cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4866
Views
0
Helpful
10
Replies

NAT and DHCP, duplicate IP issue

kuesteral
Level 1
Level 1

All,

I have a small internal network setup. The goal we are trying to accomplish is have one side of the 1721 router give out DHCP addresses and allow users with static IP's from the other interface to ssh into the DHCP clients. We do not want the static side to pickup DHCP from the router.

The problem I am running into so far is when I add static routes for static IP users to get to the DHCP clients I get a duplicate IP error. Current config below, without the static routes that were giving me problems.

sh start
Using 1473 out of 29688 bytes
!
! Last configuration change at 10:01:28 Chicago Tue Nov 1 2011
! NVRAM config last updated at 10:34:54 Chicago Tue Nov 1 2011
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 xxxxxxxxx

enable password xxxxxxxx
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 10.1.3.0 10.1.3.29
ip dhcp excluded-address 10.1.3.60 10.1.3.255
!
ip dhcp pool tvmbox
   network 10.1.3.0 255.255.255.0
   default-router 10.1.3.1
!
ip cef
ip audit po max-events 100
ip dhcp-server 10.1.3.1
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
ip address 10.1.1.190 255.255.255.0
ip nat outside
full-duplex
!
interface FastEthernet0
ip address 10.1.3.1 255.255.255.0
ip nat inside
speed auto
full-duplex
!
interface Serial0
no ip address
shutdown
!
ip default-gateway 10.1.1.2
ip nat pool tvm 10.1.1.190 10.1.1.190 netmask 255.255.255.0
ip nat inside source list 1 pool tvm overload
ip classless
ip http server
ip http secure-server
!
!
access-list 1 permit 10.1.3.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxx
login
!
end

Router#

Al

1 Accepted Solution

Accepted Solutions

Hi,

you don't need any ACL to permit traffic as by default there is no ACL configured nor aaplied so everything is permitted.

As you devices are in 2 different subnets all they need is a default gateway configured as the router interface ip address that is in their subnet.

As on the router these 2 subnets are directly connected interfaces, forwarding will be done without any problem.

Can you ssh into the device from the router and debug ip pack detail where ACL is access-list permitting ssh traffic:

logging buffered 100000

logging buffered debugging

debug ip packet detail 150

conf t

no service timestamp debug

access-list 150 permit tcp any any eq ssh

access-list 150 permit any eq ssh any

And post results

Alain

Don't forget to rate helpful posts.

View solution in original post

10 Replies 10

cadet alain
VIP Alumni
VIP Alumni

Hi,

first you have no default route here but just an ip default gateway which won't work as it is only considered when not doing any routing which is not your case.

Second, you want users from which subnet to ssh  into the 10.1.3.0 /24 network ?if these users are in a subnet directly attached to the router then no need for any static route.

Furthermore you didn't post the output of the failing command.

Regards.

Alain.

Don't forget to rate helpful posts.

Alain,

I have removed the default-gateway, this was left over from various configs we tried.

I am trying to get users from a 10.1.1.x/16 to ssh into the DHCP clients (10.1.3.x). The 10.1.1.x clients are coming in through the Ethernet0 int and FastEthernet0 int gives out the DHCP only to that side.

When I add:

ip nat inside source static 10.1.1.35 10.1.3.30

I get:

%IP-4-DUPADDR Duplicate address 10.1.3.30 on FastEthernet0

The part I am not understanding is how I accomplish routing 10.1.1.35 to any 10.1.3.x client without getting the duplicate address message.

Al

Hi,

this is not routing you are doing but static NAT but you inversed the inside and outside address in the statement and gave an inside address from the router.

To statically map a whole subnet you can do this:

ip nat inside source static   network 10.1.1.0 10.1.3.0/24

But you'll have to either use a software firewall on the host to only accept ssh or configure an ACL inbound on the outside interface permitting only ssh from the outise to the inside.

Regards.

Alain.

Don't forget to rate helpful posts.

Alain,

Thanks for the replies thus far. The changes you suggested have helped get some better ping results but we still are lost on getting ssh to work.

Just to be clear, we are ok with more than just ssh getting through. The thing we want to prevent is the 10.1.3.1 int with/DHCP from giving out addresses on the 10.1.1.x side, which we have configured at this point. But when we try to ssh from 10.1.1.35 to 10.1.3.30, for example, we get no ssh connection. I guess what we need at this point is how to allow ssh from 10.1.1.35 to 10.1.3.30.

