04-30-2017 05:42 AM - edited 03-08-2019 10:23 AM
Hi All,
We have customers that we will soon NAT for. These customers connect to an aggregate switch, with dual uplink (aggregate) routers running HSRP on the inside interface. The outside interface is OSPF up to our border routers.
At the aggregate routers, I plan to use the below code to NAT the inside to the outside interface for each customer, i.e. there will be CUST1 -> CUST100 scenarios.
This will work fine I believe, although I am still thinking about how best to place the NAT POOL (public IPs) supernet into the routing table (e.g. a /25 block). I am thinking it's best to redistribute this into OSPF with a tracking object on the HSRP interface. This way if the router fails, the upstream router will lose the route, and also, if the HSRP drops, the route should also be removed.
What I am trying to wrap my head around is how this will work in a failover scenario, i.e. I want to have CUST1 be able to fail over to the other aggregate HSRP router when the primary aggregate router fails. As mentioned above, the 'outside' interfaces of these aggregate routers are still inside our network - the purpose of the aggregate routers is for redundancy. Do I configure the exact same NAT pools on the backup aggregate routers as well, and have the NAT supernet prefix redistribute with a tracking object of the HSRP interface?
I suspect we need to align the tracking object time to match that of the HSRP active/standby preemption - if these times are mismatched, traffic is blackholed.
Any comments welcome as I gloss over this conundrum!
ip nat pool CUST1 212.XXX.XXX.1 212.XXX.XXX.1 netmask 255.255.255.252
ip access-list standard CUST1
 permit 192.168.201.0 0.0.0.255
ip nat inside source list CUST1 pool CUST1 overload
interface gi 0/0
 ip nat outside
interface gi 0/1
 ip nat inside
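Added example (not from the original post or from Cisco's documentation): one way to lay out the two aggregate routers described above, with the same per-customer pool on both, the public NAT supernet injected into OSPF only while the inside (HSRP) interface is up, and Stateful NAT bound to the HSRP group so existing translations survive a failover. Interface names, the 203.0.113.0/25 block, the group name SNATHSRP and the track/mapping numbers are assumptions.

```cisco
! Apply on BOTH aggregate routers; only the real interface IPs and the
! HSRP priority differ. All addresses and names are constructed examples.

! Track the inside (HSRP) interface: the NAT supernet route depends on it.
track 10 interface GigabitEthernet0/1 line-protocol

interface GigabitEthernet0/1
 description inside - towards customer aggregate switch
 ip address 192.168.201.2 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.201.1
 standby 1 priority 110
 ! preempt delay gives NAT state and OSPF time to converge before the
 ! returning router takes the active role again (the timing concern above)
 standby 1 preempt delay minimum 60
 standby 1 name SNATHSRP

interface GigabitEthernet0/0
 description outside - OSPF towards border routers
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
 ip ospf 1 area 0

! Stateful NAT tied to the HSRP group: translations created on the active
! router are replicated to the standby, so flows continue after failover.
ip nat stateful id 1
 redundancy SNATHSRP
  mapping-id 10

! Per-customer NAT (CUST1 shown; repeat per customer with its own pool
! address out of the public /25). Identical on both routers.
ip access-list standard CUST1
 permit 192.168.201.0 0.0.0.255
ip nat pool CUST1 203.0.113.1 203.0.113.1 netmask 255.255.255.252
ip nat inside source list CUST1 pool CUST1 mapping-id 10 overload

! Advertise the whole public /25 as one prefix, but only while the inside
! interface is up: when track 10 goes down the Null0 route is withdrawn,
! the redistributed prefix disappears, and the border routers stop
! sending return traffic to this router.
ip route 203.0.113.0 255.255.255.128 Null0 track 10
ip prefix-list NAT-SUPERNET seq 5 permit 203.0.113.0/25
route-map NAT-SUPERNET permit 10
 match ip address prefix-list NAT-SUPERNET
router ospf 1
 redistribute static subnets route-map NAT-SUPERNET
```

Both routers advertise the /25 while their inside interfaces are up; on the standby, add a higher `metric` to the `redistribute static` line so the border routers prefer the active router and only fall back to the standby when its route is the only one left.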
04-30-2017 12:09 PM
Hello,
Not sure if this is what you are after, but in an HSRP and NAT scenario you would need to configure Stateful NAT, as described in the document below:
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/15-2mt/iadnat-ha.html#GUID-0BD7C34A-ADD0-451F-9443-1F0969CF98A0
05-01-2017 05:39 AM
Hello Georg,
Many thanks for your suggestion.
A couple of points I want to clarify:
1) I notice this feature is almost deprecated - is there a replacement feature?
2) Should we require a port map translation, i.e. a customer wants their internal server open externally, I assume this would need configuring on both the HSRP routers?
Would it be best that the public block of NAT IP addresses be redistributed into OSPF such that upstream routers are aware of the path to the public NAT IPs? And should these be redistributed at different costs with a tracking object? How best will this function?