Thanks Edison.

Everything seems to be working. My only concern is that when the primary-nat comes back online some connections may stay on the backup-nat. Is their anyway to ensure this doesn't happen?

The timeout values on the nat translation should help but it isn't guaranteed.

2 second timeout is very low already and should be use with care. It can add processor overhead into the router. Keep an eye on the CPU for any adverse effect.

As you stated that everything is working, please take a moment to rate the individuals who have worked on this thread.

Thanks !

Ok, the CLI help is a little confusing as it shows a reference to vtemplate:

ip nat inside source list 100 interface fa0/0 overload ?

oer Use with vtemplate only. On new translation, if OER BR is UP, OER

will select IP from outgoing Interface. All packets matching

translation are forwarded over Interface for duration of

translation.

portmap Specify Port Map that is to be associated with this mapping

This is not surprising as we know that IOS is very good at being obscure at times. I have never used OER but I see that in this case one can invoke it in the NAT without having configured it explicitly anywhere else in the router. Fine with me!

Paolo,

I was trying to dig some documentation in the matter but couldn't.

I came across that option via the CLI online help and gave it a try without a OER template.

It seems to work quite well in conjunction with the IP SLA.

Right.

Now I don't remember if you were with cisco previously or it is a new job, in any case congratulations!

I couldn't complete the "ten years" with them but the ones that I spent for sure were quite hectic!

Paolo, it's a new job and thanks !

I hope you guys don't mind me reviving an old thread. My original query is in http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbed8bd

I read through this whole thread but failed to see how to solve applications where the relatively short NAT translation timeout becomes an issue. My client has applications running in Citrix as well as YM for communications with their clients. And setting the NAT translation timeout to even 30 seconds would cause them to disconnect at seemingly random times.

However, if I leave it at default, the applications becomes stable but the failover does not happen. I may have made a mess of my config so I would appreciate any help.

Attached below is the excerpt of the config where the NAT translation timeouts are configured:

!

track 1 rtr 1 reachability

!

track 2 rtr 2 reachability

!

interface Serial0/1/1

description ISP2

ip address 2.2.2.1 255.255.255.252

ip nat outside

ip virtual-reassembly

zone-member security out-zone

!

interface Serial0/3/0

description ISP1

ip address 1.1.1.1 255.255.255.252

ip nat outside

ip virtual-reassembly

zone-member security out-zone

!

interface Vlan1

description LAN

ip address 192.168.12.3 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

ip nat translation timeout 10

ip nat translation tcp-timeout 10

ip nat translation udp-timeout 10

ip nat translation finrst-timeout 10

ip nat translation syn-timeout 10

ip nat translation dns-timeout 10

ip nat translation routemap-entry-timeout 10

ip nat translation icmp-timeout 10

ip nat translation arp-ping-timeout 10

ip nat inside source route-map ISP1 interface Serial0/3/0 overload oer

ip nat inside source route-map ISP2 interface Serial0/1/1 overload oer

!

ip sla 1

icmp-echo 2.2.2.2 source-interface Serial0/1/1

frequency 5

ip sla schedule 1 life forever start-time now

!

ip sla 2

icmp-echo 1.1.1.2 source-interface Serial0/3/0

frequency 5

ip sla schedule 2 life forever start-time now

!

route-map ISP1 permit 10

match ip address natlist

set ip next-hop verify-availability 1.1.1.2 2 track 2

!

route-map ISP2 permit 10

match ip address natlist

set ip next-hop verify-availability 2.2.2.2 1 track 1

!

ip access-list extended natlist

permit ip any any

!

ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 2

ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1

!

Please, let's get back to your thread. This one is deep enough that it's very hard to follow.

Thank you very much for this configuration.

I would also like to have static NAT translations for inbound services configured across both ISP links, would i be correct in thinking that i need to use secondary IP Address's on the internal hosts.

ie: Internal Server on IP 192.168.1.10 and a secondary IP of 192.168.1.11.

ip nat inside source static tcp 192.168.1.10 25 interface Ethernet1/0 25

!

ip nat inside source static tcp 192.168.1.11 25 interface Ethernet2/0 25

Regards