Box-to-Box NAT/HSRP configuration Cisco ISR 4431 version 16.09.05

jamesupcott1
Level 1

Hi All

I have a Cisco ISR in live production, and we have just purchased an additional one to run HA for redundancy. I have configured HSRP successfully on the two ISR routers. I have a few SNAT configurations, which I need to ensure work successfully in the event of a failover. I have read the following link (https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-b2b-ha.html.xml), which seems to be what I need; however, I would like some additional advice on what my exact configuration will need to look like. I have pasted the configuration of my primary ISR below (I have amended the public IP, FYI, before anyone mentions it). We want them to run active/passive (no asymmetric routing or LB).

!
interface GigabitEthernet0/0/1
 description Inside_WVT-RA-VPN
 ip vrf forwarding S2S_VPN
 ip address 10.14.64.253 255.255.255.0
 ip nat outside
 standby 1 ip 10.14.64.1
 standby 1 preempt
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
interface GigabitEthernet0/0/2
 description ***Internet_Out_cpe-hfc-hch-a***
 ip vrf forwarding S2S_VPN
 ip address 25.255.48.235 255.255.255.240
 ip nat inside
 ip access-group BLOCK_UDP_EXTERNAL in
 standby 2 ip 25.255.48.237
 standby 2 preempt
 standby 2 name HSRP2
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
interface GigabitEthernet0/0/3
 description Inside_WVT-S2S-VPN
 ip vrf forwarding S2S_VPN
 ip address 10.14.65.253 255.255.255.0
 ip nat outside
 standby 3 ip 10.14.65.1
 standby 3 preempt
 standby 3 name HSRP3
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
ip nat pool Inside_WVT_S2S_VIP 10.14.65.1 10.14.65.1 netmask 255.255.255.0
ip nat pool Inside_WVT_RA_VIP 10.14.64.1 10.14.64.1 netmask 255.255.255.0
ip nat inside source list 155 pool Inside_WVT_RA_VIP vrf S2S_VPN overload
ip nat inside source list 160 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 170 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 180 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 190 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 195 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat outside source static 10.14.64.2 25.255.48.229 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.2 25.255.48.238 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.4 25.255.48.233 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.5 25.255.48.234 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.6 25.255.48.232 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.7 25.255.48.230 vrf S2S_VPN add-route
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.99.1
ip route vrf S2S_VPN 0.0.0.0 0.0.0.0 25.255.48.225
!
!
ip access-list extended 155
 permit ip any host 25.255.48.229
ip access-list extended 160
 permit ip any host 25.255.48.238
ip access-list extended 170
 permit ip any host 25.255.48.233
ip access-list extended 180
 permit ip any host 25.255.48.234
ip access-list extended 190
 permit ip any host 25.255.48.232
ip access-list extended 195
 permit ip any host 25.255.48.230

 

Any help would be really appreciated.


check my below comment 

Thanks. I am looking, though, for how the configuration I posted before would look if it were to be adapted.

check below comment 

No, my ISR doesn’t accept that configuration.

It looks to accept the syntax I mention in my original post, I’m just unsure of how that will exactly look on my existing configuration, as the NAT config is very much standalone currently.

Friend, there is a difference between IOS-XE HA and HSRP; your config is pure HSRP. I will run a lab for IOS-XE and see how we can make NAT aware of HSRP.

Can you provide an example, using my configuration below, on how the configuration should look?

interface GigabitEthernet0/0/1
 description Inside_WVT-RA-VPN
 ip vrf forwarding S2S_VPN
 ip address 10.14.64.253 255.255.255.0
 ip nat outside
 standby 1 ip 10.14.64.1
 standby 1 preempt
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
interface GigabitEthernet0/0/2
 description ***Internet_Out_cpe-hfc-hch-a***
 ip vrf forwarding S2S_VPN
 ip address 25.255.48.235 255.255.255.240
 ip nat inside
 ip access-group BLOCK_UDP_EXTERNAL in
 standby 2 ip 25.255.48.237
 standby 2 preempt
 standby 2 name HSRP2
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
interface GigabitEthernet0/0/3
 description Inside_WVT-S2S-VPN
 ip vrf forwarding S2S_VPN
 ip address 10.14.65.253 255.255.255.0
 ip nat outside
 standby 3 ip 10.14.65.1
 standby 3 preempt
 standby 3 name HSRP3
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
ip nat pool Inside_WVT_S2S_VIP 10.14.65.1 10.14.65.1 netmask 255.255.255.0
ip nat pool Inside_WVT_RA_VIP 10.14.64.1 10.14.64.1 netmask 255.255.255.0
ip nat inside source list 155 pool Inside_WVT_RA_VIP vrf S2S_VPN overload
ip nat inside source list 160 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 170 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 180 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 190 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 195 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat outside source static 10.14.64.2 25.255.48.229 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.2 25.255.48.238 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.4 25.255.48.233 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.5 25.255.48.234 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.6 25.255.48.232 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.7 25.255.48.230 vrf S2S_VPN add-route
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.99.1
ip route vrf S2S_VPN 0.0.0.0 0.0.0.0 25.255.48.225
!
!
ip access-list extended 155
 permit ip any host 25.255.48.229
ip access-list extended 160
 permit ip any host 25.255.48.238
ip access-list extended 170
 permit ip any host 25.255.48.233
ip access-list extended 180
 permit ip any host 25.255.48.234
ip access-list extended 190
 permit ip any host 25.255.48.232
ip access-list extended 195
 permit ip any host 25.255.48.230

Awesome, thank you very much. I look forward to hearing from you.
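The point made in the reply above is that IOS-XE box-to-box NAT HA (the feature the linked guide describes) is built on the redundancy group (RG) infrastructure, not on HSRP: the RG owns the virtual IPs, tracks the active/standby role, and replicates NAT translations over a dedicated data link, so the HSRP "standby" lines go away. The sketch below is an added example of what the posted configuration looks like when moved onto that model; it is not code from this thread or from Cisco's documentation, and nothing in the thread shows it being accepted on 16.09.05. Assumptions: GigabitEthernet0/0/0 is a spare port used for RG control traffic and GigabitEthernet0/1/0 (a NIM port) for RG data/session replication; 192.0.2.0/30 and 198.51.100.0/30 are constructed interconnect subnets; the RII and mapping-id numbers are arbitrary but must be identical on both routers; the exact keyword ordering of "redundancy ... mapping-id" relative to "vrf", "overload" and "add-route" follows my reading of the IOS-XE NAT HA syntax and should be confirmed with the CLI's "?" help on the target release.

```cisco
! Added example (not from the thread): RG-based box-to-box NAT HA applied to
! the posted config. The VIP values (10.14.64.1, 25.255.48.237, 10.14.65.1)
! are kept so the NAT pools below still resolve to addresses the active box owns.
! Interface names and interconnect subnets are assumptions, see lead-in.
!
redundancy
 application redundancy
  group 1
   name NAT-B2B
   priority 150 failover-threshold 100
   preempt
   control GigabitEthernet0/0/0 protocol 1
   data GigabitEthernet0/1/0
   track 10 decrement 60
  protocol 1
   timers hellotime 1 holdtime 3
!
! Losing the Internet-facing link costs 60 priority, pushing this box below
! the failover threshold so the peer takes over.
track 10 interface GigabitEthernet0/0/2 line-protocol
!
interface GigabitEthernet0/0/0
 description RG-control-to-peer (assumed spare port, constructed subnet)
 ip address 192.0.2.1 255.255.255.252
 negotiation auto
!
interface GigabitEthernet0/1/0
 description RG-data-to-peer (assumed NIM port, constructed subnet)
 ip address 198.51.100.1 255.255.255.252
 negotiation auto
!
! NAT-facing interfaces: "standby" lines removed, RG VIP and RII added.
! The RII ties the interface to its twin on the peer for translation sync.
interface GigabitEthernet0/0/1
 description Inside_WVT-RA-VPN
 ip vrf forwarding S2S_VPN
 ip address 10.14.64.253 255.255.255.0
 ip nat outside
 redundancy rii 101
 redundancy group 1 ip 10.14.64.1 exclusive
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
interface GigabitEthernet0/0/2
 description ***Internet_Out_cpe-hfc-hch-a***
 ip vrf forwarding S2S_VPN
 ip address 25.255.48.235 255.255.255.240
 ip nat inside
 ip access-group BLOCK_UDP_EXTERNAL in
 redundancy rii 102
 redundancy group 1 ip 25.255.48.237 exclusive
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
interface GigabitEthernet0/0/3
 description Inside_WVT-S2S-VPN
 ip vrf forwarding S2S_VPN
 ip address 10.14.65.253 255.255.255.0
 ip nat outside
 redundancy rii 103
 redundancy group 1 ip 10.14.65.1 exclusive
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
! Pools and ACLs 155-195 are unchanged from the post. Each NAT rule is
! bound to RG 1 with its own mapping-id so its translations are replicated
! and survive a switchover (mapping-ids chosen to match the ACL numbers).
ip nat pool Inside_WVT_S2S_VIP 10.14.65.1 10.14.65.1 netmask 255.255.255.0
ip nat pool Inside_WVT_RA_VIP 10.14.64.1 10.14.64.1 netmask 255.255.255.0
ip nat inside source list 155 pool Inside_WVT_RA_VIP redundancy 1 mapping-id 155 vrf S2S_VPN overload
ip nat inside source list 160 pool Inside_WVT_S2S_VIP redundancy 1 mapping-id 160 vrf S2S_VPN overload
ip nat inside source list 170 pool Inside_WVT_S2S_VIP redundancy 1 mapping-id 170 vrf S2S_VPN overload
ip nat inside source list 180 pool Inside_WVT_S2S_VIP redundancy 1 mapping-id 180 vrf S2S_VPN overload
ip nat inside source list 190 pool Inside_WVT_S2S_VIP redundancy 1 mapping-id 190 vrf S2S_VPN overload
ip nat inside source list 195 pool Inside_WVT_S2S_VIP redundancy 1 mapping-id 195 vrf S2S_VPN overload
! Outside statics get a mapping-id too (keyword order: confirm with "?").
ip nat outside source static 10.14.64.2 25.255.48.229 vrf S2S_VPN add-route redundancy 1 mapping-id 229
ip nat outside source static 10.14.65.2 25.255.48.238 vrf S2S_VPN add-route redundancy 1 mapping-id 238
ip nat outside source static 10.14.65.4 25.255.48.233 vrf S2S_VPN add-route redundancy 1 mapping-id 233
ip nat outside source static 10.14.65.5 25.255.48.234 vrf S2S_VPN add-route redundancy 1 mapping-id 234
ip nat outside source static 10.14.65.6 25.255.48.232 vrf S2S_VPN add-route redundancy 1 mapping-id 232
ip nat outside source static 10.14.65.7 25.255.48.230 vrf S2S_VPN add-route redundancy 1 mapping-id 230
!
! Peer router: identical config except its own physical addresses on
! Gi0/0/1, Gi0/0/2, Gi0/0/3 and the interconnects (e.g. 192.0.2.2,
! 198.51.100.2), and a lower "priority 100 failover-threshold 100".
```

Once both boxes carry this, "show redundancy application group 1" should report one router ACTIVE and the other STANDBY, and "show ip nat translations" on the standby should list the same entries as the active. The check that matters for the original question is to open a long-lived session through one of the static mappings, drop the active router's GigabitEthernet0/0/2, and confirm the session survives on the peer; if the translations are not present on the standby before the failover, the mapping-id binding (or the data interface) is not working and the switchover will reset every flow.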
