12-31-2019 08:54 AM - edited 01-01-2020 01:25 AM
Hello everyone,
we used to do NAT on our router, but we are planning to buy a couple of routers to provide redundancy.
But I heard NAT doesn't work with HSRP!
Our configuration:
ip nat inside source route-map X interface X/X overload
Now, we are planning to apply the following commands:
ip nat pool TEST x.x.x.1 x.x.x.1 netmask 255.255.255.0
ip nat inside source route-map X pool TEST overload
* x.x.x.1 is the virtual IP of our routers on the outside
* Route-map X selects which traffic NAT should affect
If it is not going to work, what is the solution?
Our new routers will be ISR 4000
01-01-2020 03:13 AM
Hello,
I have come up with a somewhat simplified solution where the NAT entries would be cleared by an EEM script, regardless of which HSRP (LAN or WAN) fails. It would look like below:
Active Router:
interface GigabitEthernet0/0
ip nat outside
ip add 2.2.2.2 255.255.255.0
no ip redirects
standby 2 ip 2.2.2.1
standby 2 priority 110
standby 2 preempt
!
interface GigabitEthernet1/1
ip nat inside
ip address 1.1.1.2 255.255.255.0
standby 1 ip 1.1.1.1
standby 1 priority 110
standby 1 preempt
!
ip nat pool VIP 2.2.2.1 2.2.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool VIP overload
!
access-list 1 permit 1.1.1.0 0.0.0.255
!
event manager applet HSRP_DOWN
event syslog pattern "Active -> Init"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
!
event manager applet HSRP_UP
event syslog pattern "Listen -> Active"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
Standby Router:
interface GigabitEthernet0/0
ip nat outside
ip add 2.2.2.3 255.255.255.0
no ip redirects
standby 2 ip 2.2.2.1
!
interface GigabitEthernet1/1
ip nat inside
ip address 1.1.1.3 255.255.255.0
standby 1 ip 1.1.1.1
!
ip nat pool VIP 2.2.2.1 2.2.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool VIP overload
!
access-list 1 permit 1.1.1.0 0.0.0.255
!
event manager applet HSRP_DOWN
event syslog pattern "Active -> Init"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
!
event manager applet HSRP_UP
event syslog pattern "Listen -> Active"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
12-31-2019 09:12 AM
Have a look at this thread, it may help you:
https://community.cisco.com/t5/routing/nat-hsrp-and-routemap/td-p/579506
12-31-2019 10:41 AM - edited 12-31-2019 10:43 AM
hi @balaji.bandi ,
Thank you for replying
Unfortunately, there are 2 points your reply misses:
1. As I mentioned in my question, it is not a static NAT.
2. I am going to use my outside VIP as the NAT pool.
12-31-2019 11:13 AM - edited 12-31-2019 11:33 AM
Everybody,
What do you think of the configuration below:
Active Router:
int x/x
ip nat outside
ip add 1.1.1.1 255.255.255.0
no ip redirects
standby 1 ip 1.1.1.3
standby 1 preempt
standby 1 name HSRP1
ip nat stateful id 1
redundancy HSRP1
mapping-id 1
access-list 100 permit ip LAN_Range Specific_Destination
route-map TEST permit 10
match ip address 100
ip nat pool VIP 1.1.1.3 1.1.1.3 netmask 255.255.255.0
ip nat inside source route-map TEST pool VIP mapping-id 1 overload
Same configuration for Router 2 (the only change is the physical interface IP address, 1.1.1.2)
Note: We are trying to configure HSRP and NAT on the outside interface.
Note: HSRP will be configured on both the internal and the external network (there is a LAN between some routers on the external interface, connected through a switch, and we need to introduce our outside VIP to them as the next hop to reach the inside network).
12-31-2019 03:34 PM
Hello
Stateful NAT with HSRP is superseded by box-to-box NAT. I found this out when performing an IOS upgrade, and the new IOS version didn't work with the previous stateful NAT.
12-31-2019 09:10 PM
I think the final configuration must be something like this:
int gig 1/1
ip nat inside
ip address 1.1.1.2 255.255.255.0
standby 1 ip 1.1.1.1
standby 1 name HSRP
standby 1 track int gig 0/0
standby 1 preempt
int gig 0/0
ip nat outside
ip address 2.2.2.2 255.255.255.0
standby 2 ip 2.2.2.1
standby 2 name HSRP2
standby 2 track int gig 1/1
standby 2 preempt
ip nat stateful id 1
redundancy HSRP
mapping-id 10
access-list 100 permit tcp LAN_Range Specific_destinations eq X
route-map TEST permit 10
match ip address 100
ip nat pool VIP 2.2.2.1 2.2.2.1 netmask 255.255.255.0
ip nat inside source route-map TEST pool VIP mapping-id 10 overload
Note:
- We have a LAN on both sides, so we need to run HSRP on both inside and outside.
- We are supposed to configure NAT to translate inside LAN addresses to the outside VIP for some specific traffic, because the other routers only accept requests from this IP.
Guys, do you agree or not?
01-01-2020 05:20 AM
Hello @salemmahara ,
the document provided by @paul driver should be more current than the one I have just found.
See for comparison:
If Stateful NAT is no longer available on the ISR 4000 in recent IOS XE images, the following should apply.
We also need to consider the following:
Note:
> 1. We have a LAN on both sides, so we need to run HSRP on both inside and outside.
> 2. We are supposed to configure NAT to translate inside LAN addresses to the outside VIP for some specific traffic, because the other routers only accept requests from this IP.
In old Stateful NAT the "external" VIP could not be used.
You need to run HSRP on the "internal" and the "external" LAN side.
You should decide which router, let's say R1, is the master in normal conditions.
The active router must be active at the same time for the "internal" and the "external" HSRP redundancy groups; this can be achieved by using priority 105 on R1.
The logic is the following:
the internal HSRP RG must monitor the external interface (or it can use IP SLA); conversely, the external HSRP RG must monitor the internal LAN interface and check that the active router for the internal RG is local.
If either group fails, both must reduce their priority so that R2 can preempt.
Gratuitous ARP can make the clearing of NAT entries unnecessary. However, @Georg Pauwen's use of scripts can be very helpful.
However, you need to create a configuration that satisfies the requirement:
at any given time, for any condition, (R1 is active on BOTH the internal and the external HSRP RG) EXOR (R2 is active on BOTH the internal and the external HSRP RG).
See, from the document provided by @paul driver:
> In active-standby mode, the redundancy group (RG) that Network Address Translation (NAT) is part of remains in the standby mode on one device and active on a peer device. NAT in an RG that is in active mode translates the traffic according to the configured translation rules.
> NAT does not actively perform any translations on the device where its RG is in the standby mode. In an RG, only one peer is in active mode at a given instance and the other peer is in standby mode. Applications that belong to the RG are active only on the device on which the RG is active. On all other devices, applications that belong to the RG are in the standby mode.
Hope to help
Giuseppe
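To make the priority/tracking logic above concrete, here is an added example (not from the thread, and not Cisco code) that models two routers running an inside and an outside HSRP group, with R1 at priority 105 and R2 at 100 as Giuseppe suggests, both preempting, and each group decrementing its priority when the router's other LAN interface goes down. It enumerates every single-interface failure and reports the cases where the two groups end up on different routers, i.e. where the "R1 on both EXOR R2 on both" requirement breaks. The interface names, the decrement values and the tie-break by higher interface IP are assumptions of the model.

```python
"""Constructed model of the HSRP coupling described above: R1 runs priority 105
on both groups, R2 priority 100, both preempt, and each group tracks the
router's *other* LAN interface.  Invariant to check: for every
single-interface failure one router is active for BOTH groups.
Assumptions (not from the thread): two routers named R1/R2, last octets 2 and 3
for the HSRP tie-break, decrements passed in by the caller."""
from dataclasses import dataclass
from typing import Optional

GROUPS = ("inside", "outside")  # HSRP group 1 (LAN) and group 2 (WAN)


@dataclass
class Router:
    name: str
    base_priority: int
    track_decrement: int     # subtracted while the tracked (other) interface is down
    tiebreak_ip: int         # last octet: HSRP breaks priority ties by higher IP
    inside_up: bool = True
    outside_up: bool = True

    def own_if_up(self, group: str) -> bool:
        return self.inside_up if group == "inside" else self.outside_up

    def priority(self, group: str) -> int:
        # "standby 1 track <outside if>" on the inside group, and vice versa
        other_up = self.outside_up if group == "inside" else self.inside_up
        return self.base_priority - (0 if other_up else self.track_decrement)


def active_router(group: str, routers) -> Optional[str]:
    """Elect the active router for one group: preempt on, highest priority wins,
    ties go to the higher interface IP; a router whose own interface is down
    cannot be active for that group."""
    live = [r for r in routers if r.own_if_up(group)]
    if not live:
        return None
    return max(live, key=lambda r: (r.priority(group), r.tiebreak_ip)).name


def single_fault_scenarios():
    """'all up' plus every scenario with exactly one interface down."""
    yield "all up", {}
    for name in ("R1", "R2"):
        for attr in ("inside_up", "outside_up"):
            yield f"{name} {attr[:-3]} down", {name: attr}


def split_brain_scenarios(track_decrement: int, r1_priority: int = 105,
                          r2_priority: int = 100):
    """Single-fault scenarios where the two groups land on different routers
    (NAT state is then built on one box while return traffic hits the other)."""
    bad = []
    for label, fault in single_fault_scenarios():
        r1 = Router("R1", r1_priority, track_decrement, tiebreak_ip=2)
        r2 = Router("R2", r2_priority, track_decrement, tiebreak_ip=3)
        for r in (r1, r2):
            if r.name in fault:
                setattr(r, fault[r.name], False)
        actives = {g: active_router(g, (r1, r2)) for g in GROUPS}
        if len(set(actives.values())) != 1:
            bad.append((label, actives))
    return bad


def minimum_decrement(r1_priority: int = 105, r2_priority: int = 100,
                      limit: int = 50) -> Optional[int]:
    """Smallest track decrement that keeps both groups on the same router
    for every single fault, or None if no value up to `limit` works."""
    for d in range(limit + 1):
        if not split_brain_scenarios(d, r1_priority, r2_priority):
            return d
    return None


if __name__ == "__main__":
    print("no tracking   :", split_brain_scenarios(0))
    print("decrement 10  :", split_brain_scenarios(10))
    print("min decrement :", minimum_decrement())
```

With no tracking (decrement 0) the model reports two split cases: when either of R1's interfaces fails, R2 takes over that one group while R1 keeps the other. With a decrement larger than the 5-point gap between the two routers, every single failure moves both groups to R2 together; a decrement of exactly 5 only works here because the tie goes to R2's higher address, which is the kind of edge a practitioner should not rely on.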
12-31-2019 11:42 PM
Hi @paul driver ,
as you mentioned, unfortunately SNAT doesn't work on the ISR 4000 anymore.
I have a question:
what would happen if we do NAT the traditional way? I mean configuring NAT as always on both routers (the outside VIP would be our pool). If router 1 fails, router 2 comes up and does NAT (with new sessions).
The redundancy only works for FTP LAG. So is it necessary to configure it or not?
01-01-2020 02:45 AM - edited 01-01-2020 02:52 AM
Hello
@salemmahara wrote: what would happen if we do NAT the traditional way? I mean configuring NAT as always on both routers (the outside VIP would be our pool). If router 1 fails, router 2 comes up and does NAT (with new sessions).
The redundancy only works for FTP LAG. So is it necessary to configure it or not?
With stateful NAT and HSRP redundancy the NAT tables are shared, so when running two internal HSRP NAT routers without stateful NAT, the translation table would still have entries active pertaining to the failing router, and nothing on the secondary router. What is possible without using stateful NAT with HSRP redundancy or box-to-box NAT is that you could incorporate IP SLA tracking and EEM scripting to track the uplink of the primary router; on a reachability failure detected through the tracking, the EEM script would be able to clear the NAT translation table on the primary router and fail NAT over to the secondary router.
01-01-2020 03:02 AM
Hi again @paul driver ,
So you mean the traditional configuration works fine (translates addresses without problem) until the active router goes down. Then, the second router will not come up. Am I right? Or does it mean new sessions would be okay over the second router?
The biggest concern here is that I thought NAT does not work when we configure HSRP on the interfaces (both sides) and NAT some addresses to the pool which contains our outside VIP.
Is it okay?
01-01-2020 03:43 AM - edited 01-01-2020 03:47 AM
Thanks a million for accepting my request to participate in this topic. I really appreciate it.
To sum up, I'm going to ask some questions:
1. Why do we need to clear the NAT translations? The standby router will come up and start to NAT, and the active router will lose its priority and its responsibility for the VIP. So everything continues over the standby router (which is now the active router). What would happen if we don't do that?
2. So, as you mentioned as well, my configuration will work and I only need to clear the IP NAT translations. I mean NAT still works on HSRP interfaces and will be okay with the VIP.
01-01-2020 04:43 AM
Hello,
the reason you want to clear the NAT entries when the HSRP state changes is that you don't want the standby router to keep the NAT translations in the translation table and wait for the regular NAT timeout to occur.
NAT with HSRP will work nevertheless...
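The accepted answer's EEM applets and the explanation just given can be played through in a small model. The following is an added example, not code from the thread and not an IOS feature: it keeps a PAT (overload) table for the shared VIP 2.2.2.1, matches constructed %HSRP-5-STATECHANGE syslog lines against the two applet patterns from the accepted answer ("Active -> Init" and "Listen -> Active"), and flushes the table on a match the way `clear ip nat translation *` would. Running it once with the applets enabled and once without shows the stale entries that would otherwise sit on the former-active router until the NAT timeout. The syslog lines, the inside hosts, the port allocation and the timeout value are assumptions of the model.

```python
"""Constructed model of the accepted answer's EEM applets and of the PAT table
they clear.  Nothing here is IOS code; the syslog lines, the 86400 s timeout,
the inside hosts and the port allocation are assumptions made for the demo."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "event syslog pattern" strings from the accepted answer, matched as substrings
APPLET_PATTERNS = {
    "HSRP_DOWN": re.compile(r"Active -> Init"),
    "HSRP_UP": re.compile(r"Listen -> Active"),
}
# Shape of an IOS HSRP state-change message (assumed format for the parser)
HSRP_RE = re.compile(r"%HSRP-5-STATECHANGE: (\S+) Grp (\d+) state (\w+) -> (\w+)")

VIP = "2.2.2.1"
NAT_TIMEOUT = 86400  # assumed dynamic translation timeout in seconds


@dataclass
class PatTable:
    """Overload (PAT) table: (inside_ip, inside_port) -> [vip_port, last_seen]."""
    timeout: int = NAT_TIMEOUT
    entries: Dict[Tuple[str, int], List[int]] = field(default_factory=dict)

    def translate(self, inside_ip: str, inside_port: int, now: int) -> Tuple[str, int]:
        key = (inside_ip, inside_port)
        if key not in self.entries:
            self.entries[key] = [1024 + len(self.entries), now]  # simplified port pick
        self.entries[key][1] = now
        return (VIP, self.entries[key][0])

    def expire(self, now: int) -> int:
        """Drop entries idle longer than the timeout; return how many remain."""
        self.entries = {k: v for k, v in self.entries.items() if now - v[1] < self.timeout}
        return len(self.entries)

    def clear(self) -> None:
        """Model of 'clear ip nat translation *'."""
        self.entries.clear()


def parse_state_change(line: str) -> Optional[Tuple[str, int, str, str]]:
    """Return (interface, group, from_state, to_state) or None."""
    m = HSRP_RE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3), m.group(4)) if m else None


def matching_applets(syslog_line: str) -> List[str]:
    """Names of the applets whose 'event syslog pattern' matches this line."""
    return [name for name, pat in APPLET_PATTERNS.items() if pat.search(syslog_line)]


def run_router(syslog_lines: List[str], table: PatTable, eem_enabled: bool = True) -> List[str]:
    """Feed syslog through the applets; each match clears the NAT table."""
    fired = []
    for line in syslog_lines:
        hits = matching_applets(line)
        if hits and eem_enabled:
            table.clear()
        fired.extend(hits)
    return fired


def demo(eem_enabled: bool = True) -> Dict[str, object]:
    """R1 builds two PAT entries, then loses its outside HSRP group."""
    r1 = PatTable()
    r1.translate("1.1.1.10", 40000, now=0)
    r1.translate("1.1.1.11", 40001, now=5)
    syslog = [  # constructed lines as R1's outside interface goes down
        "%HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 2 state Active -> Init",
        "%HSRP-5-STATECHANGE: GigabitEthernet1/1 Grp 1 state Active -> Speak",
    ]
    fired = run_router(syslog, r1, eem_enabled=eem_enabled)
    remaining = r1.expire(now=200)  # well inside the NAT timeout
    return {"fired": fired, "remaining": remaining}


if __name__ == "__main__":
    print("with applets   :", demo(True))
    print("without applets:", demo(False))
```

With the applets enabled the outside group's "Active -> Init" line fires HSRP_DOWN and the table is empty afterwards; without them the two translations survive `expire()` because only 200 seconds of the timeout have passed. Note that the patterns are plain substring matches: a transition such as "Standby -> Active" fires neither applet in this model, so before relying on the applets it is worth checking which transitions your own routers actually log on failover and adding patterns for them.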
01-02-2020 12:39 AM - edited 01-02-2020 12:41 AM
Everybody,
Thank you for participating in this topic. I really appreciate you all. I wish I could mark all replies as the solution; however, it is not possible (is it? I mean, can I mark all replies? Because the solution could be a combination of them).
BTW, I'll check them and come back to mark the working solution.
Again and again, thank you for trying to keep the Cisco community as helpful as possible. The globe needs you guys to keep going.
01-05-2020 04:04 AM - edited 01-05-2020 04:09 AM
Hello again,
we configured NAT and HSRP on both devices (same configuration) and it is working fine. There is something strange, however. We copied the ACLs from our previous router to the new ones. One ACL checks the input traffic on an interface. All traffic is passing fine, but traffic from one specific router (carrying different services) stops passing through the router after a while! We have to remove and rewrite the lines of the ACL related to this traffic. When we check the ACL, the match hits are increasing, even while clients can't see the services!!! Other services and other lines of the ACL keep working at the same time. I removed and rewrote the whole ACL from scratch. Have you ever been in such a situation?
Another question. I've heard Cisco is forcing customers to use Smart Licensing since IOS XE 16.9.x. Is it true? Does it mean that if we don't have internet access, we cannot upgrade to 16.9.x? What would happen if we do it?