Solved

Cisco 2600 series multiple IP address configuration

Posted on 2004-09-29
Last Modified: 2010-04-17
I have 32 IP addresses in 2 blocks from my ISP. The first block is 205.xxx.xxx.50 - 205.xxx.xxx.64 and the other is 66.xxx.xxx.34 - 66.xxx.xxx.49. On my router configuration I have many of these IPs routed to various IP addresses on my network for purposes of web, mail and remote desktop connections.

Every time I reboot my router, I have to go in and re-configure at least one route for each IP address other than my defaults otherwise the router does not respond on behalf of that IP address anymore (this seems to bind the address to the NIC again, temporarily).

In my interface configuration, I only have the first IP from both blocks configured. If I were to add the rest of the IP's as secondary addresses under the interface, would that fix my problem? At this point I'm afraid to reboot the router because I don't want to forget to fix every extra IP. Thanks.
Question by:danielrlm

39 Comments

Expert Comment

by:JFrederick29
When you say "routed" do you mean you have static NAT's configured for your web, mail, remote desktop connections?

If you are using static NAT's and a private address space on your internal network, you do not need any of the public IP addresses assigned to your inside interface.  You definitely do not want to add the rest as secondary addresses.

You are saving your configuration "copy run start" before you reload the router, right?

Author Comment

by:danielrlm
Yes, I am using static NAT's for the various connections.

I'm talking about adding the addresses as secondary addresses under the interface configuration itself. Right now I just have the main IP's from both blocks under my FastEthernet 1/0 config, and I was wondering if I need to add other ones to make sure that all IP addresses are bound upon start.

"copy run start" is a command I'm not familiar with. I was only instructed to use "wr" to write the configuration. When you reboot the router, it's not losing configuration, it's just that the loaded configuration is not working. For example:

domain.com is being routed to my IP address at: 205.xxx.xxx.57 which is being routed to 192.168.0.240 on my internal network. The commands necessary are all still in the running configuration, but until I remove the line and re-enter it the router does not actually follow the configured route.

Expert Comment

by:mikebernhardt
Dumb question, but are you typing "copy running-config startup-config?" or "write mem" after you configure? If not, the router won't retain your changes after you reboot.

Author Comment

by:danielrlm
I, being at first unfamiliar with Cisco interface, just type "wr" (or "write"). I'm not sure what the default setting is.

Expert Comment

by:mikebernhardt
wr is good enough.

On the interface, you configure the whole subnet by including the subnet mask. But your blocks don't line up along mask boundaries exactly. What you should have is 66.xxx.xxx.32 - 66.xxx.xxx.47 and 205.xxx.xxx.48 - 205.xxx.xxx.63. You better check with your ISP about this. Assuming these are correct, you could do

interface xx
 ip address 66.xx.xx.33 255.255.255.224
 ip address 205.xx.xx.49 255.255.255.224 secondary

Expert Comment

by:JFrederick29
Mike, correct me if I'm wrong, but you don't need any of the public IP's assigned to the FastEthernet1/0 config assuming that is your internal interface (using private addressing).  You can use those as static NAT's as well.

Can you post your configuration?  Edit out passwords...

Expert Comment

by:mikebernhardt
I just picked the first usable IP in each range, but the router can take any address in the range. Using the correct subnet mask informs it which addresses can be on this interface. Remember that the network address (.32 and .48) and the broadcast address (.47 and .63) are reserved and can't be used by hosts or the router.

Author Comment

by:danielrlm
OK, I don't know what I'm talking about. :) Make that FastEthernet 0/0.

I have:
0/0 - External 1
0/1 - External 2
and 1/0 - Internal

My IP's are configured under 0/0.

Expert Comment

by:PennGwyn
Assigning the addresses as secondaries will NOT do what you need.  I'm not sure what the problem is, but that's not the solution.

My guess would be that for some reason the router is coming up with ARP proxying turned off.  But with static NAT, I can't imagine why it would do that.

Author Comment

by:danielrlm
Here's some sample configuration from my router:

interface FastEthernet0/0
 ip address 216.229.189.75 255.255.255.240
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 66.236.7.34 255.255.255.240 secondary
 ip address 205.158.190.50 255.255.255.240
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Ethernet1/0
 ip address 192.168.0.2 255.255.254.0 secondary
 ip address 192.168.1.1 255.255.254.0 secondary
 ip address 192.168.0.1 255.255.254.0
 ip nat inside
 no ip mroute-cache
 half-duplex
 no cdp enable
!
ip nat pool isp2 205.158.190.50 205.158.190.50 prefix-length 24
ip nat pool isp1 216.229.189.75 216.229.189.75 prefix-length 24
ip nat inside source route-map isp1 pool isp1 overload
ip nat inside source route-map isp2 pool isp2 overload
ip nat inside source static tcp 192.168.0.125 3390 205.158.190.50 3390 extendable

Expert Comment

by:mikebernhardt
OK, so the mask on F0/1 is wrong for the ranges you've given us. It should be 255.255.255.224. But as I said, the ranges you've given us are not within subnet mask boundaries, so that needs to be checked out.

I was about to say that I was sleeping on the job, but it turns out that maybe I wasn't, hahaha.

Author Comment

by:danielrlm
My bad, actually. I don't remember the exact ranges. Let's just say the subnet is correct according to XO. So my range is wrong.

Expert Comment

by:JFrederick29
How did it let you add these:

interface Ethernet1/0
ip address 192.168.0.2 255.255.254.0 secondary
ip address 192.168.1.1 255.255.254.0 secondary
ip address 192.168.0.1 255.255.254.0

These are overlapping subnets.

The mask on F0/1 currently gives you:

205.158.190.33 - 205.158.190.63

Expert Comment

by:mikebernhardt
interface Ethernet1/0
 ip address 192.168.0.2 255.255.254.0 secondary
 ip address 192.168.1.1 255.255.254.0 secondary
 ip address 192.168.0.1 255.255.254.0

All three of these addresses are within the subnet mask 255.255.254.0. You only need one address. The hosts just need to be configured with a mask of 255.255.254.0 also. And their default gateway would be whatever address you keep on the router.

Expert Comment

by:JFrederick29
Oops, never mind my last "mask on F0/1" comment, I looked at mikebernhardt's posted mask of 255.255.255.224 instead :)

255.255.255.240 gives you: 205.158.190.49 - 205.158.190.63 only.

Author Comment

by:danielrlm
Yes, that's the range for that one.

Expert Comment

by:mikebernhardt
>The mask on F0/1 currently gives you:
>205.158.190.33 - 205.158.190.63

Actually it gives him 205.158.190.49 - 205.158.190.63 and 66.236.7.33 - 66.236.7.47...

Expert Comment

by:JFrederick29
Read two posts back :)

Author Comment

by:danielrlm
That's right. Good job. =)

Expert Comment

by:mikebernhardt
OK, whatever. Part of the problem may be the IP secondary on your outside interface. Routers have limitations on what they can do with secondary addresses. Also, something is strange about your NAT config, maybe others will straighten it out before I do. I'm too sleepy this morning :-)

Expert Comment

by:JFrederick29
LOL

So far we are pointing out facts but none that seem to lead to your issue...

Could this be a bug in the IOS version loaded on the router???

Expert Comment

by:mikebernhardt
I'm curious- are all the hosts behind interface Ethernet1/0 directly connected to that interface or is there another router in there?

Author Comment

by:danielrlm
When we first migrated to the Cisco 2600, there were 2 routers. In order to avoid problems, we went ahead and gave the Cisco a secondary address of 192.168.0.2. The 192.168.1.1 was added in hopes of expanding my internal IP address range to 192.168.0.1-192.168.1.254. I have another thread going if you're interested... =)

Accepted Solution

by:JFrederick29 (earned 250 total points)
Changing the mask to 255.255.254.0 like you have gives you 510 usable addresses. 192.168.0.1 - 192.168.1.254.  You do not need the secondary addresses on Ethernet1/0.  Just make sure you change the subnet mask on all hosts to 255.255.254.0 as well.

Expert Comment

by:mikebernhardt
OK, I'll look at that one and make any comments I have.

Does anyone have any input on his NAT configuration?

Expert Comment

by:mikebernhardt
I think the 2 questions may be related. It appears that there aren't any hosts directly behind the router, only the firewall. The LANs are behind the firewall. You should not have the LAN subnet configured on the router then. You should have a subnet configured between the router and the firewall, and then use static routes to tell the router where the LANs are, and on the firewall to give it a default route.

Author Comment

by:danielrlm
Are you saying that static routes (for web sites, for example) should be configured on the firewall and *not* the router? That was something I was wondering today, but wasn't sure.

Expert Comment

by:mikebernhardt
No. Static routes point to subnets, not individual hosts. This has nothing to do with NAT. The router needs to connect to the firewall with a unique subnet, say 192.168.5.1 on the router and 5.2 on the firewall. Then you put the following static route in the router:
ip route 192.168.0.0 255.255.254.0 192.168.5.2

The firewall has a static route that says the default route  for it is 192.168.5.1. The LAN interface on the firewall is addressed with the 192.168.0.1, etc.

Author Comment

by:danielrlm
Sorry, you lost me a bit. (BTW, I've increased the point value since we're getting into more than you bargained for.)

Currently my "ip nat inside" commands are all pointing to individual hosts (per instructions from a networking guru). Is that wrong?

What it sounds like you're saying is that I should basically bag all of those, set up a unique subnet between the router and firewall (something NOT in the 192.168.0.0 or 192.168.1.0 subnets) and let the firewall point things where they belong?

So basically, your "ip route..." command would tell the router to look to the firewall for all requests pertaining to anything in the 192.168.0.0 arena?

Sorry for my confusion. So far my expertise has been with computers, not networking equipment. But let's just say my job has been expanded a bit. =)

Author Comment

by:danielrlm
Adding increase. =)

Expert Comment

by:mikebernhardt
NAT and routes, static or otherwise aren't really related. Routes tell the router where to send traffic. NAT is address translation. The router translates, in your case,  tcp port 3390 on 192.168.0.125 3390 so that the outside world sees it as 205.158.190.50 port 3390. But the router needs to know where 192.168.0.x is, and that's routing. The person who helped you with NAT may have thought that the 192.168 hosts are connected directly to this router instead of being behind a firewall.

Does that make sense or do you need more detail?

Author Comment

by:danielrlm
OK, I think I get it. So I keep my NAT commands for the appropriate links, but I tell the router to send all requests for 192.168.0.x through the firewall explicitly... right?

Expert Comment

by:mikebernhardt
Yes, exactly.

Author Comment

by:danielrlm
So let me run through this:

Subnet 1: 192.168.5.0 (subnet 255.255.255.254 - limiting to 2 hosts)
 -> Device 1 - Cisco router (Ethernet 1/0 set to 192.168.5.1)
 -> Device 2 - Firewall (WAN set to 192.168.5.2, Trusted set to, say 192.168.0.4)

Subnet 2: 192.168.0.0 (subnet 255.255.254.0 - limiting to 510 hosts)
 -> Device 1 - HP Managed Switch (IP set to 192.168.0.3 - what it is currently set at)
 -> Other devices - Systems, Servers, Printers (appropriate IP's set)

Should I basically work on this, and then see if the router's config problem is resolved?

Assisted Solution

by:mikebernhardt (earned 250 total points)
Yes. For clarity I would set the firewall's trusted address to 192.168.0.1 if you can. All workstations, printers, etc. on the LAN need to be set up thusly:
address 192.168.0.x or 1.x
subnet mask 255.255.254.0
gateway 192.168.0.1
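
An offline check of the masks discussed in this thread, as an added example that is not part of any participant's post: it uses Python's standard ipaddress module to show the usable range per mask, which addresses on Ethernet1/0 are redundant, and whether the proposed router/firewall link addresses share a subnet. The function names are illustrative, and the 255.255.255.252 mask in the last check is an assumption added here for comparison.

```python
import ipaddress

def subnet_of(addr, mask):
    """Network that an interface address/mask pair belongs to."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network

def usable_range(addr, mask):
    """(first, last) assignable address, excluding network and broadcast."""
    net = subnet_of(addr, mask)
    if net.prefixlen >= 31:  # no room left once network/broadcast are reserved
        return None
    return (str(net.network_address + 1), str(net.broadcast_address - 1))

def same_subnet(a, b, mask):
    """True if a and b fall in the same subnet under this mask."""
    return subnet_of(a, mask) == subnet_of(b, mask)

def redundant_secondaries(addresses):
    """Addresses whose subnet overlaps one already configured on the interface."""
    seen, dupes = [], []
    for addr, mask in addresses:
        net = subnet_of(addr, mask)
        if any(net.overlaps(s) for s in seen):
            dupes.append(addr)
        seen.append(net)
    return dupes

# Addresses and masks below are taken from the thread unless marked otherwise.
OUTSIDE = [("205.158.190.50", "255.255.255.240"), ("66.236.7.34", "255.255.255.240")]
INSIDE = [("192.168.0.1", "255.255.254.0"), ("192.168.0.2", "255.255.254.0"),
          ("192.168.1.1", "255.255.254.0")]
LINK = ("192.168.5.1", "192.168.5.2")  # proposed router/firewall link

if __name__ == "__main__":
    for addr, mask in OUTSIDE + INSIDE[:1]:
        print(addr, mask, "->", subnet_of(addr, mask), usable_range(addr, mask))
    # Stated ISP block .50-.64 combined with the posted /28 mask (constructed pairing).
    print("block .50-.64 in one /28:",
          same_subnet("205.158.190.50", "205.158.190.64", "255.255.255.240"))
    print("redundant on Ethernet1/0:", redundant_secondaries(INSIDE))
    # 255.255.255.252 is an assumption added for comparison, not from the thread.
    for mask in ("255.255.255.254", "255.255.255.252"):
        print("link", mask, "same subnet:", same_subnet(*LINK, mask))
```

With 255.255.255.254 the two link addresses land in different subnets (192.168.5.0/31 and 192.168.5.2/31), while 255.255.255.252 puts both in 192.168.5.0/30.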

Author Comment

by:danielrlm
Sounds great. Any other tips? I think I'll have to accept your answer soon. =)

Expert Comment

by:mikebernhardt
The problem is, this may not solve your problem. See if it does first before you accept my answer...