SNAT with HSRP and Two Internet connections

Answered Question
Aug 17th, 2010

Greetings, I am going to be deploying a new site with two internet connections terminated on two ISR routers. Each one will be running HSRP and I'll be using IP SLA object tracking to determine the active member and default route.


I would also like to try and achieve a more stateful configuration. As such, I am considering using the SNAT feature within the HSRP group; however, I would like to just use PAT and overload all outbound connections onto the interface IP address rather than creating NAT pools, which from the examples I have seen is how this is configured.


Has anyone deployed this just using PAT or do you have to use NAT pools w/ PAT?


Regards



Correct Answer
Giuseppe Larosa Tue, 08/17/2010 - 03:56

Hello Mark,

I'm afraid that using a pool may be required by the SNAT solution, as the idea is that the backup router, if it takes over, has to be able to route traffic for current NAT sessions. If you used the WAN interface of router1 as the public IP address, when R1 fails (or just its WAN link fails) packets cannot be sent back and so cannot be translated by the backup router.

So the SNAT feature requires getting a small public pool from the ISP, or it would not be effective.

See figure 1 in

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_cfg_ha_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1047478

Hope to help

Giuseppe
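
The pool-based form described in the answer above, as an added example that is not part of the original thread: PAT (overload) onto a shared pool tied to the HSRP group through a SNAT mapping-id. Interface names, the group name `SNATHSRP`, the pool name, ACL 101 and all addresses are placeholders, and the example assumes the ISP routes the pool toward whichever router is active.

```cisco
! Added example; every name and address below is a placeholder.
! Inside LAN 192.168.10.0/24 on Gi0/0, outside on Gi0/1, public pool 203.0.113.8/29.
!
! Form asked about in the question: PAT onto this router's own WAN address.
! The global address belongs to one router only, so return traffic for
! existing sessions cannot reach the peer after a failover.
! ip nat inside source list 101 interface GigabitEthernet0/1 overload
!
! Form described in the answer: PAT onto a pool that either router can serve.
interface GigabitEthernet0/0
 ip address 192.168.10.2 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.10.1
 standby 1 name SNATHSRP
 standby 1 preempt
!
interface GigabitEthernet0/1
 ip nat outside
!
! Bind stateful NAT to the named HSRP group. The peer router uses its own
! stateful id and the same mapping-id so translations are replicated.
ip nat stateful id 1
 redundancy SNATHSRP
 mapping-id 10
!
! Traffic eligible for translation.
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
! Shared global addresses; overload keeps this PAT rather than one-to-one NAT.
ip nat pool SNATPOOL 203.0.113.9 203.0.113.14 prefix-length 29
ip nat inside source list 101 pool SNATPOOL mapping-id 10 overload
```

After both routers are configured, `show ip snat distributed verbose` on each one shows whether the peer is connected and translations are being exchanged.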

Mark Rigby Wed, 08/18/2010 - 08:35

Thank you for the reply Giuseppe, the explanation makes perfect sense.

Regards