Ultimately what we want to do is be able to ssh from any 10.1.1.x to the range of DHCP clients 10.1.3.30-10.1.3.59.

Also, with the config I am pasting below we get no more complaints from the router about duplicate IP's but the compter itself is complaining about duplicate addresses.

(The access-list entries are not is use but something we were trying out, did not work btw.)

sh run
Building configuration...

Current configuration : 1393 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 xxxxxxxxxxxxxxxxxxxx

enable password xxxxxxxx
!
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 10.1.3.0 10.1.3.29
ip dhcp excluded-address 10.1.3.60 10.1.3.255
!
ip dhcp pool tvmbox
   network 10.1.3.0 255.255.255.0
   default-router 10.1.3.1
!
ip cef
ip audit po max-events 100
ip dhcp-server 10.1.3.1
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0

ip address 10.1.1.190 255.255.255.0
ip nat inside
full-duplex
!
interface FastEthernet0
ip address 10.1.3.1 255.255.255.0
ip nat outside
speed auto
full-duplex
!
interface Serial0
no ip address
shutdown
!
ip nat inside source static network 10.1.1.0 10.1.3.0 /24
ip classless
ip http server
ip http secure-server
!
!
access-list 1 permit 10.1.3.0 0.0.0.255
access-list 100 permit tcp 10.1.1.0 0.0.0.255 eq 22 10.1.3.0 0.0.0.255 eq 22
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxx
login
!
end

Router#

Oh, and both of these networks are directly connected to the router.

10.1.1.x through the Ethernet0 int and 10.1.3.x through the FastEthernet0 int.

Hi,

If you just remove the nat config isn't it working?

Best regards,

Alex

Alex,

Ping still works without NAT, yes. I am still struggling to get ssh to work from a PC on the 10.1.1.x side to a dhcp client on the 10.1.3.x side. You can see some access-lists I have tried with no success, It has been a long time since I had to work with Cisco IOS so I am not sure what it is I am missing at this point.

I have tried adding an ip route (gateway of last resort) and that did not help or again maybe I am using the wrong info.

Here is the config, what else do I need to accomplish this? Appreciate the replies thus far from you guys.

sh run
Building configuration...

Current configuration : 1349 bytes
!
! Last configuration change at 16:57:33 Chicago Sat Nov 5 2011
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxx

enable password xxxxxxxx
!
username xxxxxxx password 0 xxxxxxxx
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 10.1.3.0 10.1.3.29
ip dhcp excluded-address 10.1.3.60 10.1.3.255
!
ip dhcp pool tvmbox
   network 10.1.3.0 255.255.255.0
   default-router 10.1.3.1
!
ip cef
ip audit po max-events 100
ip dhcp-server 10.1.3.1
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
ip address 10.1.1.190 255.255.255.0
full-duplex
!
interface FastEthernet0
ip address 10.1.3.1 255.255.255.0
speed auto
full-duplex
!
interface Serial0
no ip address
shutdown
!
ip classless
no ip http server
ip http secure-server
!
!
access-list 1 permit 10.1.3.0 0.0.0.255
access-list 100 permit tcp 10.1.1.0 0.0.0.255 eq 22 10.1.3.0 0.0.0.255 eq 22
access-list 101 permit tcp any eq 22 any eq 22
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxx
login
!
end

Router#

Hi,

you don't need any ACL to permit traffic as by default there is no ACL configured nor aaplied so everything is permitted.

As you devices are in 2 different subnets all they need is a default gateway configured as the router interface ip address that is in their subnet.

As on the router these 2 subnets are directly connected interfaces, forwarding will be done without any problem.

Can you ssh into the device from the router and debug ip pack detail where ACL is access-list permitting ssh traffic:

logging buffered 100000

logging buffered debugging

debug ip packet detail 150

conf t

no service timestamp debug

access-list 150 permit tcp any any eq ssh

access-list 150 permit any eq ssh any

And post results

Alain

Don't forget to rate helpful posts.

Hi,

In addition to what Alain suggest please try to ssh from in PC the same subnetwork as your ssh dchp client and tell is everithing is ok.

Best regards,

Alex

Guys,

Turns out the NAT stuff was not needed, as was mentioned. Also ssh connectivity working...once I had a proper ssh server running on the side I was trying to connect to. Like I said, it's been awhile and it was slow coming back to me.

Thanks for the replies and pointing me in the right direction, it is appreciated.

I marked the most recent Alain post as correct since just a pretty basic config was needed for our setup.

Al

Review Cisco Networking for a $25 gift card