07-24-2018 11:02 PM
Hi guys,
I've got a tricky one I'm trying to work out. I have 2x Cisco 2851s to provide redundancy to clients. I've configured VRRP for the LAN side as follows for both routers:
r1:
interface GigabitEthernet0/0.1
description Gi0/0.1 Office GW
encapsulation dot1Q 1 native
ip address 192.168.1.154 255.255.255.0
ip nat inside
ip virtual-reassembly
vrrp 1 description Office GW
vrrp 1 ip 192.168.1.254
vrrp 1 timers advertise msec 300
vrrp 1 preempt delay minimum 10
vrrp 1 priority 200
!
r2:
interface GigabitEthernet0/0.1
description Gi0/0.1 Office Gateway
encapsulation dot1Q 1 native
ip address 192.168.1.153 255.255.255.0
ip nat inside
ip virtual-reassembly
vrrp 1 description Office Gateway
vrrp 1 ip 192.168.1.254
vrrp 1 timers advertise msec 300
vrrp 1 preempt delay minimum 10
end
All client PCs have their gateway set as 192.168.1.254, which is working nicely. The problem I am trying to work out is with the WAN IP address. Let's say for example we have a public WAN IP of 123.123.123.123:
I've been reading up that you can cheat with VRRP by using a private IP for VRRP and then just putting an ip route in for the public IP. The problem here is that NAT is trying to come from the primary IP instead of 123.123.123.123. I can ping 123.123.123.123 from any of the workstations, but because it's trying to use NAT with 172.15.5.1, which is not a routable subnet, I get no internet:
r1:
interface GigabitEthernet0/0.5
description Gi0/0.5 Office WAN
encapsulation dot1Q 5
ip address 172.17.5.254 255.255.255.0
ip flow ingress
ip nat outside
ip virtual-reassembly
vrrp 5 description Office WAN
vrrp 5 ip 172.17.5.1
vrrp 5 ip 123.123.123.123 secondary
vrrp 5 timers advertise msec 300
vrrp 5 preempt delay minimum 10
vrrp 5 priority 200
no cdp enable
!
ip route 123.123.123.120 255.255.255.248 GigabitEthernet0/0.5
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0.5 overload
r2:
interface GigabitEthernet0/0.5
description Gi0/0.5 Office WAN
encapsulation dot1Q 5
ip address 172.17.5.253 255.255.255.0
ip flow ingress
ip nat outside
ip virtual-reassembly
vrrp 5 description Office WAN
vrrp 5 ip 172.17.5.1
vrrp 5 ip 123.123.123.123 secondary
vrrp 5 timers advertise msec 300
vrrp 5 preempt delay minimum 10
vrrp 5 priority 200
no cdp enable
!
ip route 123.123.123.120 255.255.255.248 GigabitEthernet0/0.5
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0.5 overload
Basically I want to use VRRP with NAT so that both routers will always use the same WAN IP of 123.123.123.123. I did try changing the config to the following, which worked, but the problem here is that NAT wanted to use 123.123.123.121 as the NAT source instead of 123.123.123.123. Is there any way to get it to use 123.123.123.123 as the NAT source while still using VRRP, or is this too complicated for what I'm after?
interface GigabitEthernet0/0.5
description Gi0/0.5 Office WAN
encapsulation dot1Q 5
ip address 123.123.123.121 255.255.255.248
ip flow ingress
ip nat outside
ip virtual-reassembly
vrrp 5 description Office WAN
vrrp 5 ip 123.123.123.123
vrrp 5 timers advertise msec 300
vrrp 5 preempt delay minimum 10
vrrp 5 priority 200
no cdp enable
Cheers, Mike
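The mismatch Mike describes (PAT with `interface ... overload` translating to the interface's primary address, not the VRRP virtual address) can be caught before deployment with a small config check. This is an added example, not code from the thread; it parses IOS-style `interface`, `ip address` and `vrrp ... ip` lines and flags any `ip nat inside source ... interface X overload` whose interface X has a private primary address. The sample config is constructed from the WAN snippet in the question.

```python
import ipaddress
import re

# Constructed sample: the WAN-side config from the question, with the private
# transport address as primary and the public address only as a VRRP secondary.
SAMPLE_BROKEN = """\
interface GigabitEthernet0/0.5
 ip address 172.17.5.254 255.255.255.0
 ip nat outside
 vrrp 5 ip 172.17.5.1
 vrrp 5 ip 123.123.123.123 secondary
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0.5 overload
"""

def parse_interfaces(config):
    """Map interface name -> primary IPv4Interface (or None) and its VRRP virtual addresses."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = ifaces.setdefault(m.group(1), {"primary": None, "vrrp": []})
            continue
        if line in ("!", "end"):          # end of the interface block
            current = None
        if current is None:
            continue
        m = re.match(r"^ip address (\S+) (\S+)$", line)  # 'secondary' lines do not match
        if m:
            current["primary"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"^vrrp \d+ ip (\S+)", line)
        if m:
            current["vrrp"].append(ipaddress.IPv4Address(m.group(1)))
    return ifaces

def nat_source_findings(config):
    """Flag PAT statements whose source interface translates to a non-routable or unexpected address."""
    ifaces, findings = parse_interfaces(config), []
    pat = r"^ip nat inside source list \S+ interface (\S+) overload"
    for m in re.finditer(pat, config, re.M):
        name, info = m.group(1), ifaces.get(m.group(1))
        if info is None or info["primary"] is None:
            findings.append(f"{name}: NAT source interface has no primary address")
            continue
        src = info["primary"].ip
        public_vrrp = [str(v) for v in info["vrrp"] if not v.is_private]
        if src.is_private:   # the failure mode in the question: PAT egresses as 172.17.5.x
            findings.append(f"{name}: PAT egresses as primary {src} (private); VRRP "
                            f"address(es) {public_vrrp or 'none'} are not used as NAT source")
        elif public_vrrp:    # public primary, but still not the VRRP address (the .121 case)
            findings.append(f"{name}: PAT egresses as primary {src}, not VRRP {public_vrrp}")
    return findings
```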
07-25-2018 09:40 AM
This resource will help you with the HA NAT; however, this part, "Basically I want to use VRRP with NAT so that both routers will always use the same WAN IP of 123.123.123.123", I see as a problem.
Obviously I don't know how your WAN is connected, but this will pose some challenges, first at L2 and then at L3.
Do you have another switch on the WAN side so you have L2 communication? Then at L3, same ISP or different ISPs?
Seems to me that you want to have L3 HA on LAN and WAN plus SNAT.
Calin
07-25-2018 04:02 PM
Hi Calin,
Both connections are through the same ISP with 2 different usernames. RADIUS is passing the subnet route through on both connections. There is a Cisco 3750 switch on the WAN side which takes the incoming connection from the NTD, which I hand off via a VLAN to both 2851s.
Cheers, Mike
07-26-2018 10:09 AM
The problem is that the next hop router (which is the L3 on your private subnet used for transport) knows the path back to respond to packets (just because it will have an L3 interface in the same transport subnet which you actually use for NAT); however, the next hop (of 123.123.123.123) has no idea of a route to your private subnet (172.17.5.x).
You would need to either NAT to a public (routable) IP or have your ISP do a second NAT of 172.17.5.x to a public IP (which I don't think will happen).
Another solution is to use a public subnet for your transport (like a /29 or something to accommodate all your devices involved in routing).
Does this help?
Calin
07-26-2018 05:18 PM
Hi Calin,
No worries mate, yeah I thought this was the case. I ended up just using VRRP for the WAN IP for the exchange server's default gateway and left the single IP on each router that's part of the /29.
Cheers, Mike