12-12-2023 09:32 AM
Hello
A year further into exploring networks, and after creating multiple packet tracers, I've encountered a difficulty again.
I'm currently working on an exercise where I need to set up complete networks for two offices that will eventually be connected via VPN. This is currently working well.
Here's an explanation of the setup and the problem.
Office A with an internal IP range of 10.19.0.0/16.
The setup is as follows: the access switches are connected to 2 Layer 3 switches responsible for internal routing (via OSPF). There is an EtherChannel and HSRP active between the Layer 3 switches.
The Layer 3 switches are mesh-connected to 2 routers (Main and backup). These 2 routers are both connected to ISP 1 and 2 for complete redundancy. The ISPs are connected to an external webserver.
Router main to ISP 1: 83.0.19.2 -> 83.0.19.1/30
Router main to ISP 2: 63.0.19.2 -> 63.0.19.1/30
Router backup to ISP 1: 83.0.19.6 -> 83.0.19.5/30
Router backup to ISP 2: 63.0.19.6 -> 63.0.19.5/30
NAT is active on both interfaces of both routers.
However, when I disable the interfaces of router main and one of router backup to test redundancy, nothing happens. I can't browse the webserver.
A traceroute also shows that it's not working.
Can you please guide me on where the issue might be?
Kind regards
M.
Config devices:
Router-main
interface GigabitEthernet0/0/1
 ip address 10.19.40.2 255.255.255.252
 ip ospf priority 10
 ip access-group WEB in
 ip access-group estab out
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/2
 ip address 10.19.40.14 255.255.255.252
 ip ospf priority 10
 ip access-group WEB in
 ip access-group estab out
 ip nat inside
 duplex auto
 speed auto
router ospf 2
 router-id 3.3.3.3
 log-adjacency-changes
 network 10.19.40.0 0.0.0.3 area 1
 network 10.19.40.12 0.0.0.3 area 1
 network 10.19.100.8 0.0.0.3 area 1
 network 83.0.19.0 0.0.0.3 area 0
 network 63.0.19.0 0.0.0.3 area 0
 default-information originate
!
ip nat pool EDP 63.0.19.2 63.0.19.2 netmask 255.255.255.252
ip nat pool TELENET 83.0.19.2 83.0.19.2 netmask 255.255.255.252
ip nat inside source list 1 pool TELENET overload
ip nat inside source list 2 pool EDP overload
ip classless
ip route 0.0.0.0 0.0.0.0 83.0.19.1
ip route 0.0.0.0 0.0.0.0 63.0.19.1 200
!
ip flow-export version 9
!
!
access-list 1 permit 10.19.0.0 0.0.255.255
access-list 2 permit 10.19.0.0 0.0.255.255
ip access-list extended WEB
 permit icmp any any
 permit ospf any any
 permit tcp 10.19.0.0 0.0.255.255 any eq 443
 permit tcp 10.19.0.0 0.0.255.255 any eq www
ip access-list extended estab
 permit icmp any any
 permit ospf any any
 permit tcp any 10.19.0.0 0.0.255.255 established
Router-backup
interface Loopback1
 ip address 10.19.100.13 255.255.255.252
!
interface GigabitEthernet0/0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0/1
 ip address 10.19.40.6 255.255.255.252
 ip ospf priority 5
 ip access-group WEB in
 ip access-group estab out
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/2
 ip address 10.19.40.10 255.255.255.252
 ip ospf priority 5
 ip access-group WEB in
 ip access-group estab out
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 ip nat outside
 clock rate 2000000
 shutdown
!
interface Serial0/1/1
 no ip address
 ip nat outside
 clock rate 2000000
 shutdown
!
interface Serial0/2/0
 ip address 83.0.19.6 255.255.255.252
 ip ospf cost 5
 ip ospf priority 10
 ip nat outside
 clock rate 2000000
 shutdown
!
interface Serial0/2/1
 ip address 63.0.19.6 255.255.255.252
 ip ospf cost 10
 ip ospf priority 5
 ip nat outside
!
router ospf 2
 router-id 4.4.4.4
 log-adjacency-changes
 network 10.19.40.4 0.0.0.3 area 1
 network 10.19.40.8 0.0.0.3 area 1
 network 10.19.100.12 0.0.0.3 area 1
 network 63.0.19.4 0.0.0.3 area 0
 network 83.0.19.4 0.0.0.3 area 0
 default-information originate
!
ip nat pool EDP 63.0.19.6 63.0.19.6 netmask 255.255.255.252
ip nat pool TELENET 83.0.19.6 83.0.19.6 netmask 255.255.255.252
ip nat inside source list 1 pool TELENET overload
ip nat inside source list 2 pool EDP overload
ip classless
ip route 0.0.0.0 0.0.0.0 83.0.19.5
ip route 0.0.0.0 0.0.0.0 63.0.19.5 200
!
ip flow-export version 9
!
!
access-list 1 permit 10.19.0.0 0.0.255.255
access-list 2 permit 10.19.0.0 0.0.255.255
ip access-list extended WEB
 permit icmp any any
 permit ospf any any
 permit tcp 10.19.0.0 0.0.255.255 any eq 443
 permit tcp 10.19.0.0 0.0.255.255 any eq www
ip access-list extended estab
 permit icmp any any
 permit ospf any any
 permit tcp any 10.19.0.0 0.0.255.255 established
12-12-2023 12:03 PM
Hi @9K, I'll try to help you. It appears that the issue revolves around redundancy testing, specifically when disabling interfaces on the main router and one of the backup routers. Even though redundancy measures, such as HSRP and EtherChannel, have been implemented, browsing the webserver fails during these tests. To troubleshoot this, you may want to ensure that the HSRP state transitions are seamless and that the routing protocols, in this case, OSPF, are properly handling the changes. Additionally, reviewing the NAT configurations on the routers, especially during failover scenarios, is crucial to maintaining connectivity to external resources. Investigating any potential access list or routing discrepancies that may arise during the transition between routers could provide insights into resolving the issue and ensuring a smooth redundancy setup for the interconnected offices.
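The review of NAT and routing during failover that the reply suggests can be done mechanically. The following is an added example, not part of either post: it parses a re-indented excerpt of the Router-backup configuration as posted and reports default routes whose connected interface is shut down, and NAT rules whose source lists are identical. The function name `audit` and the wording of the findings are assumptions made for this example.

```python
import ipaddress

# Excerpt of the Router-backup configuration posted in the question (re-indented).
CONFIG = """\
interface Serial0/2/0
 ip address 83.0.19.6 255.255.255.252
 shutdown
interface Serial0/2/1
 ip address 63.0.19.6 255.255.255.252
ip nat inside source list 1 pool TELENET overload
ip nat inside source list 2 pool EDP overload
ip route 0.0.0.0 0.0.0.0 83.0.19.5
ip route 0.0.0.0 0.0.0.0 63.0.19.5 200
access-list 1 permit 10.19.0.0 0.0.255.255
access-list 2 permit 10.19.0.0 0.0.255.255
"""

def audit(config):
    """Return findings about default-route egress links and NAT source lists."""
    ifaces, routes, nat, acls, cur = {}, [], [], {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "interface":
            cur = ifaces.setdefault(words[1], {"net": None, "down": False})
        elif words[:2] == ["ip", "address"] and cur is not None:
            cur["net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif words == ["shutdown"] and cur is not None:
            cur["down"] = True
        elif words[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            dist = int(words[5]) if len(words) > 5 else 1  # static default distance is 1
            routes.append((ipaddress.ip_address(words[4]), dist))
        elif words[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat.append((words[5], words[7]))  # (ACL number, pool name)
        elif words[0] == "access-list":
            acls.setdefault(words[1], []).append(tuple(words[2:]))
    findings = []
    for hop, dist in sorted(routes, key=lambda r: r[1]):
        name = next((n for n, i in ifaces.items() if i["net"] and hop in i["net"]), None)
        if name is None or ifaces[name]["down"]:
            why = f"{name} is shutdown" if name else "no connected interface"
            findings.append(f"default via {hop} (distance {dist}): {why}")
    for i, (acl_a, pool_a) in enumerate(nat):
        for acl_b, pool_b in nat[i + 1:]:
            if acls.get(acl_a) and acls.get(acl_a) == acls.get(acl_b):
                findings.append(f"NAT lists {acl_a} ({pool_a}) and {acl_b} ({pool_b}) match identical sources")
    return findings
```

Identical source lists mean the access list alone does not tie a pool to an uplink, so after a failover the translated address in `show ip nat translations` is worth comparing with the link that is actually up.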