configure an ACL inbound on the outside interface permitting only ssh from the outside to the inside.
Regards.
Alain.
11-04-2011 02:59 PM
Alain,
Thanks for the replies thus far. The changes you suggested have helped get some better ping results, but we are still lost on getting ssh to work.
Just to be clear, we are ok with more than just ssh getting through. The thing we want to prevent is the 10.1.3.1 int with DHCP from giving out addresses on the 10.1.1.x side, which we have configured at this point. But when we try to ssh from 10.1.1.35 to 10.1.3.30, for example, we get no ssh connection. I guess what we need at this point is how to allow ssh from 10.1.1.35 to 10.1.3.30.
Ultimately what we want to do is be able to ssh from any 10.1.1.x to the range of DHCP clients 10.1.3.30-10.1.3.59.
Also, with the config I am pasting below we get no more complaints from the router about duplicate IPs, but the computer itself is complaining about duplicate addresses.
(The access-list entries are not in use but something we were trying out; it did not work, btw.)
sh run
Building configuration...
Current configuration : 1393 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 xxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxx
!
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 10.1.3.0 10.1.3.29
ip dhcp excluded-address 10.1.3.60 10.1.3.255
!
ip dhcp pool tvmbox
network 10.1.3.0 255.255.255.0
default-router 10.1.3.1
!
ip cef
ip audit po max-events 100
ip dhcp-server 10.1.3.1
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
ip address 10.1.1.190 255.255.255.0
ip nat inside
full-duplex
!
interface FastEthernet0
ip address 10.1.3.1 255.255.255.0
ip nat outside
speed auto
full-duplex
!
interface Serial0
no ip address
shutdown
!
ip nat inside source static network 10.1.1.0 10.1.3.0 /24
ip classless
ip http server
ip http secure-server
!
!
access-list 1 permit 10.1.3.0 0.0.0.255
access-list 100 permit tcp 10.1.1.0 0.0.0.255 eq 22 10.1.3.0 0.0.0.255 eq 22
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxx
login
!
end
Router#
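To make the duplicate-address failures of the two NAT attempts above reproducible offline, here is an added Python check that is not from this thread or from Cisco. It parses the subset of IOS syntax used in the posted configs (interface addresses and NAT roles, the DHCP pool and excluded ranges, static NAT entries) and encodes two assumptions about what the router does: it answers ARP for every inside-global address of a static NAT entry, so such an address must not also be leasable by the DHCP pool or be an interface's own address; and an inside-local address must not sit on the subnet of the interface marked ip nat outside. The three config variants are constructed from the thread; the finding names and the audit function are mine.

```python
"""Check IOS static NAT entries against DHCP pools and NAT interface roles.

Added example, not code from this thread or from Cisco.  Two assumptions
about router behaviour are encoded: the router answers ARP for every
inside-global address of a static NAT entry, so that address must not also
be DHCP-leasable or be an interface's own address (else %IP-4-DUPADDR), and
an inside-local address must not sit on the subnet of the interface marked
"ip nat outside".  Only the IOS syntax used in this thread is parsed.
"""
import ipaddress
import re

# Constructed sample: the configs posted in this thread, cut down to the
# lines that matter; interface roles and the NAT line are parameters so
# the three variants the thread went through can all be audited.
TEMPLATE = """\
ip dhcp excluded-address 10.1.3.0 10.1.3.29
ip dhcp excluded-address 10.1.3.60 10.1.3.255
ip dhcp pool tvmbox
 network 10.1.3.0 255.255.255.0
 default-router 10.1.3.1
interface Ethernet0
 ip address 10.1.1.190 255.255.255.0
 ip nat {e0}
interface FastEthernet0
 ip address 10.1.3.1 255.255.255.0
 ip nat {f0}
{nat}
"""
INVERTED_NAT = TEMPLATE.format(e0="outside", f0="inside",
                               nat="ip nat inside source static 10.1.1.35 10.1.3.30")
SUBNET_NAT = TEMPLATE.format(e0="inside", f0="outside",
                             nat="ip nat inside source static network 10.1.1.0 10.1.3.0 /24")
NO_NAT = TEMPLATE.format(e0="inside", f0="outside", nat="")  # the final, working config


def parse_config(text):
    """Collect interfaces, DHCP pools, excluded ranges and static NAT entries."""
    cfg = {"ifaces": {}, "pools": [], "excluded": [], "nat_static": []}
    cur = None  # interface or pool block whose sub-commands are being read
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith(" "):  # indented: sub-command of the current block
            if cur is None:
                continue
            if m := re.match(r"(?:ip address|network) (\S+) (\S+)$", line):
                cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif m := re.match(r"ip nat (inside|outside)$", line):
                cur["nat"] = m[1]
            continue
        cur = None
        if m := re.match(r"interface (\S+)$", line):
            cur = cfg["ifaces"].setdefault(m[1], {"net": None, "nat": None})
        elif m := re.match(r"ip dhcp pool (\S+)$", line):
            cur = {"name": m[1], "net": None}
            cfg["pools"].append(cur)
        elif m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line):
            cfg["excluded"].append((ipaddress.ip_address(m[1]),
                                    ipaddress.ip_address(m[2] or m[1])))
        elif m := re.match(r"ip nat inside source static network (\S+) (\S+) ?/(\d+)$", line):
            cfg["nat_static"].append((ipaddress.ip_network(f"{m[1]}/{m[3]}"),
                                      ipaddress.ip_network(f"{m[2]}/{m[3]}")))
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", line):
            cfg["nat_static"].append((ipaddress.ip_network(m[1]),
                                      ipaddress.ip_network(m[2])))
    return cfg


def dhcp_leasable(cfg):
    """Addresses the pools can hand out: usable host addresses minus exclusions."""
    leases = set()
    for pool in cfg["pools"]:
        if pool["net"] is None:
            continue
        for addr in pool["net"].network.hosts():
            if not any(lo <= addr <= hi for lo, hi in cfg["excluded"]):
                leases.add(addr)
    return leases


def audit(text):
    """Return (kind, detail) findings for every static NAT entry in text."""
    cfg = parse_config(text)
    leases = dhcp_leasable(cfg)
    findings = []
    for local, glob in cfg["nat_static"]:
        for name, iface in cfg["ifaces"].items():
            if iface["net"] is None:
                continue
            if iface["nat"] == "outside" and local.subnet_of(iface["net"].network):
                findings.append(("inverted",
                                 f"inside-local {local} is on NAT outside interface {name}"))
            if iface["net"].ip in glob:
                findings.append(("iface-clash",
                                 f"inside-global {glob} covers {name}'s own address {iface['net'].ip}"))
        clash = sorted(a for a in glob if a in leases)  # router would claim these via ARP
        if clash:
            findings.append(("dupaddr",
                             f"{len(clash)} inside-global address(es) {clash[0]}..{clash[-1]} "
                             f"are DHCP-leasable; expect %IP-4-DUPADDR"))
    return findings


if __name__ == "__main__":
    for label, text in (("single entry", INVERTED_NAT), ("whole subnet", SUBNET_NAT),
                        ("no NAT", NO_NAT)):
        print(label, "->", audit(text) or "clean")
```

Run as-is, the single-entry variant reports both the inverted inside/outside roles and one leasable address claimed by NAT (the 10.1.3.30 that FastEthernet0 logged as duplicate), the whole-subnet mapping reports the interface's own 10.1.3.1 plus all 30 lease addresses (the clients then complain instead of the router), and the NAT-free config is clean, which is where the thread ends up.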
11-04-2011 11:08 AM
Oh, and both of these networks are directly connected to the router.
10.1.1.x through the Ethernet0 int and 10.1.3.x through the FastEthernet0 int.
11-04-2011 06:23 PM
Hi,
If you just remove the nat config isn't it working?
Best regards,
Alex
11-07-2011 08:28 AM
Alex,
Ping still works without NAT, yes. I am still struggling to get ssh to work from a PC on the 10.1.1.x side to a DHCP client on the 10.1.3.x side. You can see some access-lists I have tried with no success. It has been a long time since I had to work with Cisco IOS, so I am not sure what it is I am missing at this point.
I have tried adding an ip route (gateway of last resort) and that did not help or again maybe I am using the wrong info.
Here is the config, what else do I need to accomplish this? Appreciate the replies thus far from you guys.
sh run
Building configuration...
Current configuration : 1349 bytes
!
! Last configuration change at 16:57:33 Chicago Sat Nov 5 2011
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxx
!
username xxxxxxx password 0 xxxxxxxx
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 10.1.3.0 10.1.3.29
ip dhcp excluded-address 10.1.3.60 10.1.3.255
!
ip dhcp pool tvmbox
network 10.1.3.0 255.255.255.0
default-router 10.1.3.1
!
ip cef
ip audit po max-events 100
ip dhcp-server 10.1.3.1
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
ip address 10.1.1.190 255.255.255.0
full-duplex
!
interface FastEthernet0
ip address 10.1.3.1 255.255.255.0
speed auto
full-duplex
!
interface Serial0
no ip address
shutdown
!
ip classless
no ip http server
ip http secure-server
!
!
access-list 1 permit 10.1.3.0 0.0.0.255
access-list 100 permit tcp 10.1.1.0 0.0.0.255 eq 22 10.1.3.0 0.0.0.255 eq 22
access-list 101 permit tcp any eq 22 any eq 22
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxx
login
!
end
Router#
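Access lists 100 and 101 in the config above would not have passed an SSH session even if they had been applied, because both require the client's source port to be 22, and an SSH client connects from an ephemeral port. The following added Python evaluator, not from this thread or from Cisco, implements the extended-ACL matching semantics for the syntax used here (address/wildcard, any, host, eq PORT on either side, and the implicit deny that ends every IOS list) and tests the two posted lists plus a corrected one that I have numbered 102 against a constructed SSH SYN.

```python
"""Evaluate IOS numbered extended ACLs against sample packets.

Added example, not code from this thread or from Cisco.  It implements the
subset of 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' syntax
used above ('any', 'host A', 'A WILDCARD') plus the implicit deny at the
end of every IOS ACL, so the posted lists can be tested offline.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80}  # small subset of IOS port keywords
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def take_endpoint(toks):
    """Consume one address term and an optional 'eq PORT'; return (net, port, rest)."""
    if toks[0] == "any":
        net, toks = ANY, toks[1:]
    elif toks[0] == "host":
        net, toks = ipaddress.ip_network(toks[1]), toks[2:]
    else:  # 'address wildcard': ipaddress accepts a hostmask (wildcard) directly
        net, toks = ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]
    port = None
    if toks and toks[0] == "eq":
        port, toks = PORT_NAMES.get(toks[1]) or int(toks[1]), toks[2:]
    return net, port, toks


def parse_acls(lines):
    """Group extended 'access-list' lines by number into ordered rule lists."""
    acls = {}
    for line in lines:
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list" or not 100 <= int(toks[1]) <= 199:
            continue  # standard lists (1-99) carry no port terms and are skipped
        num, action, proto = toks[1], toks[2], toks[3]
        src, sport, rest = take_endpoint(toks[4:])
        dst, dport, _ = take_endpoint(rest)
        acls.setdefault(num, []).append((action, proto, src, sport, dst, dport))
    return acls


def evaluate(rules, pkt):
    """First matching rule wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, sport, dst, dport in rules:
        if proto not in (pkt.proto, "ip"):
            continue
        if s not in src or d not in dst:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


# ACLs 100 and 101 exactly as posted in the config above, plus a constructed
# 102 that matches only the destination port: the client's source port is
# ephemeral, never 22, so 100 and 101 can never match a real SSH SYN.
ACL_LINES = [
    "access-list 100 permit tcp 10.1.1.0 0.0.0.255 eq 22 10.1.3.0 0.0.0.255 eq 22",
    "access-list 101 permit tcp any eq 22 any eq 22",
    "access-list 102 permit tcp 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255 eq 22",
]
ACLS = parse_acls(ACL_LINES)

# Constructed packets: the SYN of an SSH session from the static side to a
# DHCP client, and an HTTP attempt that the corrected list should still drop.
SSH_SYN = Packet("10.1.1.35", 51234, "10.1.3.30", 22)
HTTP_SYN = Packet("10.1.1.35", 51235, "10.1.3.30", 80)


def verdicts():
    """Verdict of each list on the SSH SYN, plus 102's verdict on the HTTP SYN."""
    out = {num: evaluate(rules, SSH_SYN) for num, rules in ACLS.items()}
    out["102-http"] = evaluate(ACLS["102"], HTTP_SYN)
    return out


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"ACL {name}: {verdict}")
```

If a list like 102 is wanted to restrict the static side to SSH only, apply it inbound on Ethernet0 with ip access-group 102 in. IOS ACLs are stateless: the list above only describes the client-to-server direction, so the return traffic, which enters on FastEthernet0, passes only because no list is applied there; a list applied on that interface too would need a matching rule with eq 22 as the source port.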
11-07-2011 08:42 AM
Hi,
You don't need any ACL to permit traffic, as by default there is no ACL configured nor applied, so everything is permitted.
As your devices are in 2 different subnets, all they need is a default gateway configured as the router interface IP address that is in their subnet.
As on the router these 2 subnets are directly connected interfaces, forwarding will be done without any problem.
Can you ssh into the device from the router and run debug ip packet detail:
conf t
no service timestamps debug
logging buffered 100000
logging buffered debugging
access-list 150 permit tcp any any eq 22
access-list 150 permit tcp any eq 22 any
end
debug ip packet detail 150
And post results
Alain
11-07-2011 10:40 AM
Hi,
In addition to what Alain suggests, please try to ssh from a PC in the same subnet as your ssh DHCP client and tell us if everything is ok.
Best regards,
Alex
11-08-2011 07:25 AM
Guys,
Turns out the NAT stuff was not needed, as was mentioned. Also, ssh connectivity is working... once I had a proper ssh server running on the side I was trying to connect to. Like I said, it's been a while and it was slow coming back to me.
Thanks for the replies and pointing me in the right direction, it is appreciated.
I marked the most recent Alain post as correct since just a pretty basic config was needed for our setup.
Al