11-04-2011 02:23 PM - edited 03-07-2019 03:14 AM
Hi,
Currently I am configuring two Cisco 3925s with the static NAT feature with HSRP integration, adding the standby group to the NAT configuration.
The topology I am working on is two edge routers with a firewall behind them. The routers are connected to the outside interface of the firewall. What I am doing on the edge routers is receiving the Internet links, doing some load balancing with PBR, and exposing other services to the Internet on the routers. All the firewall does is block traffic coming from the Internet to the LAN network. The routers have HSRP enabled on the interface that faces the firewalls, and the HSRP and NAT feature is enabled on this.
All the time I see the duplicate address message on both routers, and when I put all the load on them they start behaving kind of strange.
I lose connectivity to the Internet and it gets really slow.
So I would like to know if this feature is good practice to use, or whether I should do something different.
I also would like to know if this interferes with some other features I have running on these routers, like VRF-Lite and EIGRP.
Best regards.
11-04-2011 02:27 PM
Hi,
Can you post the config of the routers as well as the message you see?
Alain
11-09-2011 07:58 AM
Yes, here is the configuration:
EDGE-ROUTER-BUP#show run
Building configuration...
Current configuration : 17474 bytes
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EDGE-ROUTER-BUP
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip vrf INTANET
rd 65355:10
route-target export 65355:10
route-target import 65355:10
!
!
ip dhcp pool INVITADOS
network 192.168.108.0 255.255.255.0
default-router 192.168.108.1
domain-name conconcreto.com
dns-server 208.67.222.222 208.67.220.220
lease 0 2
!
!
no ip bootp server
no ip domain lookup
login block-for 300 attempts 5 within 60
multilink bundle-name authenticated
!
!
!
class-map match-any voip
match access-group 122
class-map match-any Videoconferencia
match access-group 120
class-map match-any PBR
match protocol http host "*mail.google.com*"
match protocol http host "*gmail*"
match protocol http host "*google*"
match protocol http host "*conconcreto*"
match protocol http host "*youtube*"
match access-group name PBR-list
class-map match-all SAP
match access-group 121
class-map match-any http-out
match protocol http
match protocol dns
match protocol ssh
match protocol smtp
match protocol pop3
match protocol imap
match protocol ipsec
match protocol isakmp
class-map match-any Routing
match protocol eigrp
match protocol rsvp
class-map match-all SAP-return
match access-group 127
!
!
policy-map QoS
class Videoconferencia
bandwidth remaining percent 45
class SAP
bandwidth remaining percent 15
class Routing
bandwidth remaining percent 2
set dscp cs6
class voip
priority percent 20
class class-default
fair-queue
policy-map shape-all-telmex
class class-default
shape average 10000000
service-policy QoS
policy-map shape-all
class class-default
shape average 3000000
service-policy QoS
policy-map qos-girardota-une
class voip
priority 16
class SAP-return
bandwidth remaining percent 15
class class-default
fair-queue
random-detect
policy-map shape-all-girardota-une
class class-default
shape average 900000
service-policy qos-girardota-une
policy-map QoS-out
class http-out
priority percent 60
class class-default
fair-queue
random-detect
policy-map qos-girardota
class voip
priority 320
class SAP-return
bandwidth remaining percent 15
class class-default
fair-queue
random-detect
policy-map shape-all-20M
class class-default
shape average 45000000
service-policy QoS
policy-map shape-all-bog-telmex
class class-default
shape average 4000000
service-policy QoS
policy-map shape-all-sao-telmex
class class-default
shape average 6000000
service-policy QoS
policy-map marking-in
class PBR
set dscp af31
policy-map marcado
class voip
set dscp ef
class SAP
set dscp af21
class Videoconferencia
set dscp af41
policy-map shape-all-girardota
class class-default
police 2000000 conform-action transmit exceed-action drop violate-action drop
shape average 2000000
service-policy qos-girardota
!
!
!
!
!
interface GigabitEthernet0/0
description internet vffvf
bandwidth 10000
ip address 190.0.Y.X 255.255.255.252
ip access-group bogons in
no ip redirects
no ip unreachables
no ip proxy-arp
ip load-sharing per-packet
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex full
speed 100
!
interface GigabitEthernet0/1
description internet SDD
bandwidth 6000
ip address 201.234.W.R 255.255.255.248
ip access-group bogons in
no ip redirects
no ip unreachables
no ip proxy-arp
ip load-sharing per-packet
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description internet ghh
bandwidth 8000
ip address 190.144.SS.EE 255.255.255.248
ip access-group bogons in
no ip redirects
no ip unreachables
no ip proxy-arp
ip load-sharing per-packet
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex full
speed 100
media-type rj45
!
interface GigabitEthernet0/1/0
description conexion interna
!
interface GigabitEthernet0/1/1
description Conexion ASA INTRANET
switchport access vlan 7
load-interval 30
!
interface GigabitEthernet0/1/2
description Conexion Radio Gerencia-Sao-Paulo
switchport access vlan 100
load-interval 30
!
interface GigabitEthernet0/1/3
description conexion Gerencia-Mantenimiento GC
switchport mode trunk
load-interval 30
speed 100
!
interface GigabitEthernet0/1/4
description conexion telmex Gerencia-BOG Gerencia-Sao
switchport access vlan 110
load-interval 30
!
interface GigabitEthernet0/1/5
description Conexion UNE Gerencia-Mantenimiento
switchport access vlan 120
load-interval 30
speed 100
!
interface GigabitEthernet0/1/6
description Conexion GC Gerencia-BOG
switchport access vlan 130
load-interval 30
speed 100
!
interface GigabitEthernet0/1/7
description Salida Invitados
switchport access vlan 108
load-interval 30
speed 100
!
interface Vlan1
ip address 192.168.200.252 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
standby 10 ip 192.168.200.254
standby 10 preempt delay minimum 10
standby 10 name HA
load-interval 30
!
interface Vlan108
ip address 192.168.108.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip load-sharing per-packet
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly in
standby 2 ip 192.168.108.1
standby 2 priority 200
standby 2 name HAG
load-interval 30
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-export source GigabitEthernet0/2
ip flow-export version 9
ip flow-export destination 190.29.25.195 9998
!
ip nat Stateful id 1
redundancy HA
mapping-id 50
protocol udp
ip nat pool telmex 190.144.136.130 190.144.136.133 netmask 255.255.255.248
ip nat pool gc 201.234.180.114 201.234.180.117 netmask 255.255.255.248
ip nat pool une 190.0.33.74 190.0.33.74 netmask 255.255.255.252
ip nat inside source route-map GC pool gc mapping-id 50 overload
ip nat inside source route-map TELMEX pool telmex mapping-id 50 overload
ip nat inside source route-map UNE pool une overload
ip nat inside source static tcp 10.1.1.34 80 190.144.136.132 80 redundancy HA extendable
ip nat inside source static tcp 10.1.1.36 80 190.144.136.134 80 redundancy HA extendable
ip nat inside source static tcp 10.1.1.41 21 201.234.180.116 21 redundancy HA extendable
ip nat inside source static tcp 10.1.1.41 80 201.234.180.116 80 redundancy HA extendable
ip nat inside source static tcp 10.1.1.41 1433 201.234.180.116 1433 redundancy HA extendable
ip nat inside source static tcp 10.1.1.41 3389 201.234.180.116 3389 redundancy HA extendable
ip nat inside source static tcp 10.1.1.41 4263 201.234.180.116 4263 redundancy HA extendable
ip nat inside source static tcp 10.1.1.32 80 201.234.180.118 80 redundancy HA extendable
ip route 0.0.0.0 0.0.0.0 201.234.180.113
ip route 0.0.0.0 0.0.0.0 190.144.136.129
ip route 0.0.0.0 0.0.0.0 190.0.33.73
ip route 4.2.2.2 255.255.255.255 190.144.136.129
ip route 10.0.0.0 255.0.0.0 192.168.200.1
ip route 172.24.0.0 255.255.0.0 192.168.200.1
ip route 190.29.25.195 255.255.255.255 190.144.136.129
ip route 200.13.224.254 255.255.255.255 190.0.33.73
ip route 200.13.249.101 255.255.255.255 190.0.33.73
!
ip access-list standard bogons
deny 0.0.0.0 0.255.255.255 log
deny 5.0.0.0 0.255.255.255
deny 10.0.0.0 0.255.255.255
deny 23.0.0.0 0.255.255.255
deny 37.0.0.0 0.255.255.255
deny 39.0.0.0 0.255.255.255
deny 100.0.0.0 0.255.255.255
deny 102.0.0.0 1.255.255.255
deny 104.0.0.0 0.255.255.255
deny 106.0.0.0 0.255.255.255
deny 127.0.0.0 0.255.255.255
deny 169.254.0.0 0.0.255.255
deny 172.16.0.0 0.15.255.255
deny 179.0.0.0 0.255.255.255
deny 185.0.0.0 0.255.255.255
deny 192.0.2.0 0.0.0.255
deny 192.168.0.0 0.0.255.255
deny 198.18.0.0 0.1.255.255
deny 198.51.100.0 0.0.0.255
deny 203.0.113.0 0.0.0.255
deny 224.0.0.0 31.255.255.255
permit any
!
ip access-list extended PBR-list
permit ip any 72.14.192.0 0.0.63.255
permit ip any 74.125.0.0 0.0.255.255
permit ip any 216.239.0.0 0.0.255.255
permit ip any 209.0.0.0 0.255.255.255
permit ip any 74.0.0.0 0.255.255.255
ip access-list extended lista-DNS
permit ip any host 4.2.2.2
permit ip any host 208.67.220.220
permit ip any host 208.67.222.222
ip access-list extended lista-GOOGLE
permit ip 192.168.200.64 0.0.0.31 any
permit ip any 72.14.192.0 0.0.63.255
permit ip any 74.125.0.0 0.0.255.255
permit ip any 216.239.0.0 0.0.255.255
permit ip any 209.0.0.0 0.255.255.255
permit ip any 74.0.0.0 0.255.255.255
permit ip any 190.248.0.0 0.0.255.255
permit ip any 66.132.0.0 0.0.255.255
permit ip any host 200.13.249.101
permit ip any host 200.13.224.254
ip access-list extended lista-NAVEGACION
deny ip 192.168.200.32 0.0.0.31 any dscp af31
permit ip 192.168.200.32 0.0.0.31 any
permit ip 192.168.108.0 0.0.0.255 any
permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended lista-VPN
permit udp host 192.168.200.1 eq isakmp any
permit udp host 192.168.200.1 eq non500-isakmp any
permit esp host 192.168.200.1 any
permit ip 192.168.200.96 0.0.0.31 any
permit ip any host 200.26.137.100
permit ip 10.0.0.0 0.255.255.255 host 190.144.136.133
ip access-list extended lista-serexp-GC
permit ip host 192.168.200.15 any
permit ip host 192.168.200.16 any
permit ip host 192.168.200.17 any
permit ip host 192.168.200.18 any
ip access-list extended lista-serexp-TELMEX
permit ip host 192.168.200.19 any
permit ip host 10.1.1.34 any
!
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 190.29.25.195
access-list 2 permit 192.168.100.151
access-list 2 permit 10.0.0.0 0.255.255.255
access-list 2 permit 192.168.200.0 0.0.0.255
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 host 190.144.136.133
access-list 101 deny ip 192.168.200.0 0.0.0.255 host 190.144.136.133
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit ip 192.168.108.0 0.0.0.255 any
access-list 120 permit ip 10.1.253.0 0.0.0.15 any
access-list 120 permit ip any 10.1.62.0 0.0.0.255
access-list 120 permit ip any 10.2.253.0 0.0.0.255
access-list 121 permit ip 10.0.0.0 0.255.255.255 172.24.3.0 0.0.0.255
access-list 121 permit tcp 10.0.0.0 0.255.255.255 host 200.74.143.135 range 3200 3399
access-list 121 permit ip 172.24.3.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 121 permit tcp host 200.74.143.135 range 3200 3399 10.0.0.0 0.255.255.255
access-list 122 permit ip 10.1.150.0 0.0.0.255 any
access-list 122 permit ip any any dscp ef
access-list 122 permit ip any any precedence critical
access-list 122 permit ip any 10.1.65.0 0.0.0.255
access-list 127 permit ip 172.24.3.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map GC permit 10
match ip address 101
match interface GigabitEthernet0/1
!
route-map TELMEX permit 10
match ip address 101
match interface GigabitEthernet0/2
!
route-map ISP permit 5
match ip address lista-GOOGLE
set ip next-hop 190.0.33.74
!
route-map ISP permit 10
match ip address lista-VPN lista-serexp-TELMEX lista-DNS
set ip next-hop 190.144.136.129
!
route-map ISP permit 15
match ip address lista-NAVEGACION lista-serexp-GC
set ip next-hop 201.234.180.113
!
route-map UNE permit 10
match ip address 101
match interface GigabitEthernet0/0
!
!
As you can see, I have an HSRP group configured for NAT on HA, but I get a duplicate IP message all the time, and when I put all the traffic on it the router gets stuck.
Regards.
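A small consistency check, added here as an example and not something from the thread or from Cisco: it parses an IOS-style NAT/HSRP fragment modelled on the config above (a constructed sample, with one deliberately misspelled pool name and one unknown group name) and reports pool and `redundancy` references that do not resolve, plus static global addresses that also fall inside a dynamic pool.

```python
import ipaddress
import re
from typing import List

# Constructed sample modelled on the thread's config; 'telex' and 'HSRP1' are
# deliberate mismatches so the checks below have something to find.
SAMPLE_CONFIG = """\
interface Vlan1
 ip nat inside
 standby 10 ip 192.168.200.254
 standby 10 name HA
ip nat pool telmex 190.144.136.130 190.144.136.133 netmask 255.255.255.248
ip nat inside source route-map TELMEX pool telex mapping-id 50 overload
ip nat inside source static tcp 10.1.1.34 80 190.144.136.132 80 redundancy HA extendable
ip nat inside source static tcp 10.1.1.41 80 201.234.180.116 80 redundancy HSRP1 extendable
"""


def lint_nat_config(config: str) -> List[str]:
    """Return human-readable findings for NAT statements in an IOS-style config."""
    findings: List[str] = []
    # Pools: name plus start/end address of the range.
    pools = {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
             for m in re.finditer(r"^ip nat pool (\S+) (\S+) (\S+)", config, re.M)}
    # HSRP group names that a 'redundancy <name>' keyword can legitimately refer to.
    groups = set(re.findall(r"^\s*standby \d+ name (\S+)", config, re.M))

    # 1. Dynamic NAT statements must reference a pool that is actually defined.
    for m in re.finditer(r"^ip nat inside source .*\bpool (\S+)", config, re.M):
        if m.group(1) not in pools:
            findings.append(f"pool '{m.group(1)}' referenced but not defined")

    # 2. 'redundancy <name>' on a static NAT must name an existing HSRP group.
    for m in re.finditer(r"^ip nat inside source static .*\bredundancy (\S+)", config, re.M):
        if m.group(1) not in groups:
            findings.append(f"HSRP group '{m.group(1)}' referenced but no 'standby N name {m.group(1)}' exists")

    # 3. Informational: a static global address that also sits inside a dynamic
    #    overload pool is shared between the two mappings (tcp/udp port form only).
    for m in re.finditer(r"^ip nat inside source static (?:tcp|udp) \S+ \d+ (\S+) \d+", config, re.M):
        addr = ipaddress.ip_address(m.group(1))
        for name, (lo, hi) in pools.items():
            if lo <= addr <= hi:
                findings.append(f"static global {addr} also lies inside dynamic pool {name} ({lo}-{hi})")
    return findings


if __name__ == "__main__":
    for line in lint_nat_config(SAMPLE_CONFIG):
        print(line)
```

Run it against a full `show run` saved to a file to see every unresolved reference before touching HSRP priorities or pool ranges.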
11-12-2011 06:47 AM
Any help on this case?
I am still having the same problem.
Regards.