05-02-2023 01:02 AM
Hi All
(Reposting this as I would like to try and achieve an example, using my configuration below, of how I can achieve NAT failover for my Cisco ISR 4431, now that I am introducing a new unit for failover.)
I have a Cisco ISR in live production, and we have just purchased an additional one to run HA for redundancy. I have configured HSRP successfully on the two ISR routers. I have a few SNAT configurations, which I need to ensure work successfully in the event of a failover. I have read the following link (https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-b2b-ha.html.xml), which seems to be what I need; however, I would like some additional advice on what my exact configuration will need to look like. I have pasted the configuration of my primary ISR below (I have amended the public IP, FYI, before anyone mentions it). We want them to run active/passive (no asymmetric routing or LB).
!
interface GigabitEthernet0/0/1
 description Inside_WVT-RA-VPN
 ip vrf forwarding S2S_VPN
 ip address 10.14.64.253 255.255.255.0
 ip nat outside
 standby 1 ip 10.14.64.1
 standby 1 preempt
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
interface GigabitEthernet0/0/2
 description ***Internet_Out_cpe-hfc-hch-a***
 ip vrf forwarding S2S_VPN
 ip address 25.255.48.235 255.255.255.240
 ip nat inside
 ip access-group BLOCK_UDP_EXTERNAL in
 standby 2 ip 25.255.48.237
 standby 2 preempt
 standby 2 name HSRP2
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
interface GigabitEthernet0/0/3
 description Inside_WVT-S2S-VPN
 ip vrf forwarding S2S_VPN
 ip address 10.14.65.253 255.255.255.0
 ip nat outside
 standby 3 ip 10.14.65.1
 standby 3 preempt
 standby 3 name HSRP3
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
ip nat pool Inside_WVT_S2S_VIP 10.14.65.1 10.14.65.1 netmask 255.255.255.0
ip nat pool Inside_WVT_RA_VIP 10.14.64.1 10.14.64.1 netmask 255.255.255.0
ip nat inside source list 155 pool Inside_WVT_RA_VIP vrf S2S_VPN overload
ip nat inside source list 160 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 170 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 180 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 190 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 195 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat outside source static 10.14.64.2 25.255.48.229 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.2 25.255.48.238 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.4 25.255.48.233 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.5 25.255.48.234 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.6 25.255.48.232 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.7 25.255.48.230 vrf S2S_VPN add-route
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.99.1
ip route vrf S2S_VPN 0.0.0.0 0.0.0.0 25.255.48.225
!
!
ip access-list extended 155
 permit ip any host 25.255.48.229
ip access-list extended 160
 permit ip any host 25.255.48.238
ip access-list extended 170
 permit ip any host 25.255.48.233
ip access-list extended 180
 permit ip any host 25.255.48.234
ip access-list extended 190
 permit ip any host 25.255.48.232
ip access-list extended 195
 permit ip any host 25.255.48.230
05-05-2023 05:52 AM
Look at this guide: IP Addressing: NAT Configuration Guide, Cisco IOS XE Release 3S - Configuring Stateful Interchassis Redundancy [Support] - Cisco
By default, Network Address Translation (NAT) high availability (inter and intrabox) does not replicate HTTP sessions to the standby device. To replicate HTTP sessions on the standby device during a switchover, you must configure the ip nat switchover replication http command.
05-05-2023 09:42 AM
05-07-2023 11:50 PM - edited 05-07-2023 11:50 PM
The whole document is about hardware redundancy.
05-12-2023 08:31 AM
Thanks. I have followed that guide and drafted my configuration; however, the only bit it doesn't let me apply is the redundancy configuration specifically on the interface itself, e.g. below:
redundancy rii 100
redundancy group 1 ip 10.14.64.1 exclusive decrement 100
Perhaps a version issue? Or that command isn't available on 4431 ISR?