Conditional NAT

Unanswered Question
Apr 9th, 2010
User Badges:


Location A (Router A) and  Location B (Router B)  are connected to each other using GRE tunnel over internet.  All the internet destined traffic reaches to Router B from Router A and also the location B local traffic destined for internet. NAT is performed on the Location B firewall.

Due to ISP failure at Router B, GRE tunnel goes down and users from Location A are not able to access internet as there is no NAT or PAT configured on Router A.

Case 1.  GRE tunnel is up , then send all internet traffic into the GRE tunnel to Router B.  Router B will then decapsulate the packet NATs it and send to internet. This is normal working.

Case 2.  ISP at Router B has failed. GRE between Router A and Router B is down.

Check - GRE tunnel -  If down -  Do the NAT / PAT on router A and send the traffic to internet.

Check  - GRE tunnel - Tunnel has been recovered and is up --  STOP NAT / PAT on router A and start sending traffic to GRE tunnel.

Is it possible to do the NAT  with help of Track, sla, monitor, route-map or any other logic and then take the corresponding action as that of in Case1 or Case2.

Please share the experience.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
ex-engineer Thu, 04/15/2010 - 05:39
User Badges:

Ryan, what does spanning-tree have to do with what he is trying to achieve? STP is a layer 2 protocol that is used to prevent bridging loops. It is not even remotely related to what he is talking about.

well, spanning trees perform the function of what he was asking for by creating a optimal path and then changing the status of the ports to the other route as "blocking".

So to review the cases I will describe what occurs if they deploy STP that is weighted for Router B.

Case 1: Everything is available

Result 1: GRE Tunnel is up and traffic flows thru Router B as per what is designed as normal.

Case 2: GRE Tunnel goes down.

Result 2: STP recalculates.  Places the port for the GRE tunnel in a blocking state and then moves the port for Router A into a forward state.  Traffic is now router thru router A.

Case 3: GRE Tunnel comes back up

Result 3: STP recalculates and moves everything to the state existiant in case 1.

From a NAT standpoint you would simply configure NAT to work on both devices.  However, ROUTER A will only be used for traffic when ROUTER B is down.  I felt that this resolved all conditions presented in the desctiption, but I could see how additional information would make Spanning Trees a poor choice.  I do feel that a conditional routing situation will be a better and more easily managed solution that trying to manage traffic routes via a NAT and that is why I made the suggestion.

ohassairi Sun, 04/18/2010 - 00:44
User Badges:
  • Silver, 250 points or more

i have one config example with the senario:

We have 2 WAN connections to one remote site. Some users connect via connection 1, some others via connection 2. But when one connection comes down all users connect via the other connection automatically

you can modify it according to your settings

hope it helps


ip sla monitor 1

type echo protocol ipIcmpEcho

ip sla monitor schedule 1 life forever start-time now

ip sla monitor 2

type echo protocol ipIcmpEcho

ip sla monitor schedule 2 life forever start-time now


track 123 rtr 1 reachability

track 321 rtr 2 reachability


interface FastEthernet0/0

ip address

ip policy route-map mymap1

ip nat inside


interface serial0/1

description connection1

ip address

ip nat outside


interface serial 0/2

description connection2

ip address

ip nat outside


access-list 1 permit

access-list 2 permit


route-map mymap1 permit 10

match ip address 1

set ip next-hop verify-availability 10 track 123

set ip next-hop verify-availability  20  track 321


route-map mymap1 permit 20

match ip address 2

set ip next-hop verify-availability    10 track 321

set ip next-hop verify-availability  20 track 123


access-list 12 permit

access-list 12 permit


route-map ISP1 permit 10

match ip address 12

match interface serial0/1


route-map ISP2 permit 10

match ip address 12

match interface serial0/2


Ip nat inside source route-map ISP1

Interface serial0/1 overload


Ip nat inside source route-map ISP2

Interface serial0/2 overload


This Discussion