
NAT HSRP and RouteMap

m-haddad (Level 5)

Hello,

 

We have site to site VPNs. We also have HSRP between two routers and static NAT for one of our servers.

 

Before HSRP we were using NAT with route-map to deny NATing traffic from the server to remote site-to-site VPNs. As you can see below:

ip nat inside source static 192.168.3.14 62.84.64.x route-map MSExchange_NAT

route-map MSExchange_NAT permit 1
 match ip address 110

access-list 110 remark For Exchange Outbound NAT Rule
access-list 110 deny ip host 192.168.3.14 192.168.30.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 192.168.4.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 192.168.10.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 10.11.0.0 0.0.31.255
access-list 110 permit ip host 192.168.3.14 any


Now we still have the same scenario but with HSRP. In order to make NAT with HSRP work you have to use the redundancy keyword in the NAT command. However, using the redundancy keyword would not allow us to enter the route-map. It is either route-map or redundancy. Entering redundancy without route-map will cause site-to-site traffic to also be NATed.

 

Any ideas how to overcome the above problem?

 

Regards,

 
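To make the route-map behaviour in the question concrete, here is an added Python model (not from the original post or from Cisco) of how IOS evaluates ACL 110 for the static translation: entries are checked top down, wildcard masks are converted to prefixes, and a flow the ACL denies (explicitly, or by the implicit deny at the end) is one the route-map does not match, so it leaves untranslated. The ACL entries are the ones posted above; the destination addresses in the demo are constructed.

```python
import ipaddress

def _parse_addr(tokens, i):
    """One IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Wildcard bits set to 1 are "don't care", so the subnet mask is the wildcard's
    # complement (contiguous wildcards only: 0.0.31.255 -> 255.255.224.0 -> /19).
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1]))
    net = ipaddress.ip_network((tokens[i], str(ipaddress.IPv4Address(mask))), strict=False)
    return net, i + 2

def parse_ace(line):
    """Parse 'access-list N {permit|deny} ip SRC DST'; remark lines give None."""
    t = line.split()
    if t[2] == "remark":
        return None
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return {"action": t[2], "src": src, "dst": dst}

def acl_decision(acl, src, dst):
    """First matching entry wins; no match hits the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if s in ace["src"] and d in ace["dst"]:
            return ace["action"]
    return "deny"

def nat_applies(acl, src, dst):
    """'route-map MSExchange_NAT permit 1' with 'match ip address 110': the static
    translation is used only when the ACL permits the flow; a deny (explicit or
    implicit) means the route-map does not match and the packet leaves untranslated."""
    return acl_decision(acl, src, dst) == "permit"

# ACL 110 exactly as posted in the question.
ACL_110 = [a for a in map(parse_ace, """\
access-list 110 remark For Exchange Outbound NAT Rule
access-list 110 deny ip host 192.168.3.14 192.168.30.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 192.168.4.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 192.168.10.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 10.11.0.0 0.0.31.255
access-list 110 permit ip host 192.168.3.14 any""".splitlines()) if a]

if __name__ == "__main__":
    # Constructed destinations: two VPN-side subnets, one just outside the /19, one Internet host.
    for dst in ("192.168.30.7", "10.11.17.5", "10.11.40.5", "8.8.8.8"):
        print(dst, "NAT" if nat_applies(ACL_110, "192.168.3.14", dst) else "no NAT")
```

Note that 10.11.40.5 is NATed: the wildcard 0.0.31.255 only exempts 10.11.0.0/19, so any remote VPN subnet outside that range needs its own deny entry.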

Accepted Solution

Hi,

It should work just the same. I did not specify both translations in the quick sample, but the syntax and functionality is the same...

 

interface Ethernet0/0
 ...
 standby 1 name HSRPNAME
...
ip nat Stateful id 2
 redundancy HSRPNAME
  mapping-id 10
  protocol tcp
ip nat inside source static 1.1.1.1 2.2.2.2 route-map BLAH mapping-id 10
ip nat inside source static 1.1.1.1 3.3.3.3 route-map BLAH2 mapping-id 10
...


And within each route-map used, you specify the conditions under which the static translation will take effect.

 

ROUTER#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 2.2.2.2            1.1.1.1            ---                ---
--- 3.3.3.3            1.1.1.1            ---                ---

9 Replies

omadrid (Cisco Employee)

Depending on the platform/version you are using, you can use Stateful NAT (SNAT).

(I am going from memory here, so please parse out the syntax)

 

R1
==
interface Ethernet 0/0
 ...
 standby name SNATHSRP

ip nat stateful id 1
 redundancy SNATHSRP
  mapping-id 10

ip nat inside source static 1.1.1.1 2.2.2.2 route-map BLAH mapping-id 10


R2
==
interface Ethernet 0/0
 ...
 standby name SNATHSRP

ip nat stateful id 2
 redundancy SNATHSRP
  mapping-id 10

ip nat inside source static 1.1.1.1 2.2.2.2 route-map BLAH mapping-id 10


 

More info...

 

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_white_paper09186a0080118b04.shtml

 

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801124ad.html

 

 

Best Regards,

 

 

Oscar

Hello Oscar,

Thanks for the above links. However, I have two NATs for the server because I have two ISPs and two HSRP groups running, one for each ISP. Using the above method allows having only one stateful NAT and redundancy group.

Any ideas?

Regards,

Hello Oscar,

SNAT can work for dynamic NAT. However, as I said before, I have static NATs for the same server to two ISPs and also site-to-site VPNs.

Regards,

Hello,

 

Thanks for the above feedback. However, I already did the same, but I still got an IP address conflict between the HSRP routers. I read on Cisco that SNAT is applicable for dynamic NATing and not static NATing. Static NATing requires using the redundancy keyword with the HSRP group name, but not together with a route-map.

 

Waiting for your feedback,

 

Regards,

 

Hello,

 

I figured out that when I issue the command

show ip snat distributed

I can see the local ID correctly, but the remote ID is 0, which is incorrect.

I have access lists on the interfaces. What does SNAT use as its TCP port?

 

Regards,

 

Hello, it worked correctly when I removed the access list. Do you know which TCP port is required to be opened in the access list?

Regards,

Hello,

I discovered the port: it is TCP 15555. Thanks for the help.

Regards,
