07-27-2007 07:14 AM - edited 03-05-2019 05:32 PM
I just want to assign my router all six IPs that my ISP has assigned to me so I can set up various static NAT forwardings based on the destination address (yes, I know I can do forwarding by port, but I've got two HTTPS (port 443) servers that I want to set up).
...but when I try this:
int E0
ip address 123.45.1.2 255.255.255.248
ip address 123.45.1.3 255.255.255.248 secondary
(ip route 0.0.0.0 0.0.0.0 123.45.1.1 = the ISP gateway)
From out on the Internet, I can PING the ..1.2 address just fine, but when I try to PING the ..1.3 address, I get "Reply from 123.45.1.2: Destination net unreachable"
Is it telling me that I can't put two addresses that are in the same subnet on the same interface? I'm sure I've done this in the past. Obviously the packet is getting through to my router's interface since the primary address is the one who is answering back with the ICMP reply, but I can't figure it out.
07-27-2007 07:22 AM
Hi Thomas
You do not need to use secondary addressing for what you are trying to do. You just need NAT statements for the servers you are giving access to. So leave the primary address on the e0 interface and then just add static translations to your config, e.g.
ip nat inside source static "private ip of server" 123.45.1.3
and repeat for other servers.
You then need under e0
interface e0
ip nat outside
and an "ip nat inside" on the interface to which your servers are connected.
HTH
Jon
07-27-2007 07:31 AM
Great! Thanks...that will solve my problem.
(I've already got the "ip nat outside" and "ip nat inside" statements in there since my current setup is working fine.)
But, just curious, do you know why I couldn't PING my secondary addresses? Is the "Destination net unreachable" message telling me that it is trying to NAT the secondary address, but since no current translation is defined for it the packet has nowhere to go?
07-27-2007 07:32 AM
The problem seems to be at the device that is connected to you.
I just labbed this out and it works as expected.
R4 (183.1.45.4)<---> (183.1.45.5) R5
R5:
interface Ethernet1/0
ip address 183.1.45.5 255.255.255.0
R4:
interface Ethernet0/0
ip address 183.1.45.7 255.255.255.0 secondary
ip address 183.1.45.4 255.255.255.0
R5#ping 183.1.45.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.1.45.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
R5#show arp | i 45.7
Internet 183.1.45.7 4 aabb.cc00.7b00 ARPA Ethernet1/0
R4#show arp | i 45.7
Internet 183.1.45.7 - aabb.cc00.7b00 ARPA Ethernet0/0
The destination net unreachable indicates there is an ACL somewhere, else you would get a request time-out.
07-27-2007 07:35 AM
That's what I thought too... but I'm thinking (see another post in this topic) that since I'm NAT-ing and I don't yet have a translation for that secondary address configured, it sends back the error.
07-27-2007 07:40 AM
The router should respond to the ARP request regardless of the NAT configuration.
If you do 'show arp' on this router, the IP address will be associated to this interface.
The router connected to this E0/0 interface at the remote end should have an entry as well - after a ping.
I wonder if the remote end is using static ARP or some kind of ACL to prevent DoS from you.
07-27-2007 08:49 AM
Yes, "my bad"...
I had an ACL for permitting PINGs but I only had it for my primary addr. Once I fixed the ACL, I can now PING my secondary address.
Thanks
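The cause found in the last post, an ACL that permitted pings only to the primary address, can be checked for offline before a change goes live. The following is an added example, not part of the thread and not Cisco tooling: it reads a constructed sample config and lists the addresses the router owns to which a numbered ACL denies ICMP echo. The function names, ACL number 101 and inside address 192.168.1.10 are assumptions.

```python
import ipaddress
import re

# Constructed sample (not the poster's real config): the ACL permits echo
# to the primary address only, the mistake found at the end of the thread.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 123.45.1.2 255.255.255.248
 ip address 123.45.1.3 255.255.255.248 secondary
 ip access-group 101 in
!
ip nat inside source static 192.168.1.10 123.45.1.4
access-list 101 permit icmp any host 123.45.1.2 echo
access-list 101 permit tcp any any eq 443
"""

ENTRY = re.compile(r"^access-list (\d+) (permit|deny) (?:icmp|ip) "
                   r"(?:any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)(?: (\S+))?", re.M)

def local_addresses(config):
    """Interface addresses (primary and secondary) plus static NAT globals."""
    found = re.findall(r"^\s*ip address (\S+) \S+(?: secondary)?\s*$", config, re.M)
    found += re.findall(r"^ip nat inside source static \S+ (\S+)\s*$", config, re.M)
    return [ipaddress.ip_address(a) for a in found]

def dest_matches(spec, addr):
    """Match an ACL destination: 'any', 'host A' or 'A wildcard-mask'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == ipaddress.ip_address(spec[5:])
    base, wildcard = (int(ipaddress.ip_address(p)) for p in spec.split())
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return int(addr) & care == base & care

def echo_blocked_addresses(config, acl):
    """Router-owned addresses to which the numbered ACL denies ICMP echo."""
    entries = [m.groups()[1:] for m in ENTRY.finditer(config) if m.group(1) == str(acl)]
    blocked = []
    for addr in local_addresses(config):
        verdict = "deny"  # implicit deny ends every ACL
        for action, dest, icmp_type in entries:  # first match wins
            if icmp_type in (None, "echo", "log") and dest_matches(dest, addr):
                verdict = action
                break
        if verdict == "deny":
            blocked.append(str(addr))
    return blocked

if __name__ == "__main__":
    print(echo_blocked_addresses(SAMPLE_CONFIG, 101))
```

Only numbered extended ACL entries for `icmp` or `ip` are evaluated; named ACLs and port-based static NAT lines are outside what this example parses.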