PINGing an interface's secondary address gives error

thomasdzubin
Level 1

I just want to assign my router all six IPs that my ISP has assigned to me so I can set up various static NAT forwardings based on the destination address (yes, I know I can do forwarding by port, but I've got two HTTPS (port 443) servers that I want to set up).

...but when I try this:

int E0
 ip address 123.45.1.2 255.255.255.248
 ip address 123.45.1.3 255.255.255.248 secondary

(ip route 0.0.0.0 0.0.0.0 123.45.1.1 = the ISP gateway)

From out on the Internet, I can PING the ..1.2 address just fine, but when I try to PING the ..1.3 address, I get "Reply from 123.45.1.2: Destination net unreachable"

Is it telling me that I can't put two addresses that are in the same subnet on the same interface? I'm sure I've done this in the past. Obviously the packet is getting through to my router's interface since the primary address is the one who is answering back with the ICMP reply, but I can't figure it out.

Jon Marshall
Hall of Fame

Hi Thomas

You do not need to use secondary addressing for what you are trying to do. You just need NAT statements for the servers you are giving access to. So leave the primary address on the e0 interface and then just add static translations to your config, e.g.

ip nat inside source static "private ip of server" 123.45.1.3

and repeat for other servers.

You then need under e0:

interface e0
 ip nat outside

and an "ip nat inside" on the interface to which your servers are connected.

HTH

Jon

Great! Thanks...that will solve my problem.

(I've already got the "ip nat outside" and "ip nat inside" statements in there since my current setup is working fine.)

But, just curious, do you know why I couldn't PING my secondary addresses? Is the "Destination net unreachable" message telling me that it is trying to NAT the secondary address, but since no current translation is defined for it the packet has nowhere to go?

Edison Ortiz
Hall of Fame

The problem seems to be at the device that is connected to you.

I just labbed this out and it works as expected.

R4 (183.1.45.4)<---> (183.1.45.5) R5

R5:

interface Ethernet1/0
 ip address 183.1.45.5 255.255.255.0

R4:

interface Ethernet0/0
 ip address 183.1.45.7 255.255.255.0 secondary
 ip address 183.1.45.4 255.255.255.0

R5#ping 183.1.45.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.1.45.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

R5#show arp | i 45.7
Internet 183.1.45.7 4 aabb.cc00.7b00 ARPA Ethernet1/0

R4#show arp | i 45.7
Internet 183.1.45.7 - aabb.cc00.7b00 ARPA Ethernet0/0

The destination net unreachable indicates there is an ACL somewhere; otherwise you would get a request time-out.

That's what I thought too... but I'm thinking (see another post in this topic) that since I'm NAT-ing and I don't yet have a translation for that secondary address configured, it sends back the error.

The router should respond to the ARP request regardless of the NAT configuration.

If you do 'show arp' on this router, the IP address will be associated to this interface.

The router connected to this E0/0 interface at the remote end should have an entry as well - after a ping.

I wonder if the remote end is using static ARP or some kind of ACL to prevent DoS from you.

Yes, "my bad"...

I had an ACL for permitting PINGs but I only had it for my primary addr. Once I fixed the ACL, I can now PING my secondary address.

Thanks
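
Added example, not part of the thread: the cause reported in the last post (an inbound ACL that permitted pings only to the primary address) can be checked for mechanically. The Python below lists the interface addresses that no `permit icmp ... echo` or `permit ip` entry of the inbound ACL covers. The ACL number 101, its entries and the function names are assumptions, since the thread never shows the actual ACL; the check handles one interface and ignores deny entries.

```python
import ipaddress

# Constructed sample config (not from the thread): ACL 101 and its entries
# are assumptions; the interface addresses are the ones the poster gave.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 123.45.1.2 255.255.255.248
 ip address 123.45.1.3 255.255.255.248 secondary
 ip access-group 101 in
 ip nat outside
!
access-list 101 permit icmp any host 123.45.1.2 echo
access-list 101 permit tcp any any eq 443
"""

def _take_addr(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks, so flip the bits first.
    inverted = int(ipaddress.ip_address(tokens[1])) ^ 0xFFFFFFFF
    mask = ipaddress.ip_address(inverted)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def unpingable_addresses(config):
    """Interface addresses not covered by an echo permit in the inbound ACL."""
    addrs, acl_id, permits = [], None, []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) >= 4:
            addrs.append(ipaddress.ip_address(t[2]))  # primary and secondary
        elif t[:2] == ["ip", "access-group"] and t[-1] == "in":
            acl_id = t[2]
        elif t[:1] == ["access-list"] and t[2:3] == ["permit"] \
                and t[3:4] in (["icmp"], ["ip"]):
            _, rest = _take_addr(t[4:])        # skip the source spec
            dest, rest = _take_addr(rest)      # destination the entry allows
            if rest in ([], ["echo"]):         # all ICMP/IP, or echo only
                permits.append((t[1], dest))
    if acl_id is None:                         # no inbound ACL, nothing filtered
        return []
    return [str(a) for a in addrs
            if not any(n == acl_id and a in net for n, net in permits)]

if __name__ == "__main__":
    print(unpingable_addresses(SAMPLE_CONFIG))
```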
