Re: HSRP beginner

Miguel Angel Alvarez Rodriguez · ‎09-17-2013

Hi:

I never use HSRP before. Now I'm configuring it in the public interface of two new Cisco 1921 routers. I have three cuestions:

1) I'm going to bind all my static NAT rules to the GigabitEthernet0/0 interface: is the router clever enough to automatically use the virtual IP for this rules, or is going to use the real IP of the interface? May I change the NAT rules for using the virtual IP inestead of the interface name?

2) All my ACLs are binded to the virtual IP, but I don't know if this is going to work or I need to configure the ACLs with the real outside interface address. It's the reverse question of the one before.

3) I'd like to continue using some static NAT rules only with the real IP address. Can I do that? For example:

IP real address: X.X.X.X

HSRP virtual IP address X.X.X.X+1

ip nat inside source static tcp 192.168.1.1 4444 interface GigabitEthernet0/1 2222 /*as I have defined HSRP I suppose GigabitEthernet0/1=X.X.X.X+1

ip nat inside source static tcp 192.168.1.2 5555 interface X.X.X.X 2222 /*I suppose I can use real IP (X.X.X.X) for other NAT statements

Richard Burts · ‎09-17-2013

1) No the router will not use the virtual IP for the translation. It will use the physical interface address.

2) I do not quite understand this question. And I am not sure that it is really the reverse of question 1.

Part of my confusion is that you do not bind ACL to an address but you bind it to the interface. Are you asking about what address to use in the permit/deny statements or are you asking something else?

3) I do not understand this question either.

HSRP on the public interface of a router is pretty unusual (it is more common to use HSRP on the inside interface). Perhaps you could provide some information about the topology of the network and how you expect HSRP to work on the public interface?

HTH

Rick

HTH

Rick

Miguel Angel Alvarez Rodriguez · ‎09-19-2013

Hi Richard:

After several configurations I got HSRP working with some minor issues. This is the situation:

1) I tried using physical interface name in the NAT statements, but this did not work. Then I tried using the virtual IP address instead, and it works. I'm attaching the configuration.

2) I suppose I expressed myself badly. What I really wanted to ask is what outside interface's IP address (the real one or the virtual one) I must use in the ACLs to deny or permit traffic based on the destination address. I tried with the virtual one, and then again it works.

3) The third question is related to the fact that when you use HSRP there are two IP addresses working in the outside interface (the real and the virtual one). I'm using the virtual one for NAT statements and ACLs, but I would like to have some specific traffic working only with the real IP address, this is without HSRP. I tried this and it works too, but only when the active router was the one in which I configured the rules for the real IP address. In the configuration I'm attaching the NAT statement and the ACL rule related to this are the ones using the U tcp port.

My topology is very simple:

- I have two identical routers giving redundant access to Internet to a network using one only Internet access with one public IP address for each router (the real IP addresses).

- I expect that when one of the routers goes down the other keeps working with the same public IP address (the virtual one IP address). Is there any simpler way to get this working than HSRP?

As I said to you my configuration is now working, but with some minor issues. At this moment the internal network have Internet access, and external users can access to services permited in internal hosts through NAT. The main problem is that DNS traffic is blocked, so internal hosts have Internet access, but they can't surf the web, and I don't know why.