04-19-2023 12:25 PM
Hi All
I have a Cisco ISR in live production, and we have just purchased an additional one to run HA for redundancy. I have configured HSRP successfully on the two ISR routers. I have a few SNAT configurations, which I need to ensure work successfully in the event of a failover. I have read the following link (https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-b2b-ha.html.xml), which seems to be what I need; however, I would like some additional advice on what my exact configuration will need to look like. I have pasted the configuration of my primary ISR below (I have amended the public IP, FYI, before anyone mentions it). We want them to run active/passive (no asymmetric routing or LB).
!
interface GigabitEthernet0/0/1
 description Inside_WVT-RA-VPN
 ip vrf forwarding S2S_VPN
 ip address 10.14.64.253 255.255.255.0
 ip nat outside
 standby 1 ip 10.14.64.1
 standby 1 preempt
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
interface GigabitEthernet0/0/2
 description ***Internet_Out_cpe-hfc-hch-a***
 ip vrf forwarding S2S_VPN
 ip address 25.255.48.235 255.255.255.240
 ip nat inside
 ip access-group BLOCK_UDP_EXTERNAL in
 standby 2 ip 25.255.48.237
 standby 2 preempt
 standby 2 name HSRP2
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
interface GigabitEthernet0/0/3
 description Inside_WVT-S2S-VPN
 ip vrf forwarding S2S_VPN
 ip address 10.14.65.253 255.255.255.0
 ip nat outside
 standby 3 ip 10.14.65.1
 standby 3 preempt
 standby 3 name HSRP3
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
ip nat pool Inside_WVT_S2S_VIP 10.14.65.1 10.14.65.1 netmask 255.255.255.0
ip nat pool Inside_WVT_RA_VIP 10.14.64.1 10.14.64.1 netmask 255.255.255.0
ip nat inside source list 155 pool Inside_WVT_RA_VIP vrf S2S_VPN overload
ip nat inside source list 160 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 170 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 180 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 190 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 195 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat outside source static 10.14.64.2 25.255.48.229 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.2 25.255.48.238 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.4 25.255.48.233 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.5 25.255.48.234 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.6 25.255.48.232 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.7 25.255.48.230 vrf S2S_VPN add-route
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.99.1
ip route vrf S2S_VPN 0.0.0.0 0.0.0.0 25.255.48.225
!
!
ip access-list extended 155
 permit ip any host 25.255.48.229
ip access-list extended 160
 permit ip any host 25.255.48.238
ip access-list extended 170
 permit ip any host 25.255.48.233
ip access-list extended 180
 permit ip any host 25.255.48.234
ip access-list extended 190
 permit ip any host 25.255.48.232
ip access-list extended 195
 permit ip any host 25.255.48.230
Any help would be really appreciated.
04-19-2023 12:38 PM - edited 04-19-2023 02:17 PM
check my below comment
04-19-2023 12:55 PM
04-19-2023 12:57 PM - edited 04-19-2023 02:18 PM
check below comment
04-19-2023 01:03 PM
04-19-2023 01:41 PM
Friend, there is a difference between IOS-XE HA and HSRP; your config is pure HSRP. I will run a lab for IOS-XE and see how we can make NAT aware of HSRP.
04-19-2023 02:17 PM
04-20-2023 05:07 AM
Can you provide an example, using my configuration below, on how the configuration should look?
interface GigabitEthernet0/0/1
 description Inside_WVT-RA-VPN
 ip vrf forwarding S2S_VPN
 ip address 10.14.64.253 255.255.255.0
 ip nat outside
 standby 1 ip 10.14.64.1
 standby 1 preempt
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
interface GigabitEthernet0/0/2
 description ***Internet_Out_cpe-hfc-hch-a***
 ip vrf forwarding S2S_VPN
 ip address 25.255.48.235 255.255.255.240
 ip nat inside
 ip access-group BLOCK_UDP_EXTERNAL in
 standby 2 ip 25.255.48.237
 standby 2 preempt
 standby 2 name HSRP2
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
interface GigabitEthernet0/0/3
 description Inside_WVT-S2S-VPN
 ip vrf forwarding S2S_VPN
 ip address 10.14.65.253 255.255.255.0
 ip nat outside
 standby 3 ip 10.14.65.1
 standby 3 preempt
 standby 3 name HSRP3
 negotiation auto
 no ip virtual-reassembly
 no ip virtual-reassembly-out
!
ip nat pool Inside_WVT_S2S_VIP 10.14.65.1 10.14.65.1 netmask 255.255.255.0
ip nat pool Inside_WVT_RA_VIP 10.14.64.1 10.14.64.1 netmask 255.255.255.0
ip nat inside source list 155 pool Inside_WVT_RA_VIP vrf S2S_VPN overload
ip nat inside source list 160 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 170 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 180 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 190 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat inside source list 195 pool Inside_WVT_S2S_VIP vrf S2S_VPN overload
ip nat outside source static 10.14.64.2 25.255.48.229 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.2 25.255.48.238 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.4 25.255.48.233 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.5 25.255.48.234 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.6 25.255.48.232 vrf S2S_VPN add-route
ip nat outside source static 10.14.65.7 25.255.48.230 vrf S2S_VPN add-route
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.99.1
ip route vrf S2S_VPN 0.0.0.0 0.0.0.0 25.255.48.225
!
!
ip access-list extended 155
 permit ip any host 25.255.48.229
ip access-list extended 160
 permit ip any host 25.255.48.238
ip access-list extended 170
 permit ip any host 25.255.48.233
ip access-list extended 180
 permit ip any host 25.255.48.234
ip access-list extended 190
 permit ip any host 25.255.48.232
ip access-list extended 195
 permit ip any host 25.255.48.230
04-19-2023 02:17 PM
Awesome, thank you very much. I look forward to hearing from you.