Stateful NAT using HSRP

Jul 25th, 2009

Hi experts,


While configuring NAT I am confused by the following NAT command. I request you to help me in clarifying this:


"ip nat inside source static x.x.x.x y.y.y.y redundancy HSRP-1"


What does this "redundancy" keyword do in stateful NATing? I also noticed that when I used this command the NAT translation entry is not exchanged between the active and standby HSRP routers.


How does it differ from the *mapping-id 100* command?


Hope you will help me on this, and thanks in advance.


SAIRAM

snarayanaraju Sat, 07/25/2009 - 10:09

Hi,


I tried to search whether any other post had been made raising the same doubt. To my surprise, it is here. The link is below:


http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0da60


The answer was provided by Mr. Mark; the excerpt is below:


"Replied by: mark.yeates - Network Engineer, NGIT - Jun 10, 2008, 3:03pm PST



The command enables the router to respond to ARP queries using the BIA MAC if HSRP is configured on the NAT inside interface. The goal is to statefully keep track of the ARP queries between the active and standby routers. The difference between using the virtual IP vs the HSRP redundancy command in the static map is the MAC address that is used. Hope this helps


Mark


But I do not understand why the router has to use the BIA MAC if HSRP is enabled on the NAT-enabled interface.


What is the need for it, and what is the advantage? Can anybody help me on this?


Sairam

Giuseppe Larosa Sat, 07/25/2009 - 10:20

Hello Sairam,

I tried to look at configuration examples, and the command you mention looks incomplete, missing the mapping-id.



see


http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_scale_stnat_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1047659


http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtsnatay.html#wp1054514


The redundancy name has to be shared between the standby group and the stateful NAT instance.


According to 12.4 IP Addressing command reference the redundancy parameter has the following meaning:


redundancy group-name


(Optional) Establishes NAT redundancy.


see


http://www.cisco.com/en/US/partner/docs/ios/ipaddr/command/reference/iad_nat.html#wp1011696


or


http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_nat.html#wp1011696


NAT redundancy and stateful NAT can be two different strategies and this could explain why you don't see exchange of NAT entries between the two routers.


You need to configure it as explained in the first links and as you noted.


I remember we tested SNAT three years ago and it was working correctly.



Edit:

About Mark's note, my guess is the following:


In stateful NAT with HSRP the HSRP active device has to play the role of active NAT device.

The command may help the active device to perform the correct NAT translations on packets sent to the HSRP VIP's MAC address.


However, I'm under the impression that stateless NAT redundancy could be possible, and that for stateful NAT a logical link between the standby group name and the stateful NAT object has to be made with the mapping-id parameter.


Hope to help

Giuseppe


snarayanaraju Sat, 07/25/2009 - 10:49

Hi Giuseppe,


Your post developed my confidence in the concept. But can you please explain further the why, and what the behaviour of "redundancy CCIE" is in


"ip nat inside source static x.x.x.x y.y.y.y redundancy CCIE"


I noticed that this keyword "redundancy CCIE" is not used in configuration when Stateful NAT is enabled.


The links you referred to are useful, but I had made a thorough study before writing here.


Please help


sairam

Giuseppe Larosa Sat, 07/25/2009 - 11:05

Hello Sairam,

See "redundancy CCIE" as a pointer to another object that has an attribute/name "CCIE".


The same is used for stateful IPsec.

We have a pair of C7200 NPE-G2 with stateful IPsec.


On the internal network there is:


standby 20 ip 10.98.144.20

standby 20 priority 90

standby 20 preempt

standby 20 name HA-ins


Then the redundancy inter-device object in the config points to the name:


redundancy inter-device

scheme standby HA-ins

!


The commands are slightly different, but the concept is the same: a name is used like a label to put two objects in relationship, like NAT and HSRP in your case.


Hope to help

Giuseppe


snarayanaraju Sat, 07/25/2009 - 11:21

Hi Giuseppe,


Very good explanation. I got it.


Now another point raised in my mind.


If so, then how does it differ from the stateful NAT command


ip nat stateful id 1
 redundancy CCIE
 mapping-id 10


What is the difference? I tried this in the lab yesterday. I found it to be similar.


I may be referring to something wrong. Please clarify this point.


Sairam

Giuseppe Larosa Sat, 07/25/2009 - 11:59

Hello Sairam,

thanks for your kind remarks.

Very similar indeed.

In stateful NAT, as I wrote, the syntax is slightly different, and you assign the label "CCIE" both to the standby group name and to the ip nat stateful instance 1.


Here the same label is used in the two objects that have to be linked, so "redundancy CCIE" points to whatever object has an attribute with this string.


From a conceptual point of view I think it is very similar.


Hope to help

Giuseppe


snarayanaraju Sat, 07/25/2009 - 20:34

Hi Giuseppe,


This topic piqued my interest. I tested the setup using the "redundancy HSRP-GROUP" keyword in the "ip nat inside source" command. The result is as below:


Two routers running HSRP:

R2 - ACTIVE

R3 - STANDBY

Configurations are attached for your kind reference.


1. I created a static one-to-one NAT in both routers R2 & R3 (as shown in the attached configuration).


2. When I telnet to an outside host from an inside host, a NAT table entry is formed in R2. But it is not replicated in R3.


3. When I made the R2 inside port go down, router R3 became active and a new NAT translation was created in R3. Where is the connection stateful here??


Then I read somewhere that it is very useful only in a PAT scenario. So I started to configure PAT in the routers.


But I do not see the "redundancy" keyword (see the attachment for output).


Please tell me where I am deviating from the point?


Thanks in advance; I have been scratching my head for the past day. Please help.


Sairam



snarayanaraju Sun, 07/26/2009 - 04:26

Hi experts,


Do you find any clues as to why and what for it is like this? I will look forward to hearing from you.


Sairam

snarayanaraju Mon, 07/27/2009 - 02:25

Hi,


I tried to get these details. Nowhere is it available clearly; it seems Cisco has not documented this in depth.


Shall I wait for your comments?


SAIRAM

Giuseppe Larosa Mon, 07/27/2009 - 05:34

Hello Sairam,

Your results confirm this is a stateless redundancy, not able to pass NAT entry state between the two devices.


>> 3. When i made the R2 inside port down, R3 router become active and new nat translation is created in R3. Where is the connection is statefull here??


Practical usage of this is zero and everyone is going to use real stateful NAT in real world networks.


This can be a residual of old times, pre-SNAT support.


Hope to help

Giuseppe
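As an added illustration, not part of this thread and not a configuration any participant posted, the block below puts the stateless form tested above beside the stateful SNAT form the thread keeps pointing at, where the HSRP standby group name and the mapping-id tie the NAT rule to the stateful instance. Interface names, addresses, group numbers and the names SNATHSRP / HSRP-1 are constructed; the command syntax follows the Cisco IOS SNAT configuration guide and command reference linked earlier, as far as I recall it, and should be checked against the IOS release in use.

```ios
! --- Stateless form (the one tested in this thread) -----------------------
! Each router builds its own translation table; nothing is replicated, so an
! established session is lost on HSRP failover and must be re-created on R3.
ip nat inside source static 10.1.1.10 192.0.2.10 redundancy HSRP-1

! --- Stateful form (SNAT), active router R2; constructed addresses ---------
interface FastEthernet0/0
 description inside
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 standby 10 ip 10.1.1.1
 standby 10 priority 105
 standby 10 preempt
 standby 10 name SNATHSRP
!
interface FastEthernet0/1
 description outside
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
!
! The SNAT instance: "redundancy" names the HSRP standby group above,
! "mapping-id" is the label that translation rules reference.
ip nat stateful id 1
 redundancy SNATHSRP
 mapping-id 10
!
! The static one-to-one rule is bound to the stateful instance through the
! mapping-id instead of the stateless "redundancy" keyword.
ip nat inside source static 10.1.1.10 192.0.2.10 mapping-id 10
!
! Standby router R3 carries the same configuration apart from its own
! interface addresses and a lower HSRP priority (e.g. standby 10 priority 95).
!
! Verification (run on both routers): after a session is opened through R2,
! the same translation should already be visible on R3 before any failover
! test; if it only appears after R2 fails, the pair is behaving statelessly.
!   show ip nat translations
!   show ip snat distributed verbose
```

The check that matters from an availability standpoint is the second one: with the stateless keyword the standby router's translation table stays empty until traffic arrives, exactly what the tests above reported, whereas with a working SNAT pair the entry is replicated to R3 while R2 is still active.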


