IP Address conflict when performing static NAT

Hi

I am setting up a Cisco 1841 with an external ADSL modem and Firewall IOS. Essentially, I want to map SMTP (25) on the Public Interface to an internal server on the same port and port 9833 (custom port) to the same internal server but on port 3389 (MS-RDP).

I have performed the following basic tasks:

1) Set up a Dialer Interface mapped to the FA0/1 interface to which the bridged ADSL modem is connected. This performs and connects fine.

2) Configure PAT for internal clients to NAT to the IP Address of the Dialer Interface which works fine.

3) Configured Static NAT to map the required ports mentioned above to the appropriate ports on the internal server.

What I am finding is when I apply the commands in step 3 I am getting an error in the Cisco terminal as shown below where the IP address is the same IP used in the static NAT commands:

*Nov 28 10:00:44.507: %IP-4-DUPADDR: Duplicate address 10.XX.XX.XX on FastEthernet0/0, sourced by 0020.ed6b.df9a

This router has not yet gone into production so there is much configuration missing, such as the inbound ACL, but I am hoping someone can help me with this issue, as when it occurs the server also detects the conflict and becomes inaccessible. I have included a copy of the config so far below.

Thanks VD

Current configuration : 2208 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FIREWALL
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
ip host OUTSIDE 220.XX.XX.XX
ip host SERVER 10.XX.XX.XX
ip inspect name OUTBOUND http
ip inspect name OUTBOUND https
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND ftps
ip inspect name OUTBOUND smtp
ip inspect name OUTBOUND dns
ip inspect name OUTBOUND citrix
ip inspect name OUTBOUND citriximaclient
ip inspect name OUTBOUND ica
ip inspect name OUTBOUND icabrowser
ip inspect name OUTBOUND icmp
ip inspect name OUTBOUND pcanywheredata
ip inspect name OUTBOUND pcanywherestat
ip inspect name OUTBOUND ssh
no ip ips deny-action ips-interface
!
interface FastEthernet0/0
 ip address 10.XX.XX.XX 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-WAN$
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname snipped-for-privacy@XXXX.XXXXX
 ppp chap password 0 XXXXXXXXXX
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat outside source static tcp 220.XX.XX.XX 25 10.XX.XX.XX 25 extendable
ip nat outside source static tcp 220.XX.XX.XX 9833 10.XX.XX.XX 3389 extendable
!
ip access-list extended INBOUND
 permit tcp any host 220.XX.XX.XX eq smtp
!
access-list 1 permit 10.XX.XX.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end

Reply to
VeeDub

There is nothing wrong with the router, you have a device inside that has the same IP as the one you assigned to the ethernet interface.

Reply to
Brian V

Thanks for the feedback but I don't think this is the case. The IP of the inside, and only connected interface, is 10.x.x.2 and the server which it is conflicting with is 10.x.x.10. I have checked the server to confirm there is no secondary IP configured.

When the inside interface is up, the error message below appears and the server cannot be reached, and when the interface is down the message disappears and the server regains connectivity.

*Nov 28 11:54:40.775: %IP-4-DUPADDR: Duplicate address 10.x.x.10 on FastEthernet0/0, sourced by 0020.ed6b.df9a

The conflict seems to only start occurring once I enter the static NAT commands which are meant to map ports 25 and 9833 on the outside interface (FA0/1) to ports 25 and 3389 respectively on the server.

Thanks

Reply to
VeeDub

The right syntax is

ip nat inside source static tcp extendable

you did the opposite.

Unless you are trying to do something else or testing a new way to do things....

HTH Alex.

Reply to
AM
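Added example, not part of the thread: a small Python check for the mix-up AM points out, flagging `ip nat outside source static` lines whose second address is a host on an `ip nat inside` subnet and printing the `ip nat inside source static` form. The sample config and its addresses are constructed stand-ins, since the thread masks the real ones.

```python
import ipaddress
import re

# Constructed sample config: the thread masks its addresses, so stand-in
# values (10.0.0.0/24 inside, 203.0.113.5 public) are assumed here.
SAMPLE = """\
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
!
ip nat outside source static tcp 203.0.113.5 25 10.0.0.10 25 extendable
ip nat inside source static tcp 10.0.0.10 3389 203.0.113.5 9833 extendable
"""

STATIC = re.compile(r"^ip nat (inside|outside) source static tcp "
                    r"(\S+) (\d+) (\S+) (\d+)")
ADDR = re.compile(r"^ ip address (\d\S*) (\d\S*)")


def inside_networks(config):
    """Subnets of the interfaces that carry 'ip nat inside'."""
    nets, net, inside = [], None, False
    for line in config.splitlines() + ["!"]:
        if not line.startswith(" "):   # top-level line closes an interface block
            if net is not None and inside:
                nets.append(net)
            net, inside = None, False
        elif (m := ADDR.match(line)):
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif line.strip() == "ip nat inside":
            inside = True
    return nets


def reversed_port_forwards(config):
    """Return (line, suggestion) for 'outside source static' entries whose
    second address is a host on an inside subnet."""
    nets, found = inside_networks(config), []
    for line in config.splitlines():
        m = STATIC.match(line)
        if m and m[1] == "outside" and any(
                ipaddress.ip_address(m[4]) in n for n in nets):
            found.append((line, "ip nat inside source static tcp "
                                f"{m[4]} {m[5]} {m[2]} {m[3]}"))
    return found
```
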

Thanks for your advice,

I have changed the configuration around to that shown here:

ip nat inside source static tcp 10.XX.XX.10 25 220.XX.XX.XX 25 extendable
ip nat inside source static tcp 10.XX.XX.10 3389 220.XX.XX.XX 9833 extendable

Once I enable this, however, I continue to get the IP address conflict issue. Just to clarify, this is what I want to achieve:

- The device is a perimeter router/firewall

- Packets addressed to 220.xx.xx.xx:25 where 220.xx.xx.xx is the static Public IP of the Dialer 0 interface mapped to FA0/1 is forwarded to 10.xx.xx.10:25

- Packets addressed to 220.xx.xx.xx:9833 are forwarded to 10.xx.xx.10:3389

Seeing this translation would be happening on the interface assigned NAT Outside (Dialer0-FA0/1) I presume, as per my original configuration that the NAT command would take the form:

ip nat outside source static tcp

I am still at a loss regarding the address conflict issue though. Any further assistance would be appreciated with this.

Thanks

Reply to
VeeDub

IP of the Dialer 0 interface mapped to FA0/1 is forwarded to 10.xx.xx.10:25

Just as a test, try not to append the word extendable at the end of the NAT command. I know it should be necessary but I had a look at my router and I didn't put it.

Let us know.

Alex.

Reply to
AM
