08-28-2014 07:16 AM - edited 03-07-2019 08:33 PM
Hi all,
It's been a while since I did my CCENT and I have a client in need right now - so while I'm brushing up on my skills, I am in a bit of a jam and need to resolve it! Any help gratefully received :)
I have a client who has one public IP address, who has requested and received a second public static IP address. We've set up NAT on the Cisco 900 series router (sho run output below) and all is well with the first IP address. The second one doesn't ping (TTL timeout) but you can find it via tracert.
We have 220.9.9.9 (edited) belonging to the router itself. This is bound to fast ethernet port 4. NAT uses this IP to forward ports to the SBS server.
We also have 58.9.9.9 (also edited) which we want to set up for access to the new CRM server. We need the second public IP address as the client's web devs need some of the same ports already used, for connecting to the CRM server.
In the sho run output below, I don't see where the 58.9.9.9 IP is bound to an interface. Is this needed? I can see where NAT rules are set, forwarding traffic for 58.9.9.9 to the internal IP of the CRM server (192.168.0.20). It isn't working, though.
Sho run gives the following output (some password entries removed):
version 15.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname CLIENT881
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
!
ip dhcp pool LAN
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254
 dns-server 192.168.0.2 58.x.x.x 220.x.x.x 8.8.8.8
!
ip name-server 58.x.x.x
ip name-server 220.x.x.x
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 220.9.9.9 255.255.255.254
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.20 443 58.9.9.9 443 extendable
ip nat inside source static tcp 192.168.0.20 3389 58.9.9.9 3389 extendable
ip nat inside source static tcp 192.168.0.20 8080 58.9.9.9 8080 extendable
ip nat inside source static tcp 192.168.0.20 9090 58.9.9.9 9090 extendable
ip nat inside source static tcp 192.168.0.20 9091 58.9.9.9 9091 extendable
ip nat inside source static tcp 192.168.0.2 25 220.9.9.9 25 extendable
ip nat inside source static tcp 192.168.0.2 80 220.9.9.9 80 extendable
ip nat inside source static tcp 192.168.0.2 110 220.9.9.9 110 extendable
ip nat inside source static tcp 192.168.0.2 135 220.9.9.9 135 extendable
ip nat inside source static tcp 192.168.0.2 443 220.9.9.9 443 extendable
ip nat inside source static tcp 192.168.0.2 995 220.9.9.9 995 extendable
ip nat inside source static tcp 192.168.0.2 3389 220.9.9.9 3389 extendable
ip nat inside source static tcp 192.168.0.2 6001 220.9.9.9 6001 extendable
ip nat inside source static tcp 192.168.0.2 6002 220.9.9.9 6002 extendable
ip nat inside source static tcp 192.168.0.2 6003 220.9.9.9 6003 extendable
ip nat inside source static tcp 192.168.0.2 6004 220.9.9.9 6004 extendable
ip route 0.0.0.0 0.0.0.0 220.9.9.8
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
!
!
line con 0
 password 7 xxx
 login
 no modem enable
line aux 0
line vty 0 4
 password 7 xxx
 login
 transport input all
!
ntp server 220.1.5.7
!
end
I throw myself on your mercy, friends. What do I need to do to get this config right?
Oh - part two. I had consulted various forum posts and thought the answer was a secondary IP address. I went into interface config mode and did just that - but hit "enter" before adding the word "secondary" to the second IP command. I have now lost remote access to the device. I should be fine going to the office and connecting via Telnet from the LAN and using the local IP address, right?
Thanks in advance for any help.
08-28-2014 12:33 PM
You can power cycle the router and it should revert to the old IP address. But yes, internally you should be able to telnet, SSH, or console in with no issues. The secondary address with the proper NAT statement should work just fine! Here is a sample config:
interface fastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip address 2.2.2.2 255.255.255.0 secondary
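An added example, not part of the thread and not Cisco code: a short Python check that reads a saved running-config, lists the public addresses used in static NAT rules that are not configured on any interface (the question raised in the original post), and flags any public address/port pair mapped twice. The sample config is a constructed excerpt of the posted output, and the helper name `audit` is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed excerpt of the running-config posted above (NAT-relevant lines only).
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 220.9.9.9 255.255.255.254
 ip nat outside
interface Vlan1
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.168.0.20 443 58.9.9.9 443 extendable
ip nat inside source static tcp 192.168.0.20 3389 58.9.9.9 3389 extendable
ip nat inside source static tcp 192.168.0.2 443 220.9.9.9 443 extendable
ip nat inside source static tcp 192.168.0.2 3389 220.9.9.9 3389 extendable
"""

# "ip address A.B.C.D MASK [secondary]" under an interface; "no ip address" is skipped.
IFACE_ADDR = re.compile(r"^\s*ip address (\d+(?:\.\d+){3}) \S+(?: secondary)?\s*$")
STATIC_NAT = re.compile(
    r"^\s*ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def audit(config):
    """Hypothetical helper: returns (interface_addrs, forwards, unbound, conflicts)."""
    addrs, forwards, seen, conflicts = set(), defaultdict(list), set(), []
    for line in config.splitlines():
        m = IFACE_ADDR.match(line)
        if m:
            addrs.add(m.group(1))
            continue
        m = STATIC_NAT.match(line)
        if not m:
            continue
        proto, local_ip, _local_port, global_ip, global_port = m.groups()
        key = (proto, global_ip, int(global_port))
        if key in seen:          # same public address/port mapped twice
            conflicts.append(key)
        seen.add(key)
        forwards[global_ip].append((proto, int(global_port), local_ip))
    # Public addresses used by static NAT but not configured on any interface.
    unbound = sorted(ip for ip in forwards if ip not in addrs)
    return addrs, dict(forwards), unbound, conflicts

if __name__ == "__main__":
    addrs, forwards, unbound, conflicts = audit(SAMPLE_CONFIG)
    for ip, rules in forwards.items():
        print(ip, sorted(port for _, port, _ in rules))
    print("not on any interface:", unbound)
    print("duplicate mappings:", conflicts)
```

The per-address port list it prints is also a quick inventory of which services each public IP exposes to the internet.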
08-29-2014 03:39 AM
I think that the ip nat command is wrong when you have two IP addresses. You can execute the following commands:
no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 1 220.9.9.9 overload
or
ip nat inside source list 1 or 2 58.9.9.9 overload