I have a highly redundant four-ISP internet access design with four independent perimeter routers.
Each router is configured with a public /24 network between itself and an upstream ISP router.
Each of the routers is configured for PAT for outgoing internet traffic, which is load-balanced by a 4-node firewall cluster, which routes outbound traffic through 1 of the 4 perimeter routers.
One of the 4 routers has static NAT entries to allow incoming traffic to a selection of internal resources.
As the next step, I want to allow incoming traffic to the internal resources via NAT statements configured on each of the four routers to provide link redundancy.
The issue is that traffic returning through the perimeter routers doesn't necessarily egress through the same router as it ingresses through, and is therefore not correctly NATted.
To initially correct this, policy-based routing has been employed to forward egressing traffic returning to the client from an internal resource to the first router, which will have handled the ingressing traffic.
I.e. I need to be able to allow access to an individual internal site via a NAT statement configured on each of the four routers.
I therefore ideally need to employ stateful NAT across the four routers to correctly handle egressing traffic which ingresses and egresses through different routers (asymmetric traffic through 4 routers performing NAT).
So far, with phase 2 of SNAT, it still appears to only be possible to configure a pair of routers, i.e. one primary and a backup?
Thanks for the links. Unfortunately I'd already reviewed these, and although asymmetric routing support is possible, it only supports either HSRP integrated mode (which we don't use) or only a single master and slave, whereas we have 4 routers which need to share NAT information.
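
The asymmetric-return problem described in this thread, as a small constructed model (an added example, not part of the original posts and not router configuration). The addresses, the router names R1 to R4, the assumption that each router publishes the server on an address from its own ISP range, and the hash used to stand in for the firewall cluster's load balancing are all assumptions made for illustration.

```python
import zlib

SERVER = "10.0.0.10"  # constructed internal resource
# Constructed addresses: the same server published on each router's own ISP range.
STATIC_NAT = {"R1": "192.0.2.10", "R2": "198.51.100.10",
              "R3": "203.0.113.10", "R4": "203.0.113.138"}
ROUTERS = sorted(STATIC_NAT)

def nat_inbound(router, pkt):
    """Outside -> inside: rewrite the router's public address to the server."""
    src, dst = pkt
    if dst != STATIC_NAT[router]:
        raise ValueError(f"{router} has no static entry for {dst}")
    return (src, SERVER)

def nat_outbound(router, pkt):
    """Inside -> outside: rewrite the server to THIS router's public address."""
    src, dst = pkt
    return (STATIC_NAT[router] if src == SERVER else src, dst)

def hashed_egress(reply):
    """Stand-in for the firewall cluster's load balancing (assumed per-flow hash)."""
    return ROUTERS[zlib.crc32("|".join(reply).encode()) % len(ROUTERS)]

def session(client, ingress, pin_to_ingress):
    """Return (egress router, reply source seen by the client, accepted?)."""
    request = (client, STATIC_NAT[ingress])
    client_ip, server_ip = nat_inbound(ingress, request)
    reply = (server_ip, client_ip)
    # Pinning models return traffic being forced back to the ingress router.
    egress = ingress if pin_to_ingress else hashed_egress(reply)
    seen_src, _ = nat_outbound(egress, reply)
    # The client only accepts a reply from the address it connected to.
    return egress, seen_src, seen_src == request[1]

def survey(client, pin_to_ingress):
    """Run one session per ingress router for the same (constructed) client."""
    return {r: session(client, r, pin_to_ingress) for r in ROUTERS}

if __name__ == "__main__":
    for pin in (False, True):
        print("pinned to ingress" if pin else "load-balanced egress")
        for r, (egress, seen, ok) in survey("198.18.0.7", pin).items():
            print(f"  in={r} out={egress} reply-src={seen} accepted={ok}")
```

With load-balanced egress only the session whose ingress happens to match the chosen egress router is accepted; pinning return traffic to the ingress router requires knowing which router that was, which is the per-flow state the four routers would have to share.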