Strange behavior with HSRP and NAT

lucas restrepo
Level 1

Hi,

Currently I am configuring two Cisco 3925 routers with the static NAT feature integrated with HSRP, adding the standby group to the NAT configuration.

The topology I am working on has two edge routers with a firewall behind them. The routers are connected to the outside interface of the firewall. On the edge routers I receive the Internet links, do some load balancing with PBR, and expose other services to the Internet. All the firewall does is block traffic coming from the Internet to the LAN network. The routers have HSRP enabled on the interface that faces the firewall, and the HSRP and NAT feature is enabled on it.

I see the duplicate address message on both routers all the time, and when I put all the load on them they start behaving kind of strange.

I lose connectivity to the internet and it gets really slow.

So I would like to know if this feature is good practice to use, or whether I should do something different.

I also would like to know if this interferes with some other features I have running on these routers, like VRF-lite and EIGRP.

Best regards.

3 Replies

cadet alain
VIP Alumni

Hi,

Can you post the config of the routers as well as the message you see?

Alain

Don't forget to rate helpful posts.

Yes, here is the configuration:

EDGE-ROUTER-BUP#show run
Building configuration...

Current configuration : 17474 bytes
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EDGE-ROUTER-BUP
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip vrf INTANET
 rd 65355:10
 route-target export 65355:10
 route-target import 65355:10
!
!
ip dhcp pool INVITADOS
   network 192.168.108.0 255.255.255.0
   default-router 192.168.108.1
   domain-name conconcreto.com
   dns-server 208.67.222.222 208.67.220.220
   lease 0 2
!
!
no ip bootp server
no ip domain lookup
login block-for 300 attempts 5 within 60
multilink bundle-name authenticated
!
!
!
class-map match-any voip
 match access-group 122
class-map match-any Videoconferencia
 match access-group 120
class-map match-any PBR
 match protocol http host "*mail.google.com*"
 match protocol http host "*gmail*"
 match protocol http host "*google*"
 match protocol http host "*conconcreto*"
 match protocol http host "*youtube*"
 match access-group name PBR-list
class-map match-all SAP
 match access-group 121
class-map match-any http-out
 match protocol http
 match protocol dns
 match protocol ssh
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol ipsec
 match protocol isakmp
class-map match-any Routing
 match protocol eigrp
 match protocol rsvp
class-map match-all SAP-return
 match access-group 127
!
!
policy-map QoS
 class Videoconferencia
  bandwidth remaining percent 45
 class SAP
  bandwidth remaining percent 15
 class Routing
  bandwidth remaining percent 2
  set dscp cs6
 class voip
  priority percent 20
 class class-default
  fair-queue
policy-map shape-all-telmex
 class class-default
  shape average 10000000
  service-policy QoS
policy-map shape-all
 class class-default
  shape average 3000000
  service-policy QoS
policy-map qos-girardota-une
 class voip
  priority 16
 class SAP-return
  bandwidth remaining percent 15
 class class-default
  fair-queue
  random-detect
policy-map shape-all-girardota-une
 class class-default
  shape average 900000
  service-policy qos-girardota-une
policy-map QoS-out
 class http-out
  priority percent 60
 class class-default
  fair-queue
  random-detect
policy-map qos-girardota
 class voip
  priority 320
 class SAP-return
  bandwidth remaining percent 15
 class class-default
  fair-queue
  random-detect
policy-map shape-all-20M
 class class-default
  shape average 45000000
  service-policy QoS
policy-map shape-all-bog-telmex
 class class-default
  shape average 4000000
  service-policy QoS
policy-map shape-all-sao-telmex
 class class-default
  shape average 6000000
  service-policy QoS
policy-map marking-in
 class PBR
  set dscp af31
policy-map marcado
 class voip
  set dscp ef
 class SAP
  set dscp af21
 class Videoconferencia
  set dscp af41
policy-map shape-all-girardota
 class class-default
  police 2000000 conform-action transmit exceed-action drop violate-action drop
  shape average 2000000
  service-policy qos-girardota
!
!
!
!
!
interface GigabitEthernet0/0
 description internet vffvf
 bandwidth 10000
 ip address 190.0.Y.X 255.255.255.252
 ip access-group bogons in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip load-sharing per-packet
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 description internet SDD
 bandwidth 6000
 ip address 201.234.W.R 255.255.255.248
 ip access-group bogons in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip load-sharing per-packet
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 description internet ghh
 bandwidth 8000
 ip address 190.144.SS.EE 255.255.255.248
 ip access-group bogons in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip load-sharing per-packet
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
 media-type rj45
!
interface GigabitEthernet0/1/0
 description conexion interna
!
interface GigabitEthernet0/1/1
 description Conexion ASA INTRANET
 switchport access vlan 7
 load-interval 30
!
interface GigabitEthernet0/1/2
 description Conexion Radio Gerencia-Sao-Paulo
 switchport access vlan 100
 load-interval 30
!
interface GigabitEthernet0/1/3
 description conexion Gerencia-Mantenimiento GC
 switchport mode trunk
 load-interval 30
 speed 100
!
interface GigabitEthernet0/1/4
 description conexion telmex Gerencia-BOG Gerencia-Sao
 switchport access vlan 110
 load-interval 30
!
interface GigabitEthernet0/1/5
 description Conexion UNE Gerencia-Mantenimiento
 switchport access vlan 120
 load-interval 30
 speed 100
!
interface GigabitEthernet0/1/6
 description Conexion GC Gerencia-BOG
 switchport access vlan 130
 load-interval 30
 speed 100
!
interface GigabitEthernet0/1/7
 description Salida Invitados
 switchport access vlan 108
 load-interval 30
 speed 100
!
interface Vlan1
 ip address 192.168.200.252 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly in
 standby 10 ip 192.168.200.254
 standby 10 preempt delay minimum 10
 standby 10 name HA
 load-interval 30
!
interface Vlan108
 ip address 192.168.108.3 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip load-sharing per-packet
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 standby 2 ip 192.168.108.1
 standby 2 priority 200
 standby 2 name HAG
 load-interval 30
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-export source GigabitEthernet0/2
ip flow-export version 9
ip flow-export destination 190.29.25.195 9998
!
ip nat Stateful id 1
 redundancy HA
  mapping-id 50
  protocol   udp
ip nat pool telmex 190.144.136.130 190.144.136.133 netmask 255.255.255.248
ip nat pool gc 201.234.180.114 201.234.180.117 netmask 255.255.255.248
ip nat pool une 190.0.33.74 190.0.33.74 netmask 255.255.255.252
ip nat inside source route-map GC pool gc mapping-id 50 overload
ip nat inside source route-map TELMEX pool telex mapping-id 50 overload
ip nat inside source route-map UNE pool une overload
ip nat inside source static tcp 10.1.1.34 80 190.144.136.132 80 redundancy HA extendable
ip nat inside source static tcp 10.1.1.36 80 190.144.136.134 80 redundancy HA extendable
ip nat inside source static tcp 10.1.1.41 21 201.234.180.116 21 redundancy HA extendable
ip nat inside source static tcp 10.1.1.41 80 201.234.180.116 80 redundancy HA extendable
ip nat inside source static tcp 10.1.1.41 1433 201.234.180.116 1433 redundancy HA extendable
ip nat inside source static tcp 10.1.1.41 3389 201.234.180.116 3389 redundancy HA extendable
ip nat inside source static tcp 10.1.1.41 4263 201.234.180.116 4263 redundancy HA extendable
ip nat inside source static tcp 10.1.1.32 80 201.234.180.118 80 redundancy HA extendable
ip route 0.0.0.0 0.0.0.0 201.234.180.113
ip route 0.0.0.0 0.0.0.0 190.144.136.129
ip route 0.0.0.0 0.0.0.0 190.0.33.73
ip route 4.2.2.2 255.255.255.255 190.144.136.129
ip route 10.0.0.0 255.0.0.0 192.168.200.1
ip route 172.24.0.0 255.255.0.0 192.168.200.1
ip route 190.29.25.195 255.255.255.255 190.144.136.129
ip route 200.13.224.254 255.255.255.255 190.0.33.73
ip route 200.13.249.101 255.255.255.255 190.0.33.73
!
ip access-list standard bogons
 deny   0.0.0.0 0.255.255.255 log
 deny   5.0.0.0 0.255.255.255
 deny   10.0.0.0 0.255.255.255
 deny   23.0.0.0 0.255.255.255
 deny   37.0.0.0 0.255.255.255
 deny   39.0.0.0 0.255.255.255
 deny   100.0.0.0 0.255.255.255
 deny   102.0.0.0 1.255.255.255
 deny   104.0.0.0 0.255.255.255
 deny   106.0.0.0 0.255.255.255
 deny   127.0.0.0 0.255.255.255
 deny   169.254.0.0 0.0.255.255
 deny   172.16.0.0 0.15.255.255
 deny   179.0.0.0 0.255.255.255
 deny   185.0.0.0 0.255.255.255
 deny   192.0.2.0 0.0.0.255
 deny   192.168.0.0 0.0.255.255
 deny   198.18.0.0 0.1.255.255
 deny   198.51.100.0 0.0.0.255
 deny   203.0.113.0 0.0.0.255
 deny   224.0.0.0 31.255.255.255
 permit any
!
ip access-list extended PBR-list
 permit ip any 72.14.192.0 0.0.63.255
 permit ip any 74.125.0.0 0.0.255.255
 permit ip any 216.239.0.0 0.0.255.255
 permit ip any 209.0.0.0 0.255.255.255
 permit ip any 74.0.0.0 0.255.255.255
ip access-list extended lista-DNS
 permit ip any host 4.2.2.2
 permit ip any host 208.67.220.220
 permit ip any host 208.67.222.222
ip access-list extended lista-GOOGLE
 permit ip 192.168.200.64 0.0.0.31 any
 permit ip any 72.14.192.0 0.0.63.255
 permit ip any 74.125.0.0 0.0.255.255
 permit ip any 216.239.0.0 0.0.255.255
 permit ip any 209.0.0.0 0.255.255.255
 permit ip any 74.0.0.0 0.255.255.255
 permit ip any 190.248.0.0 0.0.255.255
 permit ip any 66.132.0.0 0.0.255.255
 permit ip any host 200.13.249.101
 permit ip any host 200.13.224.254
ip access-list extended lista-NAVEGACION
 deny   ip 192.168.200.32 0.0.0.31 any dscp af31
 permit ip 192.168.200.32 0.0.0.31 any
 permit ip 192.168.108.0 0.0.0.255 any
 permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended lista-VPN
 permit udp host 192.168.200.1 eq isakmp any
 permit udp host 192.168.200.1 eq non500-isakmp any
 permit esp host 192.168.200.1 any
 permit ip 192.168.200.96 0.0.0.31 any
 permit ip any host 200.26.137.100
 permit ip 10.0.0.0 0.255.255.255 host 190.144.136.133
ip access-list extended lista-serexp-GC
 permit ip host 192.168.200.15 any
 permit ip host 192.168.200.16 any
 permit ip host 192.168.200.17 any
 permit ip host 192.168.200.18 any
ip access-list extended lista-serexp-TELMEX
 permit ip host 192.168.200.19 any
 permit ip host 10.1.1.34 any
!
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 190.29.25.195
access-list 2 permit 192.168.100.151
access-list 2 permit 10.0.0.0 0.255.255.255
access-list 2 permit 192.168.200.0 0.0.0.255
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.255.255.255 host 190.144.136.133
access-list 101 deny   ip 192.168.200.0 0.0.0.255 host 190.144.136.133
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit ip 192.168.108.0 0.0.0.255 any
access-list 120 permit ip 10.1.253.0 0.0.0.15 any
access-list 120 permit ip any 10.1.62.0 0.0.0.255
access-list 120 permit ip any 10.2.253.0 0.0.0.255
access-list 121 permit ip 10.0.0.0 0.255.255.255 172.24.3.0 0.0.0.255
access-list 121 permit tcp 10.0.0.0 0.255.255.255 host 200.74.143.135 range 3200 3399
access-list 121 permit ip 172.24.3.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 121 permit tcp host 200.74.143.135 range 3200 3399 10.0.0.0 0.255.255.255
access-list 122 permit ip 10.1.150.0 0.0.0.255 any
access-list 122 permit ip any any dscp ef
access-list 122 permit ip any any precedence critical
access-list 122 permit ip any 10.1.65.0 0.0.0.255
access-list 127 permit ip 172.24.3.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map GC permit 10
 match ip address 101
 match interface GigabitEthernet0/1
!
route-map TELMEX permit 10
 match ip address 101
 match interface GigabitEthernet0/2
!
route-map ISP permit 5
 match ip address lista-GOOGLE
 set ip next-hop 190.0.33.74
!
route-map ISP permit 10
 match ip address lista-VPN lista-serexp-TELMEX lista-DNS
 set ip next-hop 190.144.136.129
!
route-map ISP permit 15
 match ip address lista-NAVEGACION lista-serexp-GC
 set ip next-hop 201.234.180.113
!
route-map UNE permit 10
 match ip address 101
 match interface GigabitEthernet0/0
!
!

As you can see, I have an HSRP group to configure NAT on HA, but I get a duplicated IP message all the time, and when I put all the traffic on it the router gets stuck.

regards.
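A running-config this long makes a dangling name easy to miss. As an added example (not from the original thread or from Cisco), the script below pulls the HSRP, Stateful NAT and NAT pool lines out of a constructed excerpt of the configuration above and reports references that do not resolve; the excerpt and the `lint_nat_redundancy` name are constructed here.

```python
import re

# Constructed excerpt of the running-config posted above, trimmed to the
# HSRP, Stateful NAT and NAT pool lines that the checks below look at.
CONFIG = """\
interface Vlan1
 standby 10 name HA
interface Vlan108
 standby 2 name HAG
ip nat Stateful id 1
 redundancy HA
  mapping-id 50
ip nat pool telmex 190.144.136.130 190.144.136.133 netmask 255.255.255.248
ip nat pool gc 201.234.180.114 201.234.180.117 netmask 255.255.255.248
ip nat pool une 190.0.33.74 190.0.33.74 netmask 255.255.255.252
ip nat inside source route-map GC pool gc mapping-id 50 overload
ip nat inside source route-map TELMEX pool telex mapping-id 50 overload
ip nat inside source route-map UNE pool une overload
ip nat inside source static tcp 10.1.1.34 80 190.144.136.132 80 redundancy HA extendable
ip nat inside source static tcp 10.1.1.32 80 201.234.180.118 80 redundancy HA extendable
"""


def lint_nat_redundancy(config: str) -> list[str]:
    """Return findings about HSRP / Stateful NAT / pool references that do not resolve."""
    m = re.MULTILINE
    hsrp_names = set(re.findall(r"^ +standby \d+ name (\S+)", config, m))
    mapping_ids = set(re.findall(r"^ +mapping-id (\d+)", config, m))
    pools = set(re.findall(r"^ip nat pool (\S+)", config, m))
    findings = []
    # The SNAT redundancy group must be an HSRP group that actually exists.
    for grp in re.findall(r"^ +redundancy (\S+)", config, m):
        if grp not in hsrp_names:
            findings.append(f"SNAT redundancy '{grp}' has no matching 'standby N name'")
    # Dynamic rules: the pool must exist, and only rules carrying a mapping-id
    # are replicated to the peer; a rule without one keeps its translations local.
    for pool, mid in re.findall(
            r"^ip nat inside source .* pool (\S+)(?: mapping-id (\d+))?", config, m):
        if pool not in pools:
            findings.append(f"pool '{pool}' is referenced but never defined")
        if not mid:
            findings.append(f"rule using pool '{pool}' has no mapping-id (not replicated)")
        elif mid not in mapping_ids:
            findings.append(f"mapping-id {mid} is not defined under ip nat Stateful")
    # Static rules: the redundancy group they name must be a real HSRP group.
    for glob, grp in re.findall(
            r"^ip nat inside source static \S+ \S+ \d+ (\S+) \d+ redundancy (\S+)", config, m):
        if grp not in hsrp_names:
            findings.append(f"static NAT for {glob} names unknown group '{grp}'")
    return findings
```

Run against the excerpt it reports the `telex` pool reference and the `une` rule without a mapping-id; nothing else in the excerpt fails to resolve.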

Any help on this case?

I am still having the same problem.

regards.
