PINGing an interface's secondary address gives error

Jul 27th, 2007

I just want to assign my router all six IPs that my ISP has assigned to me so I can set up various static NAT forwardings based on the destination address (yes, I know I can do forwarding by port, but I've got two HTTPS (port 443) servers that I want to set up).

...but when I try this:

int E0

ip address

ip address secondary

(ip route = the ISP gateway)

From out on the Internet, I can PING the ..1.2 address just fine, but when I try to PING the ..1.3 address, I get "Reply from Destination net unreachable"

Is it telling me that I can't put two addresses that are in the same subnet on the same interface? I'm sure I've done this in the past. Obviously the packet is getting through to my router's interface since the primary address is the one who is answering back with the ICMP reply, but I can't figure it out.

Jon Marshall Fri, 07/27/2007 - 07:22

Hi Thomas

You do not need to use secondary addressing for what you are trying to do. You just need NAT statements for the servers you are giving access to. So leave the primary address on the e0 interface and then just add static translations to your config, e.g.

ip nat inside source static "private ip of server"

and repeat for other servers.

You then need under e0

interface e0

ip nat outside

and an "ip nat inside" on the interface to which your servers are connected.



thomasdzubin Fri, 07/27/2007 - 07:31

Great! Thanks...that will solve my problem.

(I've already got the "ip nat outside" and "ip nat inside" statements in there since my current setup is working fine.)

But, just curious, do you know why I couldn't PING my secondary addresses? Is the "Destination net unreachable" message telling me that it is trying to NAT the secondary address, but since no current translation is defined for it the packet has nowhere to go?

Edison Ortiz Fri, 07/27/2007 - 07:32

The problem seems to be at the device that is connected to you.

I just labbed this out and it works as expected.

R4 (<---> ( R5


interface Ethernet1/0

ip address


interface Ethernet0/0

ip address secondary

ip address


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

R5#show arp | i 45.7

Internet 4 aabb.cc00.7b00 ARPA Ethernet1/0

R4#show arp | i 45.7

Internet - aabb.cc00.7b00 ARPA Ethernet0/0

The destination net unreachable indicates there is an ACL somewhere; otherwise you would get a request time-out.

thomasdzubin Fri, 07/27/2007 - 07:35

That's what I thought too... but I'm thinking (see another post in this topic) that since I'm NAT-ing and I don't yet have a translation for that secondary address configured, it sends back the error.

Edison Ortiz Fri, 07/27/2007 - 07:40

The router should respond to the ARP request regardless of the NAT configuration.

If you do 'show arp' on this router, the IP address will be associated to this interface.

The router connected to this E0/0 interface at the remote end should have an entry as well - after a ping.

I wonder if the remote end is using static ARP or some kind of ACL to prevent DoS from you.

thomasdzubin Fri, 07/27/2007 - 08:49

Yes, "my bad"...

I had an ACL for permitting PINGs but I only had it for my primary addr. Once I fixed the ACL, I can now PING my secondary address.
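
The cause found at the end of this thread (an inbound ACL that permits echo only to the primary address) can be checked offline against a saved configuration. The following is an added example, not code from any poster: the addresses are RFC 5737 documentation addresses, and the interface name, ACL number 110 and all function names are assumptions, since the thread does not show the actual ACL.

```python
import ipaddress

# Constructed sample: RFC 5737 documentation addresses, hypothetical ACL number 110.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.0.2.2 255.255.255.248
 ip address 192.0.2.3 255.255.255.248 secondary
 ip access-group 110 in
!
access-list 110 permit icmp any host 192.0.2.2 echo
access-list 110 permit tcp any host 192.0.2.3 eq 443
"""

def take_spec(tok):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # Invert the wildcard into a netmask (assumes a contiguous wildcard).
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def echo_permitted(acl_lines, addr):
    """First-match walk for an echo from any source; source-limited entries are skipped."""
    for action, proto, rest in acl_lines:
        if proto not in ("icmp", "ip"):
            continue
        src, rest = take_spec(rest)
        dst, rest = take_spec(rest)
        if src.prefixlen == 0 and addr in dst and rest[:1] in ([], ["echo"]):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def unreachable_addresses(config):
    """Return {interface: [addresses whose inbound ACL drops ICMP echo]}."""
    acls, addrs, group, iface = {}, {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["interface"]:
            iface = t[1]
        elif t[:2] == ["ip", "address"] and iface and len(t) >= 4:
            addrs.setdefault(iface, []).append(ipaddress.ip_address(t[2]))
        elif t[:2] == ["ip", "access-group"] and iface and t[-1] == "in":
            group[iface] = t[2]
        elif t[:1] == ["access-list"] and len(t) >= 5:
            acls.setdefault(t[1], []).append((t[2], t[3], t[4:]))
    return {i: [str(a) for a in addrs.get(i, []) if not echo_permitted(acls.get(n, []), a)]
            for i, n in group.items()}
```

Calling `unreachable_addresses(SAMPLE_CONFIG)` flags the secondary address only; it handles numbered extended ACL lines in the form shown and ignores named ACLs.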


