
Changing Cisco LAN address via remote SSH

Last Modified: 2012-04-16
Hi Folks,
 I would really appreciate some advice please. I have been asked to turn DHCP off on a Cisco 1841 and more importantly change a LAN IP address. I am concerned that if I change the LAN IP I will lose the SSH session as the Public IP will be bound to the private IP. Could you please tell me how I can do this safely from a remote SSH session please?



version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname calm_1841
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9rRu$EafqqTauxb5fP2Koy1AnK0
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.2.250
ip dhcp excluded-address 10.0.2.251
ip dhcp excluded-address 10.0.2.252
!
ip dhcp pool PBX
   network 10.0.2.0 255.255.255.0
   domain-name ****
   dns-server 85.189.102.5 85.189.39.5 
   default-router 10.0.2.250 
   lease 7
!
!
ip ftp username ****
ip ftp password ****
ip domain name ****
ip name-server 85.189.102.5
ip name-server 85.189.39.5
ip ssh logging events
ip ssh version 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-97906410
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-97906410
 revocation-check none
 rsakeypair TP-self-signed-97906410
!
!
crypto pki certificate chain TP-self-signed-97906410
 certificate self-signed 01
  quit
username calm privilege 15 secret 5 $1$kzrT$ZMDakVGhRSeknvB5esm260
!
!
class-map match-any AutoQoS-VoIP-RTP-Trust
 match ip dscp ef 
class-map match-any AutoQoS-VoIP-Control-Trust
 match ip dscp cs3 
 match ip dscp af31 
!
!
policy-map AutoQoS-Policy-Trust
 class AutoQoS-VoIP-RTP-Trust
  priority percent 70
 class AutoQoS-VoIP-Control-Trust
  bandwidth percent 5
 class class-default
  fair-queue
!
!
!
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 ip nat inside
 no ip route-cache cef
 no ip route-cache
!
interface FastEthernet0/0
 description connected to WAN
 ip address 141.0.34.109 255.255.255.224
 ip access-group 101 in
 ip access-group OUTBOUND out
 ip nat outside
 duplex auto
 speed auto
 auto qos voip trust 
 service-policy output AutoQoS-Policy-Trust
!
interface FastEthernet0/1
 description connected to Network switch
 ip address 10.0.2.250 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 141.0.34.97
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list ACL_NAT_DYNAMIC interface FastEthernet0/0 overload
ip nat inside source static 10.0.2.250 141.0.34.109
ip nat outside source static 141.0.34.109 10.0.2.250
!
ip access-list extended ACL_NAT_DYNAMIC
 permit ip 10.0.2.0 0.0.0.255 any
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any
ip access-list extended OUTBOUND
 permit ip any any
 permit tcp any any
 permit udp any any
 permit icmp any any
ip access-list extended VTY_ACCESS
 permit ip host 89.234.56.178 any
 deny   ip any any log
!
access-list 101 remark INBOUND IP'S ALLOWED
access-list 101 permit ip host 85.189.102.5 any
access-list 101 permit ip host 88.208.235.16 any
access-list 101 permit ip host 85.189.39.5 any
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit udp any any range 10000 20000
access-list 101 permit udp any any range 5060 5061
access-list 101 permit icmp any any
access-list 101 permit tcp any any
access-list 101 permit ip host 89.234.56.178 any
access-list 101 remark MAGRATHEA INBOUND
access-list 101 permit ip host 87.238.72.151 any
access-list 101 permit ip host 87.238.72.153 any
access-list 101 permit ip host 87.238.74.129 any
access-list 101 permit ip host 87.238.74.130 any
access-list 101 permit ip host 213.166.5.129 any
access-list 101 permit ip host 213.166.5.131 any
access-list 101 permit ip host 213.166.5.135 any
access-list 101 deny   ip any any
!
!
!
control-plane
!
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
rmon alarm 33333 cbQosCMDropBitRate.1059.1061 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
!
!
!
!
!
!
banner motd ^CDO NOT ATTEMPT TO LOGIN TO THIS DEVICE. Authorised users only^C
!
line con 0
 exec-timeout 30 0
 password ****
 logging synchronous
 login local
line aux 0
line vty 0 4
 access-class VTY_ACCESS in
 exec-timeout 30 0
 privilege level 15
 password ****
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end


Top Expert 2009

Commented:
You can add the new LAN address as a secondary address so the router still responds to the original IP but also responds to the new IP.  Once you are able to access the router remotely via the new LAN IP address, you can clean up the old.

int f0/1
ip address <new IP> 255.255.255.0 secondary
Nayyar HH (CCIE RS), Network Architect
CERTIFIED EXPERT

Commented:
I would proceed along these lines

Create another Static translation to the Loopback0 using a free Public IP

Connect to Loopback0 to effect these required changes - DHCP, LAN IP etc

Verification

Remove above translation

Save changes

Author

Commented:
Thanks guys,
 so JFrederick29, if I add the secondary address then I won't be kicked out of the remote SSH session when I change the primary IP?
Top Expert 2009

Commented:
Correct, as long as you use the "secondary" keyword after the IP address.

Author

Commented:
I just put the secondary address in, then when I changed the primary LAN address it kicked me out and dropped the SSH session. I can't get back into the router now so I will have to ask the client to reboot the router.
Nayyar HH (CCIE RS), Network Architect
CERTIFIED EXPERT

Commented:
It kicked you out because of the NAT translation. I suggested a new translation to be created solely for the change.

Did you manage to get it rebooted?

Author

Commented:
I got this rebooted and the client changed their downstream server address instead but I would be interested in knowing how I would do it in the future as a learning exercise please?
Top Expert 2009

Commented:
Sounds like you got half way there.  You added the secondary address correctly but it sounds like maybe you didn't drop your session and then connect to the new secondary address before changing the primary address.
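
An added example, not part of the thread or any poster's code: a pre-change check in Python that lists every config line still referencing the LAN address about to be replaced, and flags a static NAT that maps one of the router's own interface addresses onto it, the dependency Nayyar HH points to for the dropped session. `CONFIG` is a constructed excerpt of the config posted in the question, and the function names are hypothetical.

```python
import re

# Constructed excerpt: only the address-bearing lines of the config posted above.
CONFIG = """\
ip dhcp excluded-address 10.0.2.250
ip dhcp pool PBX
   network 10.0.2.0 255.255.255.0
   default-router 10.0.2.250
interface FastEthernet0/0
 ip address 141.0.34.109 255.255.255.224
interface FastEthernet0/1
 ip address 10.0.2.250 255.255.255.0
ip nat inside source static 10.0.2.250 141.0.34.109
ip nat outside source static 141.0.34.109 10.0.2.250
"""

def interface_addresses(config):
    """Map interface name -> addresses set with 'ip address' (hypothetical helper)."""
    addrs, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line ends any interface block
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            continue
        m = re.match(r"\s+ip address (\d+\.\d+\.\d+\.\d+) ", line)
        if m and current:
            addrs.setdefault(current, []).append(m.group(1))
    return addrs

def references(config, ip):
    """Lines other than 'ip address' that mention exactly this address."""
    pat = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [l.strip() for l in config.splitlines()
            if pat.search(l) and not l.strip().startswith("ip address")]

def nat_locked_publics(config, ip, addrs):
    """Global addresses statically NATed to ip that are also the router's own."""
    own = {a for lst in addrs.values() for a in lst}
    pairs = re.findall(r"^ip nat inside source static (\S+) (\S+)", config, re.M)
    return [glob for local, glob in pairs if local == ip and glob in own]

if __name__ == "__main__":
    addrs = interface_addresses(CONFIG)
    print(references(CONFIG, "10.0.2.250"))
    print(nat_locked_publics(CONFIG, "10.0.2.250", addrs))
```

A non-empty result from `nat_locked_publics` means the public address used for remote management is translated to the LAN address being changed, so the management path depends on that address staying in place.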