NAT Box to Box High Availability Overview

    Introduction

    This document gives an overview of the NAT Box-to-Box High Availability feature on ISR G2 routers.

    Background of This Feature

    Stateful NAT (SNAT) was the IOS redundancy feature for routers that use Dynamic NAT.

    However, IOS releases after 15.0M no longer support Stateful NAT.

    In addition, the Stateful NAT feature will reach End-of-Support on January 31, 2014.

    End-of-Sale and End-of-Life Announcement for the Cisco IOS Stateful Failover of Network Address Translation (SNAT)

    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6640/end_of_life_notice_c51-611706.html

    The announcement above lists Cisco ASA Adaptive Security Appliance high availability as the migration option for Stateful NAT.

    Subsequently, the NAT Box-to-Box High-Availability feature was added in IOS 15.3(2)T and later releases.

    With this feature you can achieve high availability with NAT on ISR G2 routers, as Stateful NAT previously provided.

    I will explain the feature overview, basic configuration, and troubleshooting of NAT Box-to-Box High-Availability in the following sections.

    Feature Overview

    NAT Box to Box High Availability (NAT BtoB HA, hereinafter) is a feature designed to improve fault tolerance when a NAT router's links, or the router itself, fail unexpectedly.

    In addition, asymmetric routing with Dynamic NAT is also supported.

    NAT BtoB HA consists of two components: the Redundancy Group (RG) function, which controls the active/standby state, and the Network Address Translation (NAT) function itself.

    Therefore you must configure both components (RG and NAT) for NAT BtoB HA.

    Because of the restrictions currently applicable (for example, ALG is supported only for the FTP application), refer to the following document and verify the behavior thoroughly before you implement this feature.

    Restrictions for NAT Box-to-Box High-Availability Support

    http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/iadnat-b2b-ha.html#reference_C93828C500774EA1A6C8C19313220C27

    As of now, NAT BtoB HA supports the following NAT features (note that interface overload options are not supported):

    - Simple Static NAT configuration

    - Extended Static NAT configuration

    - Network Static NAT configuration

    - Dynamic NAT and Port Address Translation (PAT) configuration

    - NAT inside source, outside source, and inside destination rules

    - NAT rules for Virtual Routing and Forwarding (VRF) instances to IP

    - NAT rules for VRF-VRF (within the same VRF)

    Key Configuration Element for NAT BtoB HA

    You need to configure the following interfaces for NAT BtoB HA.

    Figure 1 shows the conceptual diagram of the configuration.

    - NAT inside/outside interface

    - RG control interface (used by the RG to exchange control information)

    - RG data interface (used to exchange NAT session data, etc.)

    - RG Asymmetric Routing (AR) interface (used to forward AR packets from Standby to Active; optional)

    The RG control, data and AR interfaces can be defined on the same physical interface.

    Figure 1: pic1.jpg

    NAT BtoB HA supports both the LAN-LAN configuration, in which both the inside and outside of NAT are made redundant, and the WAN-LAN configuration, in which only the inside is made redundant.
    Figure 2 shows the topology of each configuration.

    Figure 2: pic2.jpg

    Basic Configuration

    This section introduces a basic configuration example for each of the LAN-LAN and WAN-LAN configurations.

    Example: LAN-LAN Configuration

    This configuration example is based on the topology shown in Figure 3.

    Note that, unlike Stateful NAT, you do not need to configure HSRP (the standby ip command, etc.).

    Figure 3: pic3.jpg

    /// Router1 ///
    redundancy
     application redundancy
      group 1
       name RG1
       preempt
       priority 105
       control Ethernet0/1 protocol 1
       data Ethernet0/1
    
    interface Ethernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     redundancy rii 100
     redundancy group 1 ip 192.168.1.254 exclusive decrement 100
    
    interface Ethernet0/1
     ip address 192.168.3.1 255.255.255.0
    
    interface Ethernet1/0
     ip address 192.168.2.1 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     redundancy rii 101
     redundancy group 1 ip 192.168.2.254 exclusive decrement 100
    
    ip nat inside source static 192.168.1.3 192.168.2.3 redundancy 1 mapping-id 120

    /// Router2 ///
    redundancy
     application redundancy
      group 1
       name RG1
       preempt
       control Ethernet0/1 protocol 1
       data Ethernet0/1
    
    interface Ethernet0/0
     ip address 192.168.1.2 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     redundancy rii 100
     redundancy group 1 ip 192.168.1.254 exclusive decrement 100
    
    interface Ethernet0/1
     ip address 192.168.3.2 255.255.255.0
     
    interface Ethernet1/0
     ip address 192.168.2.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     redundancy rii 101
     redundancy group 1 ip 192.168.2.254 exclusive decrement 100
    
    ip nat inside source static 192.168.1.3 192.168.2.3 redundancy 1 mapping-id 120

     

    Example: WAN-LAN Configuration

    This configuration example is based on the topology shown in Figure 4.

    I have also configured the following features, but they are optional:

    - RG asymmetric routing (*1)

    - OSPF as the WAN-side routing protocol (*2)

    - Tracking whether the virtual IP (VIP) exists in the routing table, and redistributing the gateway address into the WAN-side routing protocol (OSPF) (*3)

    Figure 4: pic4.jpg

    /// Router1 ///
    redundancy
     application redundancy
      group 1
       name RG1
       preempt
       priority 105
       control Ethernet0/1 protocol 1
       data Ethernet0/1
       asymmetric-routing interface Ethernet0/1     (*1)
    
    track 100 ip route 192.168.1.254 255.255.255.255 reachability     (*3)
    
    interface Ethernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     redundancy rii 100
     redundancy group 1 ip 192.168.1.254 exclusive decrement 100
    
    interface Ethernet0/1
     ip address 192.168.3.1 255.255.255.0
    
    interface Ethernet1/0
     ip address 10.1.1.1 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     redundancy rii 101
     redundancy asymmetric-routing enable     (*1)
    
    router ospf 1    (*2)
     router-id 10.1.1.1
     redistribute static subnets
     network 10.0.0.0 0.255.255.255 area 0
    
    ip nat inside source static 192.168.1.3 10.10.10.10 redundancy 1 mapping-id 120
    
    ip route 10.10.10.10 255.255.255.255 Ethernet0/0 track 100    (*3)

    /// Router2 ///
    redundancy
     application redundancy
      group 1
       name RG1
       preempt
       control Ethernet0/1 protocol 1
       data Ethernet0/1
       asymmetric-routing interface Ethernet0/1     (*1)
    
    track 100 ip route 192.168.1.254 255.255.255.255 reachability    (*3)
    
    interface Ethernet0/0
     ip address 192.168.1.2 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     redundancy rii 100
     redundancy group 1 ip 192.168.1.254 exclusive decrement 100
    
    interface Ethernet0/1
     ip address 192.168.3.2 255.255.255.0
     
    interface Ethernet1/0
     ip address 10.2.2.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     redundancy rii 101
     redundancy asymmetric-routing enable     (*1)
    
    router ospf 1     (*2)
     router-id 10.2.2.1
     redistribute static subnets
     network 10.0.0.0 0.255.255.255 area 0
    
    ip nat inside source static 192.168.1.3 10.10.10.10 redundancy 1 mapping-id 120
    
    ip route 10.10.10.10 255.255.255.255 Ethernet0/0 track 100    (*3)
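Because the RG and NAT pieces must agree on both routers (same group with preempt and distinct priorities, the same rii and VIP on each interface pair, and NAT rules carrying the same redundancy group and mapping-id), a consistency check of the two configs before a failover test saves a lot of troubleshooting. The following Python script is an added example, not part of this article and not a Cisco tool. It understands only the commands shown in this article, embeds the LAN-LAN example above as constructed sample input, and reports the mismatch conditions this article calls out (a NAT interface without rii, a rule not tied to a redundancy group, interface overload); the function names and the dict layout are the script's own choices.

```python
"""Added example (not Cisco's tooling): check a NAT Box-to-Box HA router pair for
the configuration mismatches this article describes, using only the commands it shows."""
import re

# Router1 of the article's LAN-LAN example, embedded here as constructed sample input.
ROUTER1 = """\
redundancy
 application redundancy
  group 1
   name RG1
   preempt
   priority 105
   control Ethernet0/1 protocol 1
   data Ethernet0/1
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 redundancy rii 100
 redundancy group 1 ip 192.168.1.254 exclusive decrement 100
interface Ethernet0/1
 ip address 192.168.3.1 255.255.255.0
interface Ethernet1/0
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 redundancy rii 101
 redundancy group 1 ip 192.168.2.254 exclusive decrement 100
ip nat inside source static 192.168.1.3 192.168.2.3 redundancy 1 mapping-id 120
"""
# Router2 of the same example: its own addresses end in .2 and it carries no 'priority'.
ROUTER2 = ROUTER1.replace(".1 255.255.255.0", ".2 255.255.255.0").replace("   priority 105\n", "")


def parse_ios(name, text):
    """Pull out the RG, interface and NAT-rule facts that BtoB HA depends on."""
    cfg = {"name": name, "groups": {}, "intfs": {}, "rules": []}
    ctx = gid = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):                       # top-level command resets context
            ctx = gid = None
            if line.startswith("interface "):
                ctx = line.split(None, 1)[1]
                cfg["intfs"][ctx] = {"nat": None, "rii": None, "vip": None}
            elif line == "redundancy":
                ctx = "redundancy"
            elif line.startswith(("ip nat inside source", "ip nat outside source", "ip nat inside destination")):
                m = re.match(r"^(.*?)(?: redundancy (\d+) mapping-id (\d+))?$", line)
                cfg["rules"].append(m.groups())           # (rule text, RG id or None, mapping-id or None)
        elif ctx == "redundancy":
            if m := re.match(r"group (\d+)$", line):
                gid = m.group(1)
                cfg["groups"][gid] = {"priority": None, "preempt": False}
            elif gid and line == "preempt":
                cfg["groups"][gid]["preempt"] = True
            elif gid and (m := re.match(r"(name|priority|control|data) (\S+)", line)):
                cfg["groups"][gid][m.group(1)] = m.group(2)
        elif ctx in cfg["intfs"]:
            i, p = cfg["intfs"][ctx], line.split()
            if line in ("ip nat inside", "ip nat outside"):
                i["nat"] = p[-1]
            elif line.startswith("redundancy rii "):
                i["rii"] = p[-1]
            elif line.startswith("redundancy group "):
                i["vip"] = (p[2], p[4])                   # (RG id, virtual IP)
    return cfg


def check_pair(a, b):
    """Return findings for the pair; an empty list means no mismatch was found."""
    f = []
    for gid in a["groups"].keys() | b["groups"].keys():
        ga, gb = a["groups"].get(gid), b["groups"].get(gid)
        if ga is None or gb is None:
            f.append(f"group {gid}: defined on only one peer")
        elif not (ga["preempt"] and gb["preempt"]) or ga["priority"] == gb["priority"]:
            f.append(f"group {gid}: both peers need preempt and distinct priorities")
    for x, y in ((a, b), (b, a)):
        for ifname, i in x["intfs"].items():
            if i["nat"] and i["rii"] is None:
                f.append(f"{x['name']} {ifname}: NAT {i['nat']} interface lacks 'redundancy rii'")
        for rule, rg, mid in x["rules"]:
            if re.search(r"\binterface \S+ overload\b", rule):
                f.append(f"{x['name']}: interface overload is not supported with BtoB HA: '{rule}'")
            if rg is None:
                f.append(f"{x['name']}: rule is not tied to a redundancy group and will not sync: '{rule}'")
            elif (rule, rg, mid) not in y["rules"]:
                f.append(f"{x['name']}: no identical rule with mapping-id {mid} on {y['name']}: '{rule}'")
    for ifname in a["intfs"].keys() | b["intfs"].keys():
        ia, ib = a["intfs"].get(ifname, {}), b["intfs"].get(ifname, {})
        for key in ("nat", "rii", "vip"):
            if ia.get(key) != ib.get(key):
                f.append(f"{ifname}: '{key}' differs between peers ({ia.get(key)} vs {ib.get(key)})")
    return f


def audit(text_a, text_b):
    """Parse two running-configs and return the consistency findings."""
    return check_pair(parse_ios("Router1", text_a), parse_ios("Router2", text_b))
```

Against the article's LAN-LAN pair `audit(ROUTER1, ROUTER2)` returns no findings; feeding it the same config twice reports the equal priorities, and dropping `redundancy rii 101` from one peer reports both the missing rii and the per-interface difference. To use it on real devices, capture `show running-config` from each router separately and pass the two texts to `audit`.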

    Logs for TAC Analysis

    If possible, collect the following outputs before opening a TAC service request.

    show ip nat redundancy <RG-id>

    show ip nat translations redundancy <RG-id> [verbose]

    show redundancy application group <RG-id>

    show redundancy application protocol group <RG-id>

    show ip route

    show ip alias

    show ip cef

    show tech-support

    Consider the impact on the device before collecting debug output in a production network.

    debug ip nat [detailed]

    debug ip nat redundancy errors

    debug ip nat redundancy messages [detailed] [errors]

    debug ip nat redundancy packets

    debug ip nat redundancy db [errors]

    debug ip nat redundancy cf

    debug ip nat redundancy rf [errors]

    To clear the sessions of a specific RG group, issue the following commands:

    clear ip nat translation redundancy <RG-id> *

    clear ip nat translation redundancy <RG-id> forced

    For further details, refer to the following document on Cisco.com.

    IP Addressing: NAT Configuration Guide, Cisco IOS Release 15M&T

    NAT Box-to-Box High-Availability Support

    http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/iadnat-b2b-ha.htm

    Related Information

    Original Document:https://supportforums.cisco.com/ja/document/12049976
    Author: Toshiaki Kasakake
    Posted on January 8, 2014

    Comments
    New Member

    This is a great article, but can HA-NAT be used to load balance traffic between two NAT routers, or can GLBP be run in conjunction with this? If so, can you provide example configs with GLBP?

    New Member

    Hello!

    Is there any method to do Box-to-Box NAT HA with 4-5 outside NAT addresses? I tried to do so with VRRP, but in that case I get only 6 Mb/s of NAT performance on an ISR-4431. Is there a capability to configure 4-5 HA VIP addresses toward the WAN without loss of performance?

    Thank you!