06-09-2004 05:43 AM - edited 03-02-2019 04:16 PM
Hi all,
Stateful NAT failover is described here:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801fce09.html
If you have a setup like the one shown in Figure 1, things will fall down if the routers in question are running the IOS firewall feature set. The dynamic ACL entries added by CBAC on the "Primary NAT" router will not have been replicated to the "Backup NAT" router, and the return traffic will be dropped (even though a NAT translation exists for it).
Is there anything like stateful CBAC failover, in a similar vein to the above? Or some other way to synchronize dynamic ACL entries between two IOS Firewall routers?
thanks a lot,
alec
06-14-2004 02:08 AM
Hello alec,
Unfortunately, I think there isn't any kind of NAT stateful failover using a router!! Also using IOS FW. This is because the routers don't know the sessions between each other. (i.e. PIX has the stateful cable. If you disconnect the cable, the devices work as stateless...)
But does anyone have more experience with this??
thanks
Bytz! alex
06-14-2004 02:12 AM
Hi Alex,
> I think there isn't any kind of NAT stateful failover using a router
Yes there is! It's described here:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801fce09.html
Stateful CBAC failover is lacking at the moment. I've logged an enhancement request, and wait with bated breath!
thanks for your reply,
alec