3699 Views, 45 Helpful, 18 Replies

HSRp + NAT + Route-map

salemmahara (Level 3)

Hello everyone,

We used to do NAT on our router, but we are planning to buy a couple of routers to provide redundancy.

But I heard NAT doesn't work with HSRP!

 

Our configuration:

ip nat inside source route-map X interface X/X overload

 

Now we are planning to apply the following commands:

 

ip nat pool TEST x.x.x.1 x.x.x.1 netmask 255.255.255.0

ip nat inside source route-map X pool TEST overload

 

* x.x.x.1 is the virtual IP of our routers connected to the outside

* Route-map X selects which traffic NAT should affect

 

If it is not going to work, what is the solution? 

Our new routers will be ISR 4000

 

1 Accepted Solution: the EEM-based reply from @Georg Pauwen, shown in the thread below.

18 Replies

balaji.bandi (Hall of Fame)

Have a look at this thread, it may help you:

 

https://community.cisco.com/t5/routing/nat-hsrp-and-routemap/td-p/579506

BB


hi @balaji.bandi ,

Thank you for replying

Unfortunately, there are 2 missed points in your reply:

1. As I mentioned in my question, it is not a static NAT.

2. I am going to use my outside VIP as the NAT pool.

salemmahara (Level 3)

Everybody,

What do you think of the configuration below:

 

Active Router:

int x/x
ip nat outside
ip add 1.1.1.1 255.255.255.0
no ip redirects
standby 1 ip 1.1.1.3
standby 1 preempt
standby 1 name HSRP1
!
ip nat stateful id 1
redundancy HSRP1
mapping-id 1
!
access-list 100 permit ip LAN_Range Specific_Destination
!
route-map TEST permit 10
match ip address 100
!
ip nat pool VIP 1.1.1.3 1.1.1.3 netmask 255.255.255.0
ip nat inside source route-map TEST pool VIP mapping-id 1 overload

 

 

Same configuration for Router 2 (With only change of physical interface ip address to 1.1.1.2)

Note: We are trying to configure HSRP and NAT on outside interface

Note: HSRP will be configured on both the internal and external networks (there is a LAN between some routers on the external interface, connected through a switch, and we need to introduce our outside VIP to them as the next hop to reach the inside network)

Hello 

Stateful NAT with HSRP is superseded by box-to-box NAT. I found this out when performing an IOS upgrade, and the new IOS version didn't work with the previous stateful NAT.

 

box-to-box nat

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I think the final configuration must be something like this:

 

int gig 1/1
ip nat inside
ip address 1.1.1.2 255.255.255.0
standby 1 ip 1.1.1.1
standby 1 name HSRP
standby 1 track int gig 0/0
standby 1 preempt
!
int gig 0/0
ip nat outside
ip address 2.2.2.2 255.255.255.0
standby 2 ip 2.2.2.1
standby 2 name HSRP2
standby 2 track int gig 1/1
standby 2 preempt
!
ip nat stateful id 1
redundancy HSRP
mapping-id 10
!
access-list 100 permit tcp LAN_Range Specific_destinations eq X
!
route-map TEST permit 10
match ip add 100
!
ip nat pool VIP 2.2.2.1 2.2.2.1 netmask 255.255.255.0
ip nat inside source route-map TEST pool VIP mapping-id 10 overload

 

Note:

- We have a LAN on both sides, so we need to run HSRP on both inside and outside

- We are supposed to configure NAT to translate inside LAN addresses to the outside VIP for some specific traffic, because other routers only accept requests from this IP.

 

Guys, do you agree or not?

Hello @salemmahara ,

the document provided by @paul driver should be more current than the one I have just found

 

see for comparison:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-dynamc-hsrp.html#reference_CD872D03F4A64B7AA7C3A65DD8508E75

 

If Stateful NAT is no longer available on the ISR 4000 in recent IOS XE images, the following should apply.

We also need to consider the following:

 

Note (quoting the earlier post):

> 1. We have a LAN on both sides, so we need to run HSRP on both inside and outside

> 2. We are supposed to configure NAT to translate inside LAN addresses to the outside VIP for some specific traffic, because other routers only accept requests from this IP.

 

In old stateful NAT the "external" VIP could not be used.

You need to run HSRP on the "internal" and "external" LAN side.

You should decide which router, let's say R1, is master in normal conditions.

The active router must be active at the same time for the "internal" and "external" HSRP redundancy groups; this can be achieved by using priority 105 on R1.

The logic is the following:

The internal HSRP RG must monitor the external interface, or it can use IP SLA; conversely, the external HSRP RG must monitor the internal LAN interface and check that the active router for the internal RG is local.

If either group fails, both must reduce their priority so that R2 can preempt.

Gratuitous ARP can make the clearing of NAT entries unnecessary. However, @Georg Pauwen's use of scripts can be very helpful.

However, you need to create a configuration that satisfies the requirement:

 

at any given time for any condition (either R1 is active on BOTH internal and external HSRP RGs) EXOR (R2 is active on BOTH the internal and external HSRP RGs)

 

See, from the document provided by @paul driver:

> NAT in Active-Standby Mode

> In active-standby mode, the redundancy group (RG) that Network Address Translation (NAT) is part of remains in the standby mode on one device and active on a peer device. NAT in an RG that is in active mode translates the traffic according to the configured translation rules.

> NAT does not actively perform any translations on the device where its RG is in the standby mode. In an RG, only one peer is in active mode at a given instance and the other peer is in standby mode. Applications that belong to the RG are active only on the device on which the RG is active. On all other devices, applications that belong to the RG are in the standby mode.

 

 

Hope to help

Giuseppe
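As an added example (mine, not configuration from this thread or from the Cisco document quoted above), here is the logic described above expressed with IOS XE object tracking: on R1 each HSRP group tracks the opposite interface plus an IP SLA probe to the upstream next hop, and priority 105 with a decrement of 10 drops R1 below R2's default priority of 100 as soon as anything fails, so R2 preempts both groups together. Interface names, the inside network 1.1.1.0/24, the outside network 2.2.2.0/24, the VIPs 1.1.1.1 and 2.2.2.1, the upstream next hop 2.2.2.254, the ACL contents and the HSRP key string are all assumptions for illustration.

```cisco
! R1 (normally active). Added example, not configuration from the thread.
! Assumed: Gi1/1 = inside LAN 1.1.1.0/24, Gi0/0 = outside 2.2.2.0/24,
! upstream next hop 2.2.2.254 (assumed), HSRP VIPs 1.1.1.1 and 2.2.2.1.
track 1 interface GigabitEthernet0/0 line-protocol
track 2 interface GigabitEthernet1/1 line-protocol
!
! Reachability of the upstream next hop catches a dark uplink whose link stays up.
ip sla 1
 icmp-echo 2.2.2.254 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
track 3 ip sla 1 reachability
!
interface GigabitEthernet1/1
 description inside LAN
 ip address 1.1.1.2 255.255.255.0
 ip nat inside
 standby version 2
 standby 1 ip 1.1.1.1
 standby 1 priority 105
 standby 1 preempt delay minimum 30
 standby 1 authentication md5 key-string HSRP-KEY-EXAMPLE
 standby 1 track 1 decrement 10
 standby 1 track 3 decrement 10
!
interface GigabitEthernet0/0
 description outside
 ip address 2.2.2.2 255.255.255.0
 ip nat outside
 no ip redirects
 standby version 2
 standby 2 ip 2.2.2.1
 standby 2 priority 105
 standby 2 preempt delay minimum 30
 standby 2 authentication md5 key-string HSRP-KEY-EXAMPLE
 standby 2 track 2 decrement 10
 standby 2 track 3 decrement 10
!
! Only traffic matched by the route-map is translated to the outside VIP.
ip access-list extended NAT-TO-VIP
 permit ip 1.1.1.0 0.0.0.255 any
route-map NAT-VIP permit 10
 match ip address NAT-TO-VIP
ip nat pool VIP 2.2.2.1 2.2.2.1 netmask 255.255.255.0
ip nat inside source route-map NAT-VIP pool VIP overload
!
! R2: identical track objects, IP SLA, ACL, route-map, pool and NAT rule.
! HSRP differs only in the physical addresses and in leaving the priority at
! the default of 100. "preempt" on R2 is mandatory: a priority decrement on
! R1 changes nothing unless R2 is allowed to take over.
interface GigabitEthernet1/1
 ip address 1.1.1.3 255.255.255.0
 ip nat inside
 standby version 2
 standby 1 ip 1.1.1.1
 standby 1 preempt
 standby 1 authentication md5 key-string HSRP-KEY-EXAMPLE
 standby 1 track 1 decrement 10
 standby 1 track 3 decrement 10
!
interface GigabitEthernet0/0
 ip address 2.2.2.3 255.255.255.0
 ip nat outside
 no ip redirects
 standby version 2
 standby 2 ip 2.2.2.1
 standby 2 preempt
 standby 2 authentication md5 key-string HSRP-KEY-EXAMPLE
 standby 2 track 2 decrement 10
 standby 2 track 3 decrement 10
```

Walk through the failure cases: if Gi0/0 on R1 goes down, group 2 on R1 leaves HSRP entirely and group 1 on R1 drops to 95 (85 once the SLA probe fails too), so R2 at 100 preempts group 1 as well; if only the upstream next hop dies, track 3 lowers both of R1's groups to 95 and R2 takes both; the symmetric case on Gi1/1 behaves the same way. Because both groups on a box share the same tracked objects, they always move together, which is the "R1 active on both" EXOR "R2 active on both" condition stated above. Verify with `show standby brief` on both routers (the same router must be Active for groups 1 and 2) and `show track brief`. The MD5 key string is there for a reason a security engineer cares about: without HSRP authentication any host on either LAN can send higher-priority hellos, become Active for the VIP and pull all the translated traffic through itself.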

 

Hi @paul driver ,

as you mentioned, unfortunately SNAT doesn’t work on ISR 4000 anymore.

 

I have a question

What would happen if we do NAT the traditional way? I mean configuring NAT as always on both routers (the outside VIP would be our pool). If router 1 fails, router 2 comes up and does NAT (with new sessions).

Redundancy only works for FTP LAG. So is it necessary to configure it or not?

Hello


@salemmahara wrote:

> What would happen if we do NAT the traditional way? I mean configuring NAT as always on both routers (the outside VIP would be our pool). If router 1 fails, router 2 comes up and does NAT (with new sessions).

> Redundancy only works for FTP LAG. So is it necessary to configure it or not?

With stateful NAT and HSRP redundancy the NAT tables are shared, so when running two internal HSRP NAT routers without stateful NAT, the translation table would still have entries active pertaining to the failing router and nothing on the secondary router. What is possible without using stateful NAT with HSRP redundancy or box-to-box NAT is that you could incorporate IP SLA tracking and EEM scripting to track the uplink of the primary router; on reachability failure through the tracking, the EEM script would be able to clear the NAT translation table on the primary router and fail over NAT to the secondary router.

 



Kind Regards
Paul

Hi again @paul driver ,

So you mean the traditional configuration works fine (translates addresses without problem) until the active router goes down. Then the second router will not come up. Am I right? Or does it mean new sessions would be okay over the second router?

 

The biggest concern here is that I thought NAT is not working when we configure HSRP on interfaces (both side) and NAT some addresses to the pool which contains our outside VIP. 

 

Is it okay ?

Hello,

 

I have come up with a somewhat simplified solution where the NAT entries would be cleared by an EEM script, regardless of which HSRP (LAN or WAN) fails. It would look like below:

 

Active Router:

interface GigabitEthernet0/0
ip nat outside
ip add 2.2.2.2 255.255.255.0
no ip redirects
standby 2 ip 2.2.2.1
standby 2 priority 110
standby 2 preempt
!
interface GigabitEthernet1/1
ip nat inside
ip address 1.1.1.2 255.255.255.0
standby 1 ip 1.1.1.1
standby 1 priority 110
standby 1 preempt
!
ip nat pool VIP 2.2.2.1 2.2.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool VIP overload
!
access-list 1 permit 1.1.1.0 0.0.0.255
!
event manager applet HSRP_DOWN
event syslog pattern "Active -> Init"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
!
event manager applet HSRP_UP
event syslog pattern "Listen -> Active"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"

 

Standby Router:

 

interface GigabitEthernet0/0
ip nat outside
ip add 2.2.2.3 255.255.255.0
no ip redirects
standby 2 ip 2.2.2.1
!
interface GigabitEthernet1/1
ip nat inside
ip address 1.1.1.3 255.255.255.0
standby 1 ip 1.1.1.1
!
ip nat pool VIP 2.2.2.1 2.2.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool VIP overload
!
access-list 1 permit 1.1.1.0 0.0.0.255
!
event manager applet HSRP_DOWN
event syslog pattern "Active -> Init"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
!
event manager applet HSRP_UP
event syslog pattern "Listen -> Active"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
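An added example (mine, not Georg's or Paul's configuration) that broadens the applets above to the transitions HSRP actually logs and adds the verification steps: on a normal failover the new active router logs `%HSRP-5-STATECHANGE: <interface> Grp <n> state Standby -> Active`, while the router losing the role logs `Active -> Speak` (its priority was lowered by a tracked object and the peer preempted) or `Active -> Init` (its interface went down); `Listen -> Active` is only seen when a router preempts straight from Listen. Matching on `-> Active` and `Active -> ` therefore covers all of these with two applets. The local username `eem-nat` and the group numbers are assumptions.

```cisco
! Added example, not the thread's own configuration. Apply on BOTH routers.
! Only needed when AAA command authorization is enabled: run the applets' CLI
! actions as a named local user so "clear ip nat translation" is authorized.
! (The user "eem-nat" is an assumption; it must exist locally.)
event manager session cli username eem-nat
!
! New Active router: drop whatever stale translations were built while it was
! Standby so the table is rebuilt from live flows on this box only.
event manager applet NAT_CLEAR_ON_ACTIVE
 event syslog pattern "%HSRP-5-STATECHANGE: .* state .* -> Active"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "EEM: HSRP went Active, NAT translation table cleared"
!
! Router that just lost the Active role (Active -> Speak after a tracked
! object lowered its priority, Active -> Init after an interface went down):
! clear its table too, so it stops holding state for flows now owned by the peer.
event manager applet NAT_CLEAR_ON_LOST_ACTIVE
 event syslog pattern "%HSRP-5-STATECHANGE: .* state Active -> "
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "EEM: HSRP left Active, NAT translation table cleared"
!
! Verification after a forced failover (for example "shutdown" on a tracked
! interface of the active router, or temporarily "standby 1 priority 90"):
!   show standby brief                       - same router Active for both groups
!   show track brief                         - tracked objects Up/Down as expected
!   show ip nat statistics | include Total   - active translations near 0 right after
!   show event manager history events        - confirms which applet fired
```

Two operational caveats: `clear ip nat translation *` tears down every dynamic session on that router, which is exactly what you want on the box that lost the VIP but means a flapping HSRP group turns into a session-killing loop, so fix the flap (or add a `preempt delay minimum`) before relying on this; and because the applets trigger on the local syslog text, test them with a real failover rather than trusting the regex, using `show event manager history events` to see that they ran.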

 

 

Hi @Georg Pauwen,

Thanks a million for accepting my request to participate in this topic. I really appreciate it.

To sum up, I'm going to ask some questions:

1. Why do we need to clear the NAT translations? The standby router will come up and start to NAT, and the active router will lose its priority and responsibility for the VIP. So everything continues over the standby router (which is now the active router). What would happen if we don't do that?

2. So, as you mentioned as well, my configuration will work and I only need to clear the IP NAT translations. I mean NAT still works on HSRP interfaces and will be okay with the VIP.

 

Hello,

 

the reason you want to clear the NAT entries when the HSRP state changes is because you don't want the standby router to keep the NAT translations in the translation table and wait for the regular NAT timeout to occur.

NAT with HSRP will work nevertheless...

Everybody,

Thank you for participating in this topic. I really appreciate you all. I wish I could mark all replies as the solution; however, it is not possible (is it? I mean, can I mark all replies? Because the solution could be a combination of them).

BTW, I'll check them and come back to mark the working solution. 

Again and again, thank you for trying to keep Cisco community as helpful as possible. The globe needs you guys to keep going. 

@Georg Pauwen 

@Giuseppe Larosa 

@paul driver 

@balaji.bandi 

salemmahara (Level 3)

Hello again,

We configured NAT and HSRP on both devices (same configuration) and it is working fine. There is something strange, however. We have copied the ACLs from our previous router to the new ones. One ACL is checking input traffic through an interface. All traffic is passing fine, but traffic from a specific router (containing different services) stops passing through the router after a while! We have to remove and rewrite the lines of the ACL related to this traffic. When we check the ACL, the match hit count is increasing, even when clients can't see the services!!! Other services and lines of the ACL are working fine at the same time. I removed and rewrote the whole ACL from scratch. Have you ever been in such a situation?

 

Another question. I've heard Cisco is forcing customers to use Smart Licensing since IOS XE 16.9.x. Is it true? Does it mean that, if we don't have internet access, we cannot upgrade to 16.9.x? What would happen if we do it?

@Giuseppe Larosa @Georg Pauwen @paul driver @balaji.bandi 
