Introduction
This document explains the NAT Box to Box High Availability feature overview of ISRG2 Router.
Background of This Feature
The Stateful NAT was available with IOS as a redundancy feature of the router that uses Dynamic NAT.
However, the IOS versions after 15.0M no longer support the Stateful NAT.
In addition, the Stateful NAT feature will reach End-Of-Support on January 31, 2014.
End-of-Sale and End-of-Life Announcement for the Cisco IOS Stateful Failover of Network Address Translation (SNAT)
The above link introduces the Cisco ASA Adaptive Security Appliance high availability as Migration Options of the Stateful NAT.
Later on, the NAT Box-to-Box High-Availability feature has been newly added to IOS 15.3(2)T or later.
You can realize high-availability with NAT on ISR G2 Routers by using this feature as the Stateful NAT did.
I will explain the feature overview, basic configuration/settings, and troubleshooting of NAT Box-to-Box High-Availability in the following sections.
Feature Overview
NAT Box to Box High Availability (NAT BtoB HA, hereinafter) is the feature designed to enhance the fault tolerance of the NAT router links or router itself in case of unexpected problems.
In addition, asymmetric routing with Dynamic NAT is also supported.
The NAT BtoB HA consists of two components: a function called Redundancy Group (RG) to control active-standby state and the Network Address Translation (NAT) function.
Thus, you need to configure the two components (RG and NAT) for NAT BtoB HA.
Due to the restrictions currently applicable, for example, ALG is only supported for the FTP application,
please refer to the following document and verify the behavior thoroughly when you implement this feature.
Restrictions for NAT Box-to-Box High-Availability Support
As of now, NAT BtoB HA supports the following NAT features:
Please note that interface overload options are not supported.
-Simple Static NAT configuration
-Extended Static NAT configuration
-Network Static NAT configuration
-Dynamic NAT and Port Address Translation (PAT) configuration
-NAT inside source, outside source, and inside destination rules
-NAT rules for Virtual Routing and Forwarding (VRF) instances to IP
-NAT rules for VRF-VRF (within same VRF)
Key Configuration Element for NAT BtoB HA
You need to configure the following interfaces with NAT BtoB HA.
Figure. 1 shows the conceptual diagram of the configuration.
-NAT inside/outside interface
-RG control interface (for exchange control information by RG)
-RG data interface (for exchange NAT session data, etc.)
-RG Asymmetric Routing (AR) interface (for forwarding AR packets from Standby to Active; optional)
You can define RG Control/Data/AR interfaces in the same physical interface.
Figure. 1
NAT BtoB HA supports the (LAN-LAN) configuration that makes both the inside and outside NAT redundant as well as the (WAN-LAN) configuration that makes only the inside redundant.
Figure. 2 is the topology of each configuration.
Figure. 2
Basic Configuration
This section introduces an example of basic configuration for LAN-LAN and WAN-LAN configuration respectively.
Example: LAN-LAN Configuration
This is a configuration example based on the topology shown at Figure. 3.
Please note that you do not need to configure the HSRP settings (standby ip command, etc.) unlike the case of Stateful NAT.
Figure. 3
redundancy application redundancy group 1 name RG1 preempt priority 105 control Ethernet0/1 protocol 1 data Ethernet0/1 interface Ethernet0/0 ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly in redundancy rii 100 redundancy group 1 ip 192.168.1.254 exclusive decrement 100 interface Ethernet0/1 ip address 192.168.3.1 255.255.255.0 interface Ethernet1/0 ip address 192.168.2.1 255.255.255.0 ip nat outside ip virtual-reassembly in redundancy rii 101 redundancy group 1 ip 192.168.2.254 exclusive decrement 100 ip nat inside source static 192.168.1.3 192.168.2.3 redundancy 1 mapping-id 120/// Router2 ///
redundancy application redundancy group 1 name RG1 preempt control Ethernet0/1 protocol 1 data Ethernet0/1 interface Ethernet0/0 ip address 192.168.1.2 255.255.255.0 ip nat inside ip virtual-reassembly in redundancy rii 100 redundancy group 1 ip 192.168.1.254 exclusive decrement 100 interface Ethernet0/1 ip address 192.168.3.2 255.255.255.0 interface Ethernet1/0 ip address 192.168.2.2 255.255.255.0 ip nat outside ip virtual-reassembly in redundancy rii 101 redundancy group 1 ip 192.168.2.254 exclusive decrement 100 ip nat inside source static 192.168.1.3 192.168.2.3 redundancy 1 mapping-id 120
Example: WAN-LAN Configuration
This is a configuration example based on the topology shown at Figure. 4.
I have also configured the following features, but they are optional.
- RG Asymmetric-routing (*1)
- OSPF for the WAN side routing protocol (*2)
- Tracking an existence of Virtual IP (VIP) in the routing table and Redistributing a gateway's address to the routing protocol (OSPF) for the WAN network. (*3)
Figure. 4
redundancy application redundancy group 1 name RG1 preempt priority 105 control Ethernet0/1 protocol 1 data Ethernet0/1 asymmetric-routing interface Ethernet0/1 (*1) track 100 ip route 192.168.1.254 255.255.255.255 reachability (*3) interface Ethernet0/0 ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly in redundancy rii 100 redundancy group 1 ip 192.168.1.254 exclusive decrement 100 interface Ethernet0/1 ip address 192.168.3.1 255.255.255.0 interface Ethernet1/0 ip address 10.1.1.1 255.255.255.0 ip nat outside ip virtual-reassembly in redundancy rii 101 redundancy asymmetric-routing enable (*1) router ospf 1 (*2) router-id 10.1.1.1 redistribute static subnets network 10.0.0.0 0.255.255.255 area 0 ip nat inside source static 192.168.1.3 10.10.10.10 redundancy 1 mapping-id 120 ip route 10.10.10.10 255.255.255.255 Ethernet0/0 track 100 (*3)/// Router2 ///
redundancy application redundancy group 1 name RG1 preempt control Ethernet0/1 protocol 1 data Ethernet0/1 asymmetric-routing interface Ethernet0/1 (*1) track 100 ip route 192.168.1.254 255.255.255.255 reachability (*3) interface Ethernet0/0 ip address 192.168.1.2 255.255.255.0 ip nat inside ip virtual-reassembly in redundancy rii 100 redundancy group 1 ip 192.168.1.254 exclusive decrement 100 interface Ethernet0/1 ip address 192.168.3.2 255.255.255.0 interface Ethernet1/0 ip address 10.2.2.2 255.255.255.0 ip nat outside ip virtual-reassembly in redundancy rii 101 redundancy asymmetric-routing enable (*1) router ospf 1 (*2) router-id 10.2.2.1 redistribute static subnets network 10.0.0.0 0.255.255.255 area 0 ip nat inside source static 192.168.1.3 10.10.10.10 redundancy 1 mapping-id 120 ip route 10.10.10.10 255.255.255.255 Ethernet0/0 track 100 (*3)
Logs for TAC Analysis
Please get the following logs before opening a TAC service request if possible.
show ip nat redundancy <RG-id>
show ip nat translations redundancy <RG-id> [verbose]
show redundancy application group <RG-id>
show redundancy application protocol group <RG-id>
show ip route
show ip alias
show ip cef
show tech-support
Please consider its impact when you get debug logs in production networks.
debug ip nat [detailed]
debug ip nat redundancy errors
debug ip nat redundancy messages [[detailed] [errors ]]
debug ip nat redundancy packets
debug ip nat redundancy db [errors]
debug ip nat redundancy cf
debug ip nat redundancy rf [errors]
If you want to clear the specific RG group session, issue the following commands:
clear ip nat translation redundancy <RG-id> *
clear ip nat translation redundancy <RG-id> forced
For further detail, please refer to the following document in Cisco.com.
IP Addressing: NAT Configuration Guide, Cisco IOS Release 15M&T
NAT Box-to-Box High-Availability Support
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/iadnat-b2b-ha.htm
Related Information
Original Document:https://supportforums.cisco.com/ja/document/12049976
Author: Toshiaki Kasakake
Posted on January 8, 2014
