cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2501
Views
0
Helpful
2
Replies

Dual ISP active/passive failover with Static Nat on Cisco 1941

Hi everyone,

I am working on a configuration for a client and I have everything in place right now except the static NAT'ing.  The config fails over from one ISP to another with SLA track and static weighted default routes, the PAT fails over with route-maps to each interface.  Question is, is there a way to fail over the large amount of static NAT entries to the backup ISP?  So far everything I have read says no because you can only have one static NAT entry per ip/port combo, other than configuring another duplicate server with a different IP.  I just want to be sure before I make my recommendations, any thoughts are greatly appreciated.

 

Thanks,

Brandon

1 Accepted Solution

Accepted Solutions

ghostinthenet
Level 7
Level 7

Actually, you can as long as you're using standard NAT ("ip nat inside source static") and not using NVI ("ip nat source static") for your forwards. You apply the route-map at the end of the static NAT statement to indicate which interface it should apply to. So, if you have something like this:

ip access-list extended ACL_NAT
permit ip 192.168.0.0 255.255.255.0 any

!
route-map RM_NAT_ISP1
 match ip address ACL_NAT
 match interface GigabitEthernet0/1
!
route-map RM_NAT_ISP2
 match ip address ACL_NAT
 match interface GigabitEthernet0/2

Using port 80/tcp as an example, you can do this:

ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80 route-map RM_NAT_ISP1
ip nat inside source static tcp x.x.x.x 80 z.z.z.z 80 route-map RM_NAT_ISP2

Just substitute x.x.x.x with the LAN address of the machine you're forwarding to, y.y.y.y with the WAN address you're forwarding from on ISP1 and z.z.z.z with the WAN address of the ISP you're forwarding from on ISP2. The static NAT will be conditional on the route-map at this point.

This works with TCP, UDP and IP forwarding but does require that you use an IPv4 address for your WAN address. For whatever reason, it doesn't work if you use an interface... so if you're using dynamic addresses, this will be more complicated.

View solution in original post

2 Replies 2

ghostinthenet
Level 7
Level 7

Actually, you can as long as you're using standard NAT ("ip nat inside source static") and not using NVI ("ip nat source static") for your forwards. You apply the route-map at the end of the static NAT statement to indicate which interface it should apply to. So, if you have something like this:

ip access-list extended ACL_NAT
permit ip 192.168.0.0 255.255.255.0 any

!
route-map RM_NAT_ISP1
 match ip address ACL_NAT
 match interface GigabitEthernet0/1
!
route-map RM_NAT_ISP2
 match ip address ACL_NAT
 match interface GigabitEthernet0/2

Using port 80/tcp as an example, you can do this:

ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80 route-map RM_NAT_ISP1
ip nat inside source static tcp x.x.x.x 80 z.z.z.z 80 route-map RM_NAT_ISP2

Just substitute x.x.x.x with the LAN address of the machine you're forwarding to, y.y.y.y with the WAN address you're forwarding from on ISP1 and z.z.z.z with the WAN address of the ISP you're forwarding from on ISP2. The static NAT will be conditional on the route-map at this point.

This works with TCP, UDP and IP forwarding but does require that you use an IPv4 address for your WAN address. For whatever reason, it doesn't work if you use an interface... so if you're using dynamic addresses, this will be more complicated.

Thanks you so much for the great input, worked like a charm, so while I have you I'd like to run this by you as well.  I have this network mocked up in GNS3 before I take it live and I know GNS3 can be buggy so I just want to get an opinion.  As I described in my first post everything fails over from one static route to another and everything is working great now, thanks to your help, except the VPN failover.  The VPN works perfect establishing from the main site to the branch on the primary, both sites can communicate via the VPN, if I run a show crypto isakmp sa I see the correct source and destination points for the tunnel.  But if I clear that association and shut down the Primary port at the main site, I can only establish the tunnel if I try to connect from the main site to the branch, if I try to establish the tunnel from the branch to the main site through the secondary connection pings timeout and running the same show commands shows that addresses backwards ie. the source address is the destination and the destination address is the source.  Is this a bug in GNS3 or do I have an error in my configs.  I have attached both configs if anyone would like to comment.  I appreciate the help.

 

Brandon

Review Cisco Networking for a $25 gift card