NAT, Bridged IP addresses and HSRP

klevy
Level 1

I am relatively new to routing, so please excuse what may seem like some dumb questions.

I'm trying to get my head around what happens with my Cisco 871 router when working with a /28 subnet of public IP addresses bridged by my ISP through a DSL router. Following the configuration recommendations and the SDM setup, I am setting this unit up as follows:

interface FastEthernet4
 description WAN INTERFACE$ETH-LAN$
 ip address 11.22.33.241 255.255.255.240
 ip nat outside
 ip ips sdm_ips_rule in
 ip access-group 101 in
interface Vlan3
 description PERIMETER - FRONT RAIL
 ip address 192.168.10.2 255.255.255.0
 ip nat inside
ip nat pool FrontRail 192.168.10.0 192.168.10.255 netmask 255.255.255.0
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source static tcp 192.168.10.11 80 11.22.33.242 80 extendable
ip nat inside source static tcp 192.168.10.11 21 11.22.33.242 21 extendable
ip nat inside source static udp 192.168.10.11 50052 11.22.33.242 50052 extendable

Now my questions:

1) Why does the router pick up the packets destined for 11.22.33.242 when it only has the address 11.22.33.241 on the FE4 (WAN) interface?

2) Can I set up, using an IP statement with "secondary", a second /28 subnet of public IP addresses (from a second ISP) on the FE4 (WAN) interface? Can I set up a separate set of NAT destinations for these, and will the router sort out the traffic? What I am working towards is using DNS round-robin scheduling of inbound traffic between two ISPs. I'll set up two different internal addresses to NAT to for each of the services and assign the two addresses to each of the services running in the perimeter network.

3) Can I set up a second router with HSRP to serve as backup? How does the WAN-side Ethernet interface get configured in this case? Won't the active and standby routers both be picking up the incoming packets from the two ISPs? Do I set up a similar HSRP process on the WAN side as I do on the LAN interface?

Thanks in advance for any assistance.

2 Replies

pkhatri
Level 11

1. Because the network is 11.22.33.240/255.255.255.240 and you are using NAT to use some of these addresses, the router will respond to ARPs for these other addresses. In your case, an ARP entry will automatically be created for 11.22.33.242, which the router will respond to.

2. Yes, you can. However, how will you get the first ISP to route these IPs over to you?

3. HSRP only works on the LAN side and influences outgoing packets only. You need to enforce BGP policies etc. to ensure that incoming traffic comes in over only one of the links.

Hope that helps - please rate the post if it does.

Paresh

Thanks for responding Paresh. The answer on the first question helped a lot.

On question #2, the two ISPs terminate their circuits in either a DSL router or a cable modem router. Each presents its separate /28 subnet to my routers (I believe via "bridging", although I am a bit fuzzy as to how that works - I don't have any BGP-type training, yet). My thought was to connect a switch in between the ISPs' routers and my two routers. Both of my routers would then have access to all the addresses forwarded by both ISPs (hence my question #3).

On your answer to #3, I understand the function of HSRP to handle hosts on the interior network which only have one gateway address. What I was hoping was that the HSRP router's NAT'ing on the standby router would ignore/drop the inbound traffic destined for the active router (i.e., not advertise the ARP resolution for those addresses on the NAT interface, which was covered in your first answer). The downstream side of HSRP is covered well in the literature. The upstream side is not, hence my questions/confusion.

I had thought of setting it up as follows:

Router 1

-------------

interface FastEthernet4
 description WAN INTERFACE$ETH-LAN$
 ip address 11.22.33.241 255.255.255.240
 ! second public /28 from the other ISP; without the "secondary" keyword
 ! this line would replace the primary address instead of adding one
 ip address 44.55.66.241 255.255.255.240 secondary
 ip nat outside
 ip ips sdm_ips_rule in
 ip access-group 101 in

then use the "ip nat inside source static" entries to map to two interior subnets, each corresponding to the addresses for one or the other ISP. These two subnets would be cross-configured in two separate HSRP groups, with each router serving as backup for the other's group. I was hoping that if a failure occurred, the NAT'ing of the other group would "turn on" the ARP acceptance of packets on the other router's WAN Ethernet interface.

My real problem is that I have "Cadillac" requirements for failover and availability but a Yugo budget. I'm working with cable and DSL links to the Internet (which gives me route diversity by terminating in two different ISPs / central offices), but they are relatively inexpensive and there is probably not enough margin for the ISPs to set up BGP for me. I'd love to be able to spend $10K US on a decent load-balancing router, but my budget is very constrained.

Any other suggestions / comments?

Thanks again for the help.
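As an added example (not from the original thread, and not Cisco's code), the following Python script checks the two points that come up in the first reply and in the Router 1 fragment above: a static NAT global address is only answered by the router's automatic ARP alias when it lies inside a connected subnet of an interface marked "ip nat outside", and a second "ip address" line without the "secondary" keyword replaces the primary address rather than adding a second subnet. The sample configs are constructed from the thread's fragments; the 44.55.66.242 and 99.88.77.242 entries and the 192.168.20.11 inside host are invented here to show one hit and one miss. The script says nothing about how either ISP routes its prefix toward the router, which the first reply raises as a separate problem.

```python
"""Check a Cisco IOS config fragment: does every static NAT global address
sit inside a connected subnet of an 'ip nat outside' interface, and does any
second 'ip address' line lack the 'secondary' keyword?  (Added example.)"""
import ipaddress
import re
from dataclasses import dataclass, field

# Interface sub-commands are indented by one space in an IOS running-config.
IP_ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)(?: (secondary))?$")
# Port-forwarding form (tcp/udp inside port global port) or plain host form;
# the first alternative is tried first so 'tcp'/'udp' is never read as an address.
STATIC_RE = re.compile(
    r"^ip nat inside source static (?:(?:tcp|udp) (\S+) \d+ (\S+) \d+|(\S+) (\S+))"
)


@dataclass
class Interface:
    name: str
    networks: list = field(default_factory=list)  # IPv4Interface; index 0 is the primary
    nat_outside: bool = False


def parse_interfaces(config):
    """Return ({name: Interface}, warnings) for the interface blocks in config."""
    interfaces, warnings, current = {}, [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = Interface(line.split(None, 1)[1].strip())
            interfaces[current.name] = current
            continue
        if current is None or not line.startswith(" "):
            current = None  # a top-level command ends the interface block
            continue
        m = IP_ADDR_RE.match(line)
        if m:
            addr, mask, secondary = m.groups()
            net = ipaddress.IPv4Interface(f"{addr}/{mask}")
            if secondary or not current.networks:
                current.networks.append(net)
            else:
                # IOS treats a second 'ip address' without 'secondary' as a
                # replacement of the primary, not as an additional address.
                warnings.append(
                    f"{current.name}: 'ip address {addr} {mask}' lacks 'secondary' "
                    f"and replaces primary {current.networks[0].with_netmask}"
                )
                current.networks[0] = net
        elif line.strip() == "ip nat outside":
            current.nat_outside = True
    return interfaces, warnings


def static_globals(config):
    """Yield (global_ip, inside_ip) for each 'ip nat inside source static' line."""
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            inside, glob = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
            yield ipaddress.IPv4Address(glob), ipaddress.IPv4Address(inside)


def check_static_nat(config):
    """Map each static NAT global address to the 'ip nat outside' interface whose
    connected subnet contains it. None means no outside interface owns that
    subnet: the router will not answer ARP for the address, so inbound packets
    never reach the translation unless the upstream has an explicit route."""
    interfaces, _ = parse_interfaces(config)
    outside = [i for i in interfaces.values() if i.nat_outside]
    result = {}
    for glob, _inside in static_globals(config):
        result[str(glob)] = next(
            (i.name for i in outside if any(glob in n.network for n in i.networks)),
            None,
        )
    return result


# Constructed sample, built from the Router 1 fragment in the thread with the
# second address written as 'secondary'. The 44.55.66.242 / 99.88.77.242 entries
# and the 192.168.20.11 host are invented here to show one hit and one miss.
ROUTER1_OK = """\
interface FastEthernet4
 description WAN INTERFACE$ETH-LAN$
 ip address 11.22.33.241 255.255.255.240
 ip address 44.55.66.241 255.255.255.240 secondary
 ip nat outside
 ip access-group 101 in
interface Vlan3
 description PERIMETER - FRONT RAIL
 ip address 192.168.10.2 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.168.10.11 80 11.22.33.242 80 extendable
ip nat inside source static tcp 192.168.10.11 21 11.22.33.242 21 extendable
ip nat inside source static tcp 192.168.20.11 80 44.55.66.242 80 extendable
ip nat inside source static tcp 192.168.20.11 443 99.88.77.242 443 extendable
"""

# The same fragment as it was posted: the second 'ip address' has no 'secondary'.
ROUTER1_AS_POSTED = ROUTER1_OK.replace(" 255.255.255.240 secondary", " 255.255.255.240")

if __name__ == "__main__":
    for label, cfg in (("as posted", ROUTER1_AS_POSTED), ("with secondary", ROUTER1_OK)):
        _, warns = parse_interfaces(cfg)
        print(label, check_static_nat(cfg), warns)
```

Run against the fragment as posted, the checker reports that 11.22.33.242 is no longer covered by any connected subnet (the 44.55.66.241 line silently replaced the 11.22.33.241 primary) and emits a warning; with the "secondary" keyword both /28s are present and only the invented 99.88.77.242 entry is flagged as unreachable by ARP.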
