NAT translation at HSRP group

teymur azimov · ‎10-10-2011

Hi dears

this is my configuration at router.

i know hsrp configuration but i want you to help me how to apply hsrp config to my nat translations??

interface GigabitEthernet0/0

ip address x.x.x.62 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface GigabitEthernet0/1

description connect to ASA outside

ip address 10.0.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip nat pool Internet x.x.x.2 x.x.x.4 netmask 255.255.255.240

ip nat inside source list NAT pool Internet overload

ip nat inside source static tcp 10.0.0.10 25 x.x.x.5 25 extendable

ip nat inside source static udp 10.0.0.2 500 x.x.x.6 500 extendable

ip nat inside source static udp 10.0.0.2 4500 x.x.x.6 4500 extendable

ip nat inside source static tcp 10.0.0.11 80 x.x.x.7 80 extendable

ip nat inside source static tcp 10.0.0.11 443 x.x.x.7 443 extendable

ip nat inside source static 192.168.193.252 x.x.x.8

ip nat inside source static 192.168.193.254 x.x.x.9

ip nat inside source static 10.0.0.254 x.x.x.10

ip route 0.0.0.0 0.0.0.0 x.x.x.61

ip route 10.10.1.0 255.255.255.0 10.0.0.2

cadet alain · ‎10-10-2011

Hi,

1) For dynamic NAT:

Active HSRP Router

interface g0/1

ip address 10.0.0.1 255.255.255.0

standby 1 ip 10.0.0.x

standby 1 priority 105

standby 1 preempt

standby name HSRP-1

ip nat stateful id 1

redundancy HSRP-1

mapping-id 50

no ip nat inside source list NAT pool Internet overload

ip nat inside source list 1 pool internet mapping-id 50 overload

Standby HSRP Router

interface g0/1

ip address 10.0.0.2 255.255.255.0

standby 1 ip 10.0.0.x

standby 1 preempt

standby name HSRP-1

ip nat stateful id 2

redundancy HSRP-1

mapping-id 50

ip nat inside source list 1 pool internet mapping-id 50 overload

2) for static NAT:

just add the redundancy HSRP-1 to your static NAT commands

Regards.

Alain.

Don't forget to rate helpful posts.

Latchum Naidu · ‎10-10-2011

Hi Teymur,

Here is the example config as per best practice.

ACTIVE ROUTER CONFIG:

interface GigabitEthernet0/0
ip address xxxxxxxxxxxxx
standby delay minimum 20 reload 20
standby 10 ip xxxxxxxxxxxx
standby 10 priority 110
standby 10 preempt delay minimum 20 reload 20 sync 10
standby 10 name WanHSRP
crypto map vpn redundancy WanHSRP

ip nat Stateful id 1
redundancy WanHSRP
mapping-id 1
protocol udp

ip nat pool nonat xxx.xxx.xxx.xx xxx.xxx.xxx.xx netmask 255.255.255.0
ip nat inside source route-map nonat pool nonat mapping-id 1 overload

ip nat inside source static tcp xx.xx.xx.xx 21 xxx.xxx.xxx.xx redundancy WanHSRP mapping-id 1 extendable
ip nat inside source static tcp xx.xx.xx.xx 80 xxx.xxx.xxx.xx 80 redundancy WanHSRP mapping-id 1 extendable

STANDBY ROUTER CONFIG:

interface GigabitEthernet0/0
ip address xxxxxxxxxxxxxxxxx
standby delay minimum 20 reload 20
standby 10 ip xxxxxxxxxxxxxx
standby 10 priority 90
standby 10 preempt delay minimum 20 reload 20 sync 10
standby 10 name WanHSRP
crypto map vpn redundancy WanHSRP
!

ip nat Stateful id 2
redundancy WanHSRP
mapping-id 1
protocol udp

ip nat pool nonat xxx.xxx.xxx.xx xxx.xxx.xxx.xx netmask 255.255.255.0

ip nat inside source route-map nonat pool nonat mapping-id 1 overload

ip nat inside source static tcp xxx.xxx.xxx.xx 80 xxx.xxx.xxx.xx 80 redundancy WanHSRP mapping-id 1 extendable
ip nat inside source static tcp xx.xx.xx.xx 389 xxx.xxx.xxx.xx 389 redundancy WanHSRP mapping-id 1 extendable

Please rate the helpful posts.
Regards,
Naidu.

teymur azimov · ‎10-10-2011

thansk to reply me.

i have one questions.

1. when i configurated standby router must i write different ip address at intefaces????

this mean that:

interface GigabitEthernet0/0

ip address x.x.x.63 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface GigabitEthernet0/1

description connect to ASA outside

ip address 10.0.0.2 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

2. must i write same default route to isp site at standby router?

ip route 0.0.0.0 0.0.0.0 x.x.x.61

3 is it need a isp site write a route to my standby router?

Latchum Naidu · ‎10-10-2011

Hi,

1. when i configurated standby router must i write different ip address at intefaces????
The physical interface IP should be different from the same subnet but the satndby ip must be same.

2. must i write same default route to isp site at standby router?
Yes, if you have same provider then the default route must be pointing to the same ip what you have in primary router.

3 is it need a isp site write a route to my standby router?
You only need to point your default route to your ISP router.

Please rate the helpful posts.
Regards,
Naidu.

teymur azimov · ‎10-10-2011

Thanks Naidu to help me.

i want to know exatly:

you write to do static nat this way:

ip nat inside source static tcp xxx.xxx.xxx.xx 80 xxx.xxx.xxx.xx 80 redundancy WanHSRP mapping-id 1 extendable

ip nat inside source static tcp xx.xx.xx.xx 389 xxx.xxx.xxx.xx 389 redundancy WanHSRP mapping-id 1 extendable

if i do not write mapping-id 1command at the end of static nat this mean that the static nat translation is not working??? or it is not necessary to add mapping-id 1 command??

why we need to add mapping-id 1 command ??

cadet alain · ‎10-10-2011

Hi,

the mapping-id command is needed so active translations on the active router can be taken by the standby router without disruption of the traffic.

Alain.

Don't forget to rate helpful posts.

Latchum Naidu · ‎10-10-2011

Hi,

Good question Teymur..

HSRP NAT means we are doing Statefull nating which is SNAT, which means like a statefull failover kind of thing....

When you added mapping id command the current NAT translations will be handover to standby router when the active router connection is gone so that you wont see any distrub or connection loss while NAT translation handing over from active rotuer to standby router.

Please rate the helpful posts.
Regards,
Naidu.