I just want to know the best way to accomplish the following:
I have two routers running HSRP on the inside interface (tracking the outside interfaces).
Both routers connect to two ISPs.
Both routers handle static NAT for inside servers.
Outgoing traffic works fine, because all traffic flows through the active router.
The problem is with incoming traffic.
Topology is like this:
Outside IP: 18.104.22.168/29 (Primary ISP)
Outside IP: 22.214.171.124/29 (Secondary ISP)
Inside IP: 10.10.10.10/24 (HSRP Active)

Outside IP: 126.96.36.199/29 (Primary ISP)
Outside IP: 188.8.131.52/29 (Secondary ISP)
Inside IP: 10.10.10.10/24 (HSRP Secondary)
Both routers have this NAT:
ip nat inside source static 10.10.10.100 184.108.40.206
So, all outgoing traffic goes out through the HSRP active router, through the primary ISP connection (no problem here).
But incoming access to the internal servers can reach either router (for example, if the DNS resolves the IP 220.127.116.11, the traffic can enter the Primary ISP connection via the First Router or via the Secondary Router; I have no control over this).
So, I've tried SNAT (Stateful NAT) but it did not work. Is my solution to configure HSRP on the outside interfaces so that I can control incoming traffic?
I'm getting a duplicate address error on both routers for IP 18.104.22.168 (I think that is because both share the same Static NAT statement).
I have another similar post, but I opened this one because I just need an answer for this specific issue.
Thank you all!
Sorry if I've not been clear:
The idea would be to add two other routers to act as border routers (connected to the ISP links) so that they use as next hop the HSRP VIP on the outside interface of the pair of devices doing NAT.
In this way you can change your scenario to one where you can use SNAT effectively.
So, I configured HSRP on both ISP connections (on both routers),
This is not what I meant: two border routers should be added to the picture, or BGP should be used as I've explained above.
Hope to help