08-13-2024 03:41 PM
Hi there, I have been running an EEM script in IOS-XE (1100 series ISR) to change a bunch of NAT entries when my primary WAN fails over to my secondary eg…
event manager applet PRI_Down
 description If Dialer is down then clear NAT and RandR NAT entries
 ! fire when the tracked object for the primary WAN goes down
 event track 1 state down
 action 1.1 cli command "enable"
 action 1.2 cli command "configure terminal"
 ! flush existing translations, then move the static entry from Dialer0 to Cellular0/2/0
 action 1.3 cli command "do clear ip nat translation forced"
 action 1.4 cli command "no ip nat inside source static tcp 192.168.1.2 443 interface Dialer0 443"
 action 1.5 cli command "ip nat inside source static tcp 192.168.1.2 443 interface Cellular0/2/0 443"
... This is just one of many NATs that get swapped out. Most of these correctly "swap out"; however, some get "stuck" and don't get replaced.
I know if I manually remove and re-add these NATs I sometimes get a "Port #### in use by..." system error, which I think is due to the external IP I am using for my static NAT also being used for the PAT pool, so the port is already allocated. If I shut the WAN interface down and re-add the NAT lines they are accepted without issue... So my question:
Please help me with a better EEM script!
Note - You may laugh, but I added a line to shut the interface down and then re-add the NAT entries, but of course that sent the primary and secondary links into a never-ending loop of detection, switchover, shutdown.
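One way to make the swap tolerate the "in use" error without touching the interface, as an added example that is not part of the original post: the applet removes the Dialer0 entry once, then loops a bounded number of times, clearing translations and re-adding the Cellular0/2/0 entry until the CLI stops reporting the port as in use. It assumes the error text returned in $_cli_result contains the words "in use" (as the poster quoted it), that five attempts with a 3-second wait are enough for the PAT allocation to drain, and that the server address 192.168.1.200 and port 443 from the thread are the entry being moved; all three are assumptions to adjust locally. EEM applet while/if/regexp/increment actions require EEM 3.0 or later, which IOS-XE on the ISR 1100 has.

```ios
event manager applet PRI_Down
 description Dialer0 down: move 192.168.1.200:443 static PAT to Cellular0/2/0, retrying while the port is held
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 ! remove the primary-WAN entry first so only the re-add can collide with a PAT allocation
 action 1.2 cli command "no ip nat inside source static tcp 192.168.1.200 443 interface Dialer0 443"
 ! bounded retry loop: attempt counter and a done flag (EEM applets have no break)
 action 2.0 set attempt "0"
 action 2.1 set done "0"
 action 2.2 while $attempt lt "5"
 action 2.3  if $done eq "0"
 ! flush translations so a stale PAT entry on port 443 is released before the re-add
 action 2.4   cli command "do clear ip nat translation forced"
 action 2.5   cli command "ip nat inside source static tcp 192.168.1.200 443 interface Cellular0/2/0 443"
 ! $_cli_result holds the output of the last cli command; match the assumed "in use" text
 action 2.6   regexp "in use" "$_cli_result"
 action 2.7   if $_regexp_result eq "1"
 action 2.8    syslog msg "PRI_Down: port 443 still in use, attempt $attempt: $_cli_result"
 action 2.9    wait 3
 action 3.0   else
 action 3.1    set done "1"
 action 3.2   end
 action 3.3  end
 action 3.4  increment attempt
 action 3.5 end
 action 3.6 if $done eq "0"
 action 3.7  syslog msg "PRI_Down: giving up, 192.168.1.200:443 not moved to Cellular0/2/0"
 action 3.8 end
 action 3.9 cli command "end"
```

Keep action labels to one digit on each side of the dot, as above: EEM orders actions by label, and a label such as 2.10 sorts before 2.2. The same loop body can be repeated, or the applet cloned per entry, for the other static NATs that are swapped; the syslog lines give a record of which entries failed to move so they can be fixed by hand instead of silently staying "stuck".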
08-19-2024 01:45 PM
No need for EEM; you can use
conditional static NAT:
https://www.ciscozine.com/using-route-maps-for-conditional-nat/
MHM
08-21-2024 06:57 PM
Thank you so much for the reply, I appreciate any help I can get with this... I THINK this is actually how I have it set up right now for my internal LAN to switch over to WAN2 and NAT or "overload" that interface.
HOWEVER! The next step is where I need help (maybe I should be describing this as PAT translation?).
I need some internal servers to be accessible via the "WAN2" link should it become active, i.e. the server is at 192.168.1.200 and when the router receives a connection on port 443 it should PAT it to that server. An EEM seems to be the only way to remove the PAT for WAN1 (action 1.1) and replace it with WAN2 (action 1.2), like this:
action 1.1 cli command "no ip nat inside source static tcp 192.168.1.200 443 interface Dialer0 443"
action 1.2 cli command "ip nat inside source static tcp 192.168.1.200 443 interface Cellular0/2/0 443"
This usually works, but sometimes the system says it has those ports in use and will not run the action. I think this is maybe due to the NAT overload conflicting, but in any case I think I need a smarter way to change these PATs over. Thanks.
08-22-2024 12:36 PM
The link I shared for conditional NAT works for all types of NAT.
No need for EEM.
And when the WAN changes you need some dynamic DNS to inform users of the new public IP.
MHM
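As an added illustration of the route-map approach recommended above (not configuration from the thread or from the linked article), the fragment below keeps the static PAT entry for 192.168.1.200:443 configured on both WANs at the same time, so nothing has to be removed or re-added at failover. The route-maps match the exit interface; "extendable" permits the same inside address:port to appear in two static entries. Names NAT-WAN1/NAT-WAN2 and the LAN interface Vlan1 are assumed; it also assumes, as the poster's setup already does, that the default route follows track 1 so that replies from the server leave by the active WAN. Whether a given IOS-XE release accepts "route-map" on the "interface" form of a static tcp entry should be checked with "?" on the router; if it is rejected, the same statements work with a fixed global address in place of the interface keyword.

```ios
! Choose the translation by exit interface
route-map NAT-WAN1 permit 10
 match interface Dialer0
route-map NAT-WAN2 permit 10
 match interface Cellular0/2/0
!
! LAN overload (PAT) for each WAN; only the one matching the current exit interface is used
ip nat inside source route-map NAT-WAN1 interface Dialer0 overload
ip nat inside source route-map NAT-WAN2 interface Cellular0/2/0 overload
!
! Inbound static PAT for the server on both WANs at once.
! "extendable" is what allows 192.168.1.200:443 to appear in more than one static entry.
ip nat inside source static tcp 192.168.1.200 443 interface Dialer0 443 route-map NAT-WAN1 extendable
ip nat inside source static tcp 192.168.1.200 443 interface Cellular0/2/0 443 route-map NAT-WAN2 extendable
!
interface Dialer0
 ip nat outside
interface Cellular0/2/0
 ip nat outside
interface Vlan1
 ip nat inside
```

With both entries always present there is no moment at which the port is free for the overload pool to claim and then refused to the static entry, which is the "in use" race the EEM swap runs into. As noted in the reply, clients still need to learn the secondary public address, so a dynamic DNS update on failover is the remaining piece.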