danielrlm

asked on

Cisco 2600 series multiple IP address configuration

I have 32 IP addresses in 2 blocks from my ISP. The first block is 205.xxx.xxx.50 - 205.xxx.xxx.64 and the other is 66.xxx.xxx.34 - 66.xxx.xxx.49. On my router configuration I have many of these IPs routed to various IP addresses on my network for purposes of web, mail and remote desktop connections.

Every time I reboot my router, I have to go in and re-configure at least one route for each IP address other than my defaults otherwise the router does not respond on behalf of that IP address anymore (this seems to bind the address to the NIC again, temporarily).

In my interface configuration, I only have the first IP from both blocks configured. If I were to add the rest of the IP's as secondary addresses under the interface, would that fix my problem? At this point I'm afraid to reboot the router because I don't want to forget to fix every extra IP. Thanks.
JFrederick29

When you say "routed" do you mean you have static NAT's configured for your web, mail, remote desktop connections?

If you are using static NAT's and a private address space on your internal network, you do not need any of the public IP addresses assigned to your inside interface.  You definitely do not want to add the rest as secondary addresses.

You are saving your configuration "copy run start" before you reload the router, right?
danielrlm

ASKER

Yes, I am using static NAT's for the various connections.

I'm talking about adding the addresses as secondary addresses under the interface configuration itself. Right now I just have the main IP's from both blocks under my FastEthernet 1/0 config, and I was wondering if I need to add other ones to make sure that all IP addresses are bound upon start.

"copy run start" is a command I'm not familiar with. I was only instructed to use "wr" to write the configuration. When you reboot the router, it's not losing configuration, it's just that the loaded configuration is not working. For example:

domain.com is being routed to my IP address at: 205.xxx.xxx.57 which is being routed to 192.168.0.240 on my internal network. The commands necessary are all still in the running configuration, but until I remove the line and re-enter it the router does not actually follow the configured route.
Dumb question, but are you typing "copy running-config startup-config?" or "write mem" after you configure? If not, the router won't retain your changes after you reboot.
I, being at first unfamiliar with Cisco interface, just type "wr" (or "write"). I'm not sure what the default setting is.
wr is good enough.

On the interface, you configure the whole subnet by including the subnet mask. But your blocks don't line up along mask boundaries exactly. What you should have is 66.xxx.xxx.32 - 66.xxx.xxx.47 and 205.xxx.xxx.48 - 205.xxx.xxx.63. You better check with your ISP about this. Assuming these are correct, you could do

interface xx
 ip address 66.xx.xx.33 255.255.255.224
 ip address 205.xx.xx.49 255.255.255.224 secondary

Mike, correct me if I'm wrong, but you don't need any of the public IP's assigned to the FastEthernet1/0 config assuming that is your internal interface (using private addressing).  You can use those as static NAT's as well.

Can you post your configuration?  Edit out passwords...
I just picked the first usable IP in each range, but the router can take any address in the range. Using the correct subnet mask informs it which addresses can be on this interface. Remember that the network address (.32 and .48) and the broadcast address (.47 and .63) are reserved and can't be used by hosts or the router.
OK, I don't know what I'm talking about. :) Make that FastEthernet 0/0.

I have:
0/0 - External 1
0/1 - External 2
and 1/0 - Internal

My IP's are configured under 0/0.
Assigning the addresses as secondaries will NOT do what you need.  I'm not sure what the problem is, but that's not the solution.

My guess would be that for some reason the router is coming up with ARP proxying turned off.  But with static NAT, I can't imagine why it would do that.

Here's some sample configuration from my router:

interface FastEthernet0/0
 ip address 216.229.189.75 255.255.255.240
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 66.236.7.34 255.255.255.240 secondary
 ip address 205.158.190.50 255.255.255.240
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Ethernet1/0
 ip address 192.168.0.2 255.255.254.0 secondary
 ip address 192.168.1.1 255.255.254.0 secondary
 ip address 192.168.0.1 255.255.254.0
 ip nat inside
 no ip mroute-cache
 half-duplex
 no cdp enable
!
ip nat pool isp2 205.158.190.50 205.158.190.50 prefix-length 24
ip nat pool isp1 216.229.189.75 216.229.189.75 prefix-length 24
ip nat inside source route-map isp1 pool isp1 overload
ip nat inside source route-map isp2 pool isp2 overload
ip nat inside source static tcp 192.168.0.125 3390 205.158.190.50 3390 extendable

OK, so the mask on F0/1 is wrong for the ranges you've given us. It should be 255.255.255.224. But as I said, the ranges you've given us are not within subnet mask boundaries, so that needs to be checked out.

I was about to say that I was sleeping on the job, but it turns out that maybe I wasn't, hahaha.
My bad, actually. I don't remember the exact ranges. Let's just say the subnet is correct according to XO. So my range is wrong.
How did it let you add these:

interface Ethernet1/0
ip address 192.168.0.2 255.255.254.0 secondary
ip address 192.168.1.1 255.255.254.0 secondary
ip address 192.168.0.1 255.255.254.0

These are overlapping subnets.

The mask on F0/1 currently gives you:

205.158.190.33 - 205.158.190.63

interface Ethernet1/0
 ip address 192.168.0.2 255.255.254.0 secondary
 ip address 192.168.1.1 255.255.254.0 secondary
 ip address 192.168.0.1 255.255.254.0

All three of these addresses are within the subnet mask 255.255.254.0. You only need one address. The hosts just need to be configured with a mask of 255.255.254.0 also. And their default gateway would be whatever address you keep on the router.
Oops, nevermind my last "mask on F0/1" comment, I looked at mikebernhardt's posted mask of 255.255.255.224 instead :)

255.255.255.240 gives you: 205.158.190.49 - 205.158.190.63 only.
Yes, that's the range for that one.
>The mask on F0/1 currently gives you:
>205.158.190.33 - 205.158.190.63

Actually it gives him 205.158.190.49 - 205.158.190.63 and 66.236.7.33 - 66.236.7.47...
Read two posts back :)
That's right. Good job. =)
OK, whatever. Part of the problem may be the IP secondary on your outside interface. Routers have limitations on what they can do with secondary addresses. Also, something is strange about your NAT config, maybe others will straighten it out before I do. I'm too sleepy this morning :-)
LOL

So far we are pointing out facts but none that seem to lead to your issue...

Could this be a bug in the IOS version loaded on the router???
I'm curious- are all the hosts behind interface Ethernet1/0 directly connected to that interface or is there another router in there?
When we first migrated to the Cisco 2600, there were 2 routers. In order to avoid problems, we went ahead and gave the Cisco a secondary address of 192.168.0.2. The 192.168.1.1 was added in hopes of expanding my internal IP address range to 192.168.0.1-192.168.1.254. I have another thread going if you're interested... =)
ASKER CERTIFIED SOLUTION
JFrederick29

This solution is only available to members.
OK, I'll look at that one and make any comments I have.

Does anyone have any input on his NAT configuration?
I think the 2 questions may be related. It appears that there aren't any hosts directly behind the router, only the firewall. The LANs are behind the firewall. You should not have the LAN subnet configured on the router then. You should have a subnet configured between the router and the firewall, and then use static routes to tell the router where the LANs are, and on the firewall to give it a default route.
Are you saying that static routes (for web sites, for example) should be configured on the firewall and *not* the router? That was something I was wondering today, but wasn't sure.
No. Static routes point to subnets, not individual hosts. This has nothing to do with NAT. The router needs to connect to the firewall with a unique subnet, say 192.168.5.1 on the router and 5.2 on the firewall. Then you put the following static route in the router:
ip route 192.168.0.0 255.255.254.0 192.168.5.2

The firewall has a static route that says the default route  for it is 192.168.5.1. The LAN interface on the firewall is addressed with the 192.168.0.1, etc.
Sorry, you lost me a bit. (BTW, I've increased the point value since we're getting into more than you bargained for.)

Currently my "ip nat inside" commands are all pointing to individual hosts (per instructions from a networking guru). Is that wrong?

What it sounds like you're saying is that I should basically bag all of those, set up a unique subnet between the router and firewall (something NOT in the 192.168.0.0 or 192.168.1.0 subnets) and let the firewall point things where they belong?

So basically, your "ip route..." command would tell the router to look to the firewall for all requests pertaining to anything in the 192.168.0.0 arena?

Sorry for my confusion. So far my expertise has been with computers, not networking equipment. But let's just say my job has been expanded a bit. =)
Adding increase. =)
NAT and routes, static or otherwise, aren't really related. Routes tell the router where to send traffic. NAT is address translation. The router translates, in your case, tcp port 3390 on 192.168.0.125 so that the outside world sees it as 205.158.190.50 port 3390. But the router needs to know where 192.168.0.x is, and that's routing. The person who helped you with NAT may have thought that the 192.168 hosts are connected directly to this router instead of being behind a firewall.

Does that make sense or do you need more detail?
OK, I think I get it. So I keep my NAT commands for the appropriate links, but I tell the router to send all requests for 192.168.0.x through the firewall explicitly... right?
Yes, exactly.
So let me run through this:

Subnet 1: 192.168.5.0 (subnet 255.255.255.254 - limiting to 2 hosts)
 -> Device 1 - Cisco router (Ethernet 1/0 set to 192.168.5.1)
 -> Device 2 - Firewall (WAN set to 192.168.5.2, Trusted set to, say 192.168.0.4)

Subnet 2: 192.168.0.0 (subnet 255.255.254.0 - limiting to 510 hosts)
 -> Device 1 - HP Managed Switch (IP set to 192.168.0.3 - what it is currently set at)
 -> Other devices - Systems, Servers, Printers (appropriate IP's set)

Should I basically work on this, and then see if the router's config problem is resolved?
SOLUTION
This solution is only available to members.
Sounds great. Any other tips? I think I'll have to accept your answer soon. =)
The problem is, this may not solve your problem. See if it does first before you accept my answer...
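
The mask arithmetic argued over in this thread can be checked mechanically. The following is an added example, not code from any poster: it parses the `ip address` lines of the configuration posted above, reports the usable range per address, finds addresses that share one subnet on an interface, and tests a claimed range or a router-to-firewall link against a mask. All function names are made up for the example, and only the `ip address` lines of the posted config are reproduced.

```python
import ipaddress
import re

# "ip address" lines taken from the configuration posted in the thread.
CONFIG = """\
interface FastEthernet0/1
 ip address 66.236.7.34 255.255.255.240 secondary
 ip address 205.158.190.50 255.255.255.240
interface Ethernet1/0
 ip address 192.168.0.2 255.255.254.0 secondary
 ip address 192.168.1.1 255.255.254.0 secondary
 ip address 192.168.0.1 255.255.254.0
"""

def parse_interfaces(text):
    """Map interface name -> list of ip_interface objects, in config order."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = []
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and current is not None:
            addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            result[current].append(addr)
    return result

def usable_range(iface):
    """First and last host address (network and broadcast excluded)."""
    hosts = list(iface.network.hosts())
    return str(hosts[0]), str(hosts[-1])

def shared_subnets(ifaces):
    """Subnets that carry more than one address on the same interface."""
    nets = [i.network for i in ifaces]
    return sorted({str(n) for n in nets if nets.count(n) > 1})

def outside_subnet(first, last, iface):
    """Addresses in first..last that the interface's mask does not cover."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)
            if ipaddress.ip_address(n) not in iface.network]

def on_same_link(a, b, mask):
    """True when a and b fall in one subnet under the given mask."""
    net = lambda ip: ipaddress.ip_interface(f"{ip}/{mask}").network
    return net(a) == net(b)
```

For the range check, the block ranges from the original question can be combined with the prefixes visible in the posted config (an assumption, since the question masks those octets); `on_same_link` applies the same test to the 192.168.5.1 / 192.168.5.2 link proposed near the end of the thread.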