Thank you Giuslar for your response,

My goal is to have outside clients accesing the internal servers via any of the two routers via any of the two ISP connections.

Clearly, I am not controlling how the users get in, since I only have static routes (not BGP or any routing protocol) with the ISPs...

So my question is....

With the scenario that I have, is there a way to assure that incoming traffic enters the primary router? (without BGP)?

If not.... then traffic from outside clients will enter either router, and then the reply will always go through the active HSRP router... this would cause a problem? Could not be solve with SNAT?  How can be solved?

Thank you again,

Federico.

Hello Federico,

without BGP I don't see a way to influence return path without adding routers.

NAT translations have a state: if packets in the two directions go via different routers this can be a problem, R2 can see packets for a NAT entry that it is aware of if stateful NAT is implemented.

Only way, I see would be to add two other routers acting as border routers that points to an HSRP VIP (to reach the public IP block) on outside interface of SNAT pair R1 and R2 (current routers).  HSRP group on outside interface has to be in sync with the group on the inside interface so that the same router is active for both at a given time.

On this idea are based both stateful NAT and stateful IPsec.

This schema provides routing symmetry on both directions.

This is the way we tested and deployed Stateful NAT and later stateful IPSec (on different devices).

the following document can be of help:

enteprise multihoming with NAT:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091c8a.shtml

SNAT phase2 for 12.4T:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_cfg_ha_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1047478

>> Two or more network address translators function as a translation group. One member of the group handles traffic requiring translation of IP address information. It also informs the backup translator of active flows as they occur. The backup translator can then use information from the active translator to prepare duplicate translation table entries, and in the event that the active translator is hindered by a critical failure, the traffic can rapidly be switched to the backup. The traffic flow continues since the same network address translations are used, and the state of those translations has been previously defined.

That is one device is active and the other is standby traffic has to be processed by active device like it happens on a failover firewalls pair.

Hope to help

Giuseppe

Hi Giuslar

Thank you very much!!

One question... can I configure HSRP on the outside ISP interfaces on the same both routers? And synchronize the HSRPs so that the active router is the one handling both incoming and outgoing traffic?

Do you have a configuration example, if this is feassible?

Thank you!

Federico.

Hello Federico,

it is enough to have HSRP priority higher on R1 with cross referenced tracking of other interface

int gi0/1

ip address 10.10.10.2 255.255.255.0

standby 1 address 10.10.10.1

standby 1 priority 105

standby 1 track interface gi0/2

standby 1 preempt

int gi0/2

ip addres 100.10.100.2 255.255.255.248

standby 2 address 100.10.10.1

standby 2 priority 105

standby 2 track interface gi0/1

standby 2 preempt

you will to add the standby name to each group as explained in link to Stateful NAT

Hope to help

Giuseppe

Hello Giuseppe,

I am going over the documents and try the configuration tomorrow and let you know...

Thank you,

Federico.

Hello Giuseppe,

I've tried the HSRP configuration that you mentioned on the outside and it seems that the problem persisted.

I am wondering if its because the incoming traffic is sent to specific NATed IP addresses (instead than to a single virtual IP as the outgoing traffic).

For instance, with the outgoing traffic, all traffic is sent to a default gateway (virtual IP shared by both routers) and one router is the HSRP active one (so I have no problems controlling outbound traffic).

But, incoming traffic (even with HSRP configured on the outside interface), the traffic is not sent to a single virtual IP, instead is sent to a pool of addresses assigned by each ISP (which I used to NAT the internal servers).

For instance, the outside IP addresses of both routers are:

Primary Router -->

Primary ISP connection = 201.201.201.201/29

Secondary ISP connection = 101.101.101.101/29

Secondary Router -->

Primary ISP connection = 201.201.201.202/29

Secondary ISP connection = 101.101.101.102/29

So, I configured HSRP on both ISP connections (on both routers), but the problem persisted because incoming traffic is not sent to either of the IPs above, but instead to the static NAT addresses.

Each router has this kind of NAT statements:

ip nat inside source static 10.10.10.101 201.201.201.205

Alternatively, I have tried the SNAT configuration for the static translations (which seemed to consume a lot of resources)

ip nat inside source static 10.10.10.101 201.201.201.205 mapping-id 10 redundancy SNAT no-alias extendable

Please let me know your thoughts on this one.

Thank you!

Federico.

Hi Guiseppe,

I understand now.

So basically if I have no other routers to use as border routers and I'm not speaking BGP with the ISPs, there's no way to fix this correct?

I'm having a design problem :-(

Federico.