
Advice needed on NAT and HSRP

lyesinn.ang
Level 1

Hi,

I have 2 routers, Router A and Router B, running HSRP on FE0/0 (e.g. 50.50.50.x/24; serial: 172.10.20.x/30), with Router A being the active. I also have a segment, 10.10.10.x/24, connected to FE0/1 on both routers.

Due to some constraint, I would need to do NAT for any traffic that is intended for 10.10.10.x. Can I configure Router B as the active HSRP router for the 10.10.10.x segment? Any advice on that? Which will be the best option for the router to do NAT?

One more thing: if there is a failover on the HSRP, will all the NAT addresses be affected and will all the connections be dropped, or will it be transparent? Thanks!!

Any help would be appreciated.

Regards

Ang

4 Replies

thisisshanky
Level 11

Using HSRP and NAT together would lead to all connections getting dropped when failover occurs.

If you still need the HSRP configs .....

You could create 2 HSRP groups. 1 and 2.

group 1 would serve 50.50.50.x with Router A as active and B as standby.

group 2 would serve 10.10.10.x with router A as standby and B as active.

Under fa0/0 of Router A:

    standby 1 ip <>
    standby 1 preempt
    standby 1 priority 120
    standby 2 ip <>
    standby 2 preempt
    standby 2 priority 90
    ! additionally, to track serial interface failures
    standby 1 track serial0 40
    standby 2 track serial0 40

Under fa0/0 of Router B:

    standby 1 ip <>
    standby 1 preempt
    standby 1 priority 90
    standby 2 ip <>
    standby 2 preempt
    standby 2 priority 120
    standby 1 track serial0 40
    standby 2 track serial0 40

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Thanks a lot ....

Also note that the most common failure on a WAN router such as the ones you are configuring will be a loss of the WAN circuit. When one of the circuits goes down, you can still maintain the NAT state by ensuring that the returning traffic through the secondary circuit and router gets passed through to the primary router. You do this by cross-connecting the two routers via a back-to-back serial cable or ethernet cable and configuring a static route to the NAT source address through the cross-connect interface. So, when reply traffic comes back over the secondary WAN circuit, it gets forwarded to the primary router first, where the NAT state is maintained, and then is forwarded onto the ethernet segment it is bound for.

The HSRP configs previously provided are still fine. The ethernet HSRP can still track the serial interfaces so that new outbound traffic uses the secondary router.

-Tim
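
An added example, not part of the thread, modelling the point above in Python: NAT state exists only on the router that created it, so a reply arriving at the other router is delivered only if a static route sends it across the cross-connect. Router names, addresses and function names are assumptions made for the illustration.

```python
# Toy model (constructed): NAT state exists only on the router that built it.
from dataclasses import dataclass, field

POOL_IP = "203.0.113.10"  # constructed stand-in for the thread's 200.x.x.x address

@dataclass
class Router:
    name: str
    up: bool = True
    pool_next_hop: "Router | None" = None  # static route for POOL_IP via cross-connect
    nat: dict = field(default_factory=dict)  # (pool ip, port) -> (inside ip, port)
    next_port: int = 1024

    def outbound(self, inside_ip, inside_port):
        """Translate a new inside flow; the entry is stored on this router only."""
        public = (POOL_IP, self.next_port)
        self.next_port += 1
        self.nat[public] = (inside_ip, inside_port)
        return public

    def inbound(self, public, path=()):
        """Handle a reply addressed to the pool; return (verdict, routers traversed)."""
        path = path + (self.name,)
        if not self.up:
            return "dropped: router down", path
        if public in self.nat:  # this router owns the translation
            return f"delivered to {self.nat[public][0]}", path
        peer = self.pool_next_hop
        if peer is not None and peer.name not in path:  # avoid forwarding loops
            return peer.inbound(public, path)
        return "dropped: no NAT entry", path

def wan_failure(cross_connect):
    """A translates the flow, A's WAN circuit fails, the reply arrives via B."""
    a, b = Router("A"), Router("B")
    if cross_connect:
        b.pool_next_hop = a  # B routes the NAT address to A over the cross-connect
    public = a.outbound("10.0.0.5", 40000)  # constructed inside host and port
    return b.inbound(public)

def router_failure():
    """Router A itself fails: its table is unreachable, so the route cannot help."""
    a, b = Router("A"), Router("B")
    b.pool_next_hop = a
    public = a.outbound("10.0.0.5", 40000)
    a.up = False
    return b.inbound(public)

if __name__ == "__main__":
    print(wan_failure(False), wan_failure(True), router_failure(), sep="\n")
```

The third case shows the limit of the approach: the cross-connect keeps sessions alive through a WAN circuit loss, not through the loss of the router holding the translations.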

Hello Tim,

Suppose the internal LAN is 10.x.x.x and router 1 and router 2 are the gateways with leased lines to the Internet. 10.x.x.x is NATed to 200.x.x.x. Router 1 and 2 have HSRP configured via Ethernet.

As per your previous note, router 1 and 2 are also connected back to back with a serial cable, with a network 172.x.x.x configured on them. (.1 and .2)

Now, router 1 and 2 are tracking their serial interfaces.

A packet goes from inside to outside. 10.x.x.x is translated to 200.x.x.x. A NAT table entry is made. Now the primary leased line fails. R2 becomes active. Now the return packet comes through the secondary leased line. Should the static route be as follows?

ip route 200.x.x.x 172.x.x.1

where 172.x.x.1 is the router 1 back-to-back serial interface IP address?

This seems like a good idea!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus