Nat on Backup interfaces

matt-long · ‎05-13-2005

I have a client who is has a requirement to run nat on their router and needs a backup interface to dial out if the the primary goes down.

I have tryed this out in the lab and have got this configuration working.

(NB, using all ethernet on this test router)

!

interface FastEthernet0/0

backup interface FastEthernet0/1

ip address 10.0.1.254 255.255.255.0

ip access-group 111 in

ip nat outside

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 10.0.1.254 255.255.255.0

ip access-group 111 in

duplex auto

speed auto

!

interface FastEthernet1/0

ip address 10.0.2.254 255.255.255.0

ip nat inside

duplex auto

speed auto

!

ip nat translation timeout 5

ip nat translation tcp-timeout 5

ip nat translation pptp-timeout 5

ip nat translation udp-timeout 5

ip nat translation finrst-timeout 5

ip nat translation syn-timeout 5

ip nat translation dns-timeout 5

ip nat translation icmp-timeout 5

ip nat translation max-entries 5

ip nat pool NATPOOL 10.0.1.250 10.0.1.250 netmask 255.255.255.0

ip nat inside source list 100 pool NATPOOL

ip nat inside source static 10.0.2.1 10.0.254.1

!

access-list 100 permit ip 10.0.2.0 0.0.0.255 any

access-list 111 permit icmp any any

access-list 111 permit tcp any host 10.0.254.1 eq telnet

!

All works fin, except on failover the nat breaks and takes about 90-120secs to timeout and then starts working again. If any data is sent within that time the timeout starts again. This is with all timers set to 5 seconds. Dos anyone have any pointers on how to avoid this?

Georg Pauwen · ‎05-15-2005

Hello Matt,

there is a feature called Stateful NAT which addresses that problem. Not knowing which IOS version and platform you have, you might want to check this document:

CISCO IOS SOFTWARE RELEASES 12.2 T

NAT Stateful Failover of Network Address Translation

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801124ad.html

Regards,

GP