Dual Routers, NAT Failover between routers

switched switch
Level 1

Hi All,

We have customers that we will soon NAT for. These customers connect to an aggregate switch, with dual uplink (aggregate) routers running HSRP on the inside interface. The outside interface is OSPF up to our border routers.

At the aggregate routers, I plan to use the below code to NAT the inside to the outside interface for each customer, i.e. there will be CUST1 -> CUST100 scenarios.

This will work fine I believe, although I am still thinking about how best to place the NAT POOL (public IPs) supernet into the routing table (e.g. a /25 block). I am thinking it's best to redistribute this into OSPF with a tracking object on the HSRP interface. This way if the router fails, the upstream router will lose the route, and also, if the HSRP drops, the route should also be removed.

What I am trying to wrap my head around is how this will work in a failover scenario. I.e. I want to have CUST1 be able to fail over to the other aggregate HSRP router when the primary aggregate router fails. As mentioned above, the 'outside' interfaces of these aggregate routers are still inside our network - the purpose of the aggregate routers is for redundancy. Do I configure the exact same NAT pools on the backup aggregate routers as well, and have the NAT supernet prefix redistribute with a tracking object of the HSRP interface?

I suspect we need to align the tracking object timer to match that of the HSRP active/standby preemption - if these times are mismatched, traffic is blackholed.

Any comments welcome as I gloss over this conundrum!

! One public address per customer, used as a PAT (overload) pool
ip nat pool CUST1 212.XXX.XXX.1 212.XXX.XXX.1 netmask 255.255.255.252
!
! Named standard ACL selecting the customer's inside subnet
ip access-list standard CUST1
 permit 192.168.201.0 0.0.0.255
!
ip nat inside source list CUST1 pool CUST1 overload
!
interface GigabitEthernet0/0
 ip nat outside
!
interface GigabitEthernet0/1
 ip nat inside
Accepted Solution

Hello,

Not sure if this is what you are after, but in an HSRP and NAT scenario, you would need to configure Stateful NAT, as described in the document below:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/15-2mt/iadnat-ha.html#GUID-0BD7C34A-ADD0-451F-9443-1F0969CF98A0



Hello Georg,

Many thanks for your suggestion.

A couple of points I want to clarify:

1) I notice this feature is almost deprecated - is there a replacement feature?

2) Should we require a port map translation, i.e. a customer wants their internal server open externally, I assume this would need configuring on both the HSRP routers?

Would it be best that the public block of NAT IP addresses be redistributed into OSPF such that upstream routers are aware of the path to the public NAT IPs? And should these be redistributed at different costs with a tracking object? How best will this function?
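The following sketch ties together the two pieces discussed in this thread: Stateful NAT bound to the HSRP group (the accepted answer) and the tracked route the original poster proposes for getting the public block into OSPF. It is an added illustration, not configuration from any reply or from the linked Cisco document; the public block 203.0.113.0/25, the interface numbers, the HSRP group name SNATHSRP, the mapping-id, the track object number and the timer values are all assumed placeholders.

```cisco
! Added example; addresses and names are constructed placeholders.
! 203.0.113.0/25 stands in for the real public NAT block.
!
! Track the inside (HSRP) interface. The up/down delays here are what
! must be aligned with the HSRP preempt delay, so that the route and the
! active role move together instead of briefly blackholing traffic.
track 1 interface GigabitEthernet0/1 line-protocol
 delay up 60 down 5
!
interface GigabitEthernet0/0
 description outside - towards border routers (OSPF)
 ip nat outside
!
interface GigabitEthernet0/1
 description inside - towards customer aggregate switch
 ip address 192.168.201.2 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.201.1
 standby 1 name SNATHSRP
 standby 1 priority 110
 standby 1 preempt delay minimum 60
!
! Stateful NAT bound to the HSRP group: translation entries are
! replicated to the standby, so existing sessions survive a failover.
ip nat stateful id 1
 redundancy SNATHSRP
  mapping-id 10
!
! Per-customer PAT, tagged with the mapping-id so it is replicated.
ip nat pool CUST1 203.0.113.1 203.0.113.1 netmask 255.255.255.252
ip access-list standard CUST1
 permit 192.168.201.0 0.0.0.255
ip nat inside source list CUST1 pool CUST1 mapping-id 10 overload
!
! Hold the whole public block as a Null0 route that exists only while
! track 1 is up, then redistribute it into OSPF. If the inside interface
! goes down the static route is withdrawn and upstream loses the path.
ip route 203.0.113.0 255.255.255.128 Null0 track 1
!
ip prefix-list NAT-BLOCK seq 5 permit 203.0.113.0/25
route-map NAT-BLOCK permit 10
 match ip address prefix-list NAT-BLOCK
!
router ospf 1
 redistribute static subnets route-map NAT-BLOCK
```

The peer aggregate router carries the same NAT, track and route configuration with a lower standby priority, so both routers advertise the block while their inside interface is up and the HSRP active router does the translating.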
