01-13-2017 10:03 AM - edited 03-05-2019 07:50 AM
I have a project in which we will be running HSRP between two routers to a hosted VoIP solution from ISP. I am unable to find a configuration that will answer a few questions:
1. Can the same pools be configured on both routers (heard that this can cause black holes)?
2. How to avoid asymmetric routing (this isn't supported with VoIP, packets must use same router for exit and return traffic)?
3. Can someone provide a short configuration for this scenario?
BGP will be used for the routing protocol to ISP and static routing on LAN. These are multiple T1 links to the ISP using MLPPP. There will be 1 VLAN for phones that will need to be PAT translated, as well as one address for an SBC that will need to be NAT translated. In the configuration below the SBC address will need to be xlated to 123.65.80.1. The SBC must be statically xlated to this address. The phones can use PAT. Does this config address the above?
Template config:
Router 1
!
interface Loopback100
description NAT address for VoIP
ip address 123.80.2 255.255.255.255
!
interface Multilink1
description PPP multilink group 1, link to MPLS PE
ip address x.246.37.62 255.255.255.252
ip nat outside
ip virtual-reassembly in
ppp chap hostname x.246.37.62
ppp multilink
ppp multilink group 1
ppp multilink fragment disable
service-policy output QA_CLAN_M9
hold-queue 32768 out
!
interface GigabitEthernet0/0
description connection to customer LAN - SBC and Phones
ip address 10.207.6.113 255.255.255.248
ip access-group 113 in
ip nat inside
no standby redirect
standby version 2
standby 10 ip 10.207.6.115
standby 10 priority 110
standby 10 preempt delay minimum 60
standby 10 track 1 decrement 20
!
interface GigabitEthernet0/1
description B2B interface
ip address x.246.39.249 255.255.255.252
duplex full
speed 100
!
ip nat inside source route-map VoIP-NAT interface Loopback100 overload
ip nat inside source static 10.53.6.98 123.65.80.1
access-list 110 remark VoIP ip NAT
access-list 110 permit ip 172.23.56.0 0.0.1.255 123.127.255.0 0.0.0.255
!
route-map HVS-NAT permit 10
match ip address 110
Router 2
!
interface Loopback100
description NAT address for HVS
ip address 123.65.80.3 255.255.255.255
!
interface Multilink1
description PPP multilink group 1, link to MPLS PE
ip address x.246.39.138 255.255.255.252
ip nat outside
ip virtual-reassembly in
ppp chap hostname x.246.39.138
ppp multilink
ppp multilink group 1
ppp multilink fragment disable
service-policy output QA_CLAN_M92
hold-queue 32768 out
!
interface GigabitEthernet0/0
description connection to customer LAN - SBC and Phones
ip address 10.207.6.114 255.255.255.248
ip access-group 113 in
ip nat inside
no standby redirect
standby version 2
standby 10 ip 10.207.6.115
standby 10 preempt
service-policy output CA_OUT_MARK_PASSIVE
!
interface GigabitEthernet0/1
description B2B interface
ip address x.246.39.250 255.255.255.252
duplex full
speed 100
!
ip nat inside source route-map VoIP-NAT interface Loopback100 overload
ip nat inside source static 10.53.6.98 123.65.80.1
!
!
route-map VoIP-NAT permit 10
match ip address 110
set as-path prepend 2 2 2 2
!
access-list 110 remark VoIP Data ip NAT
access-list 110 permit ip 172.23.56.0 0.0.1.255 123.127.255.0 0.0.0.255
!
Thank you
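Added example (not part of the original post, and not Cisco tooling): a small Python check that reads one router's configuration text and reports NAT route-maps that are referenced but never defined, route-map ACLs that are missing, malformed interface addresses, and BGP-only `set as-path` clauses inside a route-map used for NAT, which only take effect when a map is applied to BGP. The function name, finding codes and the embedded sample (lines excerpted from the Router 1 template above) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: lines excerpted from the Router 1 template in the post above.
SAMPLE_R1 = """\
interface Loopback100
ip address 123.80.2 255.255.255.255
interface GigabitEthernet0/0
ip address 10.207.6.113 255.255.255.248
ip nat inside
ip nat inside source route-map VoIP-NAT interface Loopback100 overload
ip nat inside source static 10.53.6.98 123.65.80.1
access-list 110 permit ip 172.23.56.0 0.0.1.255 123.127.255.0 0.0.0.255
!
route-map HVS-NAT permit 10
match ip address 110
"""

def lint_nat_config(text):
    """Return sorted (code, detail) findings for one router's config text."""
    findings = set()
    maps, nat_maps, bgp_set_maps = set(), set(), set()
    acls, matched_acls = set(), set()
    current_map = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(("match ", "set ")):
            current_map = None  # any other command ends the route-map block
        if m := re.match(r"route-map (\S+) (?:permit|deny)", line):
            current_map = m.group(1)
            maps.add(current_map)
        elif m := re.match(r"ip nat inside source route-map (\S+)", line):
            nat_maps.add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", line):
            acls.add(m.group(1))
        elif current_map and (m := re.match(r"match ip address (\d+)", line)):
            matched_acls.add(m.group(1))
        elif current_map and line.startswith("set as-path"):
            bgp_set_maps.add(current_map)
        elif m := re.match(r"ip address ([\d.]+) ", line):
            try:  # redacted addresses (x.246...) never reach this branch
                ipaddress.IPv4Address(m.group(1))
            except ValueError:
                findings.add(("bad-ipv4", m.group(1)))
    findings |= {("undefined-route-map", n) for n in nat_maps - maps}
    findings |= {("undefined-acl", n) for n in matched_acls - acls}
    findings |= {("bgp-set-in-nat-map", n) for n in nat_maps & bgp_set_maps}
    return sorted(findings)

if __name__ == "__main__":
    for code, detail in lint_nat_config(SAMPLE_R1):
        print(f"{code}: {detail}")
```

Running the same function over each router's text before deployment catches a name mismatch between the `ip nat inside source route-map` statement and the `route-map` definition, which would otherwise leave the PAT rule without a matching policy.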
01-20-2017 12:53 AM
Hello,
static and dynamic NAT in an HSRP environment can be configured using redundancy groups as outlined in the link below.
Post the full configs of your routers including and we can fill in the missing parts...
Configuring NAT for High Availability
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/15-2mt/iadnat-ha.html#GUID-3050D9AD-AD33-4CDA-8D51-E26B1C055109
01-20-2017 08:33 AM
Thank you for the response. I will try to retrieve the current configs. Wish SNAT supported SIP per the link you posted...that would've been great. Configs to come...
01-20-2017 11:14 AM
Hello,
there is a feature where NAT can be configured as SIP Session Border Controller:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-host-sbc.html
01-20-2017 12:32 PM
There is a separate SBC for this design, the Cisco routers won't be acting as SBC...would be nice if they were, then I could set it up that way. They have strict requirements to use their own SBC. Thanks.
01-20-2017 09:18 AM
Current configs:
Router 1
!
interface Loopback100
description NAT address for VoIP
ip address xxx.65.80.2 255.255.255.255
!
interface Multilink1
description PPP multilink group 1, link to MPLS PE
ip address xxx.xxx.37.62 255.255.255.252
ip nat outside
ip virtual-reassembly in
ppp chap hostname xxx.xxx.37.62
ppp multilink
ppp multilink group 1
ppp multilink fragment disable
service-policy output QA_CLAN
hold-queue 32768 out
!
interface GigabitEthernet0/0
description connection to LAN - SBC and Phones
ip address xx.207.6.113 255.255.255.248
ip access-group 113 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
no standby redirect
standby version 2
standby 10 ip xxx.207.6.115
standby 10 priority 110
standby 10 preempt delay minimum 60
standby 10 track 1 decrement 20
duplex auto
speed auto
service-policy output CA_OUT_MARK_PASSIVE
!
interface GigabitEthernet0/1
description B2B interface
ip address xxx.246.39.249 255.255.255.252
duplex full
speed 100
!
ip nat inside source route-map VoIP-NAT interface Loopback100 overload
ip nat inside source static 10.53.6.98 xxx.65.80.1
!
ip route 10.53.6.96 255.255.255.240 GigabitEthernet0/0 10.207.6.116
ip route xxx.65.80.1 255.255.255.255 GigabitEthernet0/0
ip route 172.23.56.0 255.255.254.0 GigabitEthernet0/0 10.207.6.116
!
ip route xxx.65.80.1 255.255.255.255 GigabitEthernet0/0
!
!
route-map VoIP-NAT permit 10
match ip address 110
!
access-list 110 remark VoIP Data ip NAT
access-list 110 permit ip 172.23.56.0 0.0.1.255 xxx.127.255.0 0.0.0.255
!
Router 2
!
interface Loopback100
description NAT address for VoIP
ip address xxx.65.80.3 255.255.255.255
!
interface Multilink1
description PPP multilink group 1, link to MPLS PE
ip address xxx.246.39.138 255.255.255.252
ip nat outside
ip virtual-reassembly in
ppp chap hostname xxx.246.39.138
ppp multilink
ppp multilink group 1
ppp multilink fragment disable
service-policy output QA_CLAN
hold-queue 32768 out
!
interface GigabitEthernet0/0
description connection to LAN - SBC and Phones
ip address 10.207.6.114 255.255.255.248
ip access-group 113 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
no standby redirect
standby version 2
standby 10 ip 10.207.6.115
standby 10 preempt
duplex auto
speed auto
service-policy output CA_OUT_MARK_PASSIVE
!
interface GigabitEthernet0/1
description B2B interface
ip address xxx.246.39.250 255.255.255.252
duplex full
speed 100
!
ip nat inside source route-map VoIP-NAT interface Loopback100 overload
ip nat inside source static 10.53.6.98 xxx.65.80.1
ip route 10.53.6.96 255.255.255.240 GigabitEthernet0/0 10.207.6.116
ip route xxx.65.80.1 255.255.255.255 GigabitEthernet0/0
ip route 172.23.56.0 255.255.254.0 GigabitEthernet0/0 10.207.6.116
!
!
route-map VoIP-NAT permit 10
match ip address 110
set as-path prepend 1 1 1 1
!
access-list 110 remark VoIP Data ip NAT
access-list 110 permit ip 172.23.56.0 0.0.1.255 xxx.127.255.0 0.0.0.255
!