07-18-2006 02:44 PM - last edited on 02-11-2022 01:40 AM by Translator
Hello,
We have site to site VPNs. We also have HSRP between two routers and static NAT for one of our servers.
Before HSRP we were using NAT with route-map to deny NATing traffic from the server to remote site-to-site VPNs. As you can see below:
ip nat inside source static 192.168.3.14 62.84.64.x route-map MSExchange_NAT
route-map MSExchange_NAT permit 1
match ip address 110
access-list 110 remark For Exchange Outbound NAT Rule
access-list 110 deny ip host 192.168.3.14 192.168.30.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 192.168.4.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 192.168.10.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 10.11.0.0 0.0.31.255
access-list 110 permit ip host 192.168.3.14 any
Now we still have the same scenario but with HSRP. In order to make NAT with HSRP work you have to use the redundancy keyword in the NAT command. However, using the redundancy keyword does not allow us to enter the route-map; it is either route-map or redundancy. Entering redundancy without route-map will cause site-to-site traffic to also be NATed.
Any ideas how to overcome the above problem.
Regards,
07-18-2006 04:50 PM - last edited on 02-11-2022 01:33 AM by Translator
Depending on the platform/version you are using, you can use Stateful NAT (SNAT).
(I am going from memory here, so please parse out the syntax.)
R1
==
interface Ethernet 0/0
...
standby name SNATHSRP
ip nat stateful id 1
redundancy SNATHSRP
mapping-id 10
ip nat inside source static 1.1.1.1 2.2.2.2 route-map BLAH mapping-id 10
R2
==
interface Ethernet 0/0
...
standby name SNATHSRP
ip nat stateful id 2
redundancy SNATHSRP
mapping-id 10
ip nat inside source static 1.1.1.1 2.2.2.2 route-map BLAH mapping-id 10
More info...
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_white_paper09186a0080118b04.shtml
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801124ad.html
Best Regards,
Oscar
07-19-2006 07:57 AM
Hello Oscar,
Thanks for the above links. However, I have two NATs for the server because I have two ISPs and two HSRP groups running, one for each ISP. Using the above method allows us to have only one stateful NAT and redundancy group.
Any ideas?
Regards,
07-20-2006 08:08 AM
Hello Oscar,
Thanks for the above links. However, I have two NATs for the server because I have two ISPs and two HSRP groups running, one for each ISP. Using the above method allows us to have only one stateful NAT and redundancy group.
Any ideas?
Regards,
07-20-2006 09:45 AM
Hello Oscar,
SNAT can work for dynamic NAT. However, as I said before, I have static NATs for the same server to two ISPs and also site-to-site VPNs.
Regards,
07-20-2006 01:04 PM - last edited on 02-11-2022 01:34 AM by Translator
Hi,
It should work just the same. I did not specify both translations in the quick sample, but the syntax and functionality are the same...
interface Ethernet0/0
...
standby 1 name HSRPNAME
...
ip nat stateful id 2
redundancy HSRPNAME
mapping-id 10
protocol tcp
ip nat inside source static 1.1.1.1 2.2.2.2 route-map BLAH mapping-id 10
ip nat inside source static 1.1.1.1 3.3.3.3 route-map BLAH2 mapping-id 10
...
And within each route-map used, you specify the conditions under which the static translation will take effect.
ROUTER#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
--- 2.2.2.2 1.1.1.1 --- ---
--- 3.3.3.3 1.1.1.1 --- ---
07-20-2006 01:16 PM - last edited on 02-11-2022 01:35 AM by Translator
Hello,
Thanks for the above feedback. However, I already did the same, and I still got an IP address conflict between the HSRP routers. I read on Cisco that SNAT is applicable for dynamic NATing and not static NATing. Static NATing requires using the redundancy keyword with the HSRP group name, but not together with a route-map.
Waiting for your feedback,
Regards,
07-20-2006 01:38 PM - last edited on 02-11-2022 01:36 AM by Translator
Hello,
I figured out that when I issue the command show ip snat distributed, I can see the local ID correctly, but the remote ID is 0, which is incorrect.
I have access lists on the interfaces. What does SNAT use as its TCP port?
Regards,
07-20-2006 01:40 PM
Hello, it worked correctly when I removed the access list. Do you know which TCP port is required to be opened on the access list?
Regards,
07-20-2006 02:34 PM
Hello,
I discovered the port: it is TCP 15555. Thanks for the help.
Regards,
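The thread turns on two ACL questions: which destinations the route-map ACL from the first post exempts from static NAT, and which interface ACL entry is needed so the SNAT peers can talk on TCP 15555 (the port found at the end). The following script is an added example, not code from any poster or from Cisco: it evaluates Cisco IOS numbered extended ACLs with the router's first-match semantics and implicit trailing deny, parses the poster's access-list 110 verbatim, and checks a constructed interface ACL. The peer router addresses 10.1.1.2 and 10.1.1.3 and ACL 120 are made up for the example.

```python
"""First-match evaluation of Cisco IOS numbered extended ACLs.

Added example (not from the thread's posters or from Cisco): it parses the
poster's access-list 110 from the first message and a CONSTRUCTED interface
ACL, then answers the two questions the thread turns on:
  * which destinations the NAT route-map exempts from translation
  * whether an interface ACL lets the SNAT peer session (TCP 15555) through
The peer router addresses 10.1.1.2 / 10.1.1.3 are made-up sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL = 0xFFFFFFFF


def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, else "tcp"/"udp"
    src: tuple                   # (address, match-mask); mask bit 1 = must match
    dst: tuple
    dport: Optional[int] = None  # destination port from "eq N", None = any


def take_addr(toks):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return (0, 0), toks[1:]
    if toks[0] == "host":
        return (ip_int(toks[1]), ALL), toks[2:]
    # IOS wildcard bits set to 1 are don't-care, so the match mask is the complement
    return (ip_int(toks[0]), ~ip_int(toks[1]) & ALL), toks[2:]


def parse_acls(text: str) -> dict:
    """Return {acl_number: [Ace, ...]} in the order the entries were written."""
    acls = {}
    for raw in text.strip().splitlines():
        toks = raw.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[2] == "remark":
            continue
        number, action, proto, rest = toks[1], toks[2], toks[3], toks[4:]
        src, rest = take_addr(rest)
        dst, rest = take_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        acls.setdefault(number, []).append(Ace(action, proto, src, dst, dport))
    return acls


def matches(spec, addr: int) -> bool:
    net, mask = spec
    return (addr & mask) == (net & mask)


def evaluate(aces, proto, src, dst, dport=None) -> str:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    s, d = ip_int(src), ip_int(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (matches(ace.src, s) and matches(ace.dst, d)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def nat_decision(aces, src, dst) -> str:
    """A route-map 'match ip address' clause matches only on an ACL permit,
    so a deny entry (or the implicit deny) sends the packet out untranslated."""
    return "translate" if evaluate(aces, "ip", src, dst) == "permit" else "exempt"


# The poster's NAT ACL, copied from the first message of the thread.
NAT_ACL = """
access-list 110 remark For Exchange Outbound NAT Rule
access-list 110 deny ip host 192.168.3.14 192.168.30.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 192.168.4.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 192.168.10.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 10.11.0.0 0.0.31.255
access-list 110 permit ip host 192.168.3.14 any
"""

# CONSTRUCTED interface ACL: permits only the SNAT peer session (TCP 15555, the
# port the thread ends on) from the peer router 10.1.1.3 to this router 10.1.1.2.
PEER_ACL = """
access-list 120 permit tcp host 10.1.1.3 host 10.1.1.2 eq 15555
"""

ACLS = parse_acls(NAT_ACL + PEER_ACL)

if __name__ == "__main__":
    for dst in ("192.168.30.5", "10.11.20.7", "10.11.40.1", "198.51.100.9"):
        print(dst, nat_decision(ACLS["110"], "192.168.3.14", dst))
    print("snat peer:", evaluate(ACLS["120"], "tcp", "10.1.1.3", "10.1.1.2", 15555))
```

Running it shows the VPN destinations (including 10.11.20.7, which falls inside the 10.11.0.0 0.0.31.255 wildcard range) come back as exempt while 10.11.40.1 and Internet destinations are translated; the same evaluator reports that the peer ACL admits TCP 15555 from the peer and nothing else, which is the check the thread's last posts were making by hand.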