Cisco Support Community
Silver

NAT HSRP and RouteMap

Hello,

We have site to site VPNs. We also have HSRP between two routers and static NAT for one of our servers.

Before HSRP we were using NAT with route-map to deny NATing traffic from the server to remote site-to-site VPNs. As you can see below:

ip nat inside source static 192.168.3.14 62.84.64.x route-map MSExchange_NAT

route-map MSExchange_NAT permit 1
 match ip address 110

access-list 110 remark For Exchange Outbound NAT Rule
access-list 110 deny ip host 192.168.3.14 192.168.30.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 192.168.4.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 192.168.10.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 10.11.0.0 0.0.31.255
access-list 110 permit ip host 192.168.3.14 any

Now we still have the same scenario but with HSRP. In order to make NAT with HSRP work you have to use the redundancy keyword in the NAT command. However, using the redundancy keyword would not allow us to enter the route-map. It is either route-map or redundancy. Entering redundancy without the route-map will cause site-to-site traffic to also be NATed.

Any ideas how to overcome the above problem?

Regards,

Cisco Employee

Re: NAT HSRP and RouteMap

Depending on the platform/version you are using, you can use Stateful NAT (SNAT).

(I am going from memory here, so please parse out the syntax.)

R1
==

interface Ethernet 0/0
 ...
 standby name SNATHSRP

ip nat stateful id 1
 redundancy SNATHSRP
  mapping-id 10

ip nat inside source static 1.1.1.1 2.2.2.2 route-map BLAH mapping-id 10

R2
==

interface Ethernet 0/0
 ...
 standby name SNATHSRP

ip nat stateful id 2
 redundancy SNATHSRP
  mapping-id 10

ip nat inside source static 1.1.1.1 2.2.2.2 route-map BLAH mapping-id 10

More info...

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_white_paper09186a0080118b04.shtml

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801124ad.html

Best Regards,

Oscar

Silver

Re: NAT HSRP and RouteMap

Hello Oscar,

Thanks for the above links. However, I have two NATs for the server because I have two ISPs and two HSRP groups running, one for each ISP. Using the above method allows us to have only one stateful NAT and redundancy group.

Any ideas?

Regards,

Silver

Re: NAT HSRP and RouteMap

Hello Oscar,

SNAT can work for dynamic NAT. However, as I said before, I have static NATs for the same server to two ISPs and also site-to-site VPNs.

Regards,

Cisco Employee

Re: NAT HSRP and RouteMap (Accepted Solution)

Hi,

It should work just the same. I did not specify both translations in the quick sample, but the syntax and functionality are the same...

interface Ethernet0/0
 ...
 standby 1 name HSRPNAME
 ...

ip nat stateful id 2
 redundancy HSRPNAME
  mapping-