EEM script for NAT change during WAN failover

ReUse888
Level 1

Hi there, I have been running an EEM script in IOS-XE (1100 series ISR) to change a bunch of NAT entries when my primary WAN fails over to my secondary, e.g.:

event manager applet PRI_Down
 description If Dialer is down then clear NAT and RandR NAT entries
 event track 1 state down
 action 1.1 cli command "enable"
 action 1.2 cli command "configure terminal"
 action 1.3 cli command "do clear ip nat translation forced"
 action 1.4 cli command "no ip nat inside source static tcp 192.168.1.2 443 interface Dialer0 443"
 action 1.5 cli command "ip nat inside source static tcp 192.168.1.2 443 interface Cellular0/2/0 443"

… This is just one of many NATs that get swapped out. Most of these correctly 'swap out'; however, some get 'stuck' and don't get replaced.

I know that if I manually remove and re-add these NATs I sometimes get a "Port #### in use by…" system error, which I think is due to the external IP I am using for my static NAT also being used for the PAT pool, so the port is already allocated. If I shut the WAN interface down and re-add the NAT lines they are accepted without issue… So my question…

Please help me with a better EEM script!

Note - You may laugh, but I added a line to shut the interface down and then re-add the NAT entries, but of course that sent the primary and secondary links into a never-ending loop of detection, switchover, shutdown.

3 Replies

No need for EEM; you can use conditional static NAT:

https://www.ciscozine.com/using-route-maps-for-conditional-nat/

MHM

Thank you so much for the reply, I appreciate any help I can get with this... I THINK this is actually how I have it set up right now for my internal LAN to switch over to WAN2 and NAT or 'overload' that interface.

HOWEVER! The next step is where I need help (maybe I should be describing this as PAT translation?)

I need some internal servers to be accessible via the 'WAN2' link should it become active. I.e. the server is at 192.168.1.200, and when the router receives a connection on port 443 it should PAT it to that server. It seems an EEM is the only way to remove the PAT for WAN1 (action 1.1) and replace it with WAN2 (action 1.2). Like this:

action 1.1 cli command "no ip nat inside source static tcp 192.168.1.200 443 interface Dialer0 443"
action 1.2 cli command "ip nat inside source static tcp 192.168.1.200 443 interface Cellular0/2/0 443"

This usually works, but sometimes the system? says it has those ports in use and will not run the action. I think this is maybe due to the NAT overload conflicting, but in any case I think I need a smarter way to change these PATs over. Thanks.
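Added example (not the original poster's script and not from the linked article): one way to make the swap in the two posts above less likely to get "stuck" is to remove the old static entry first, clear the translation table afterwards (so dynamic PAT sessions cannot re-grab the port between the clear and the re-add), and then re-add the new entry in a short retry loop that inspects the CLI output. It assumes the same track object and interface names as the post (track 1, Dialer0, Cellular0/2/0, server 192.168.1.200), that the router's EEM supports applet variables, while/if and the regexp action (EEM 3.x or later on IOS-XE), and that the failure text contains the words "in use" as quoted in the post; adjust the pattern to whatever the router actually prints.

```cisco
event manager applet PRI_Down
 description Re-home static PAT 443 from Dialer0 to Cellular0/2/0 when track 1 goes down
 event track 1 state down
 action 010 cli command "enable"
 action 020 cli command "configure terminal"
 ! Remove the WAN1 mapping BEFORE clearing, so nothing re-creates translations that pin port 443
 action 030 cli command "no ip nat inside source static tcp 192.168.1.200 443 interface Dialer0 443"
 action 040 cli command "do clear ip nat translation forced"
 ! Try to add the WAN2 mapping; if the port is still held by the overload pool, clear again and retry
 action 050 set retries "0"
 action 060 while $retries lt 3
 action 070 cli command "ip nat inside source static tcp 192.168.1.200 443 interface Cellular0/2/0 443"
 action 080 regexp "in use" "$_cli_result"
 action 090 if $_regexp_result eq "1"
 action 100 syslog priority warnings msg "PRI_Down: port 443 still in use on Cellular0/2/0, retry $retries"
 action 110 cli command "do clear ip nat translation forced"
 action 120 wait 5
 action 130 increment retries 1
 action 140 else
 action 150 syslog priority notifications msg "PRI_Down: static PAT 443 moved to Cellular0/2/0"
 action 160 set retries "3"
 action 170 end
 action 180 end
 action 190 cli command "end"
```

Repeat the `no ...` / re-add pair (actions 030 and 070) for each additional server port, and build the mirror-image applet for `event track 1 state up` that moves the entries back to Dialer0. The syslog lines are there so a stuck swap shows up in your logging server instead of being noticed only when a service is unreachable; the loop also never touches interface state, so it cannot trigger the switchover loop described in the first post.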

The link I shared for conditional NAT works for all types of NAT.

No need EEM.

And when the WAN changes you need some dynamic DNS to inform users of the new public IP.

MHM
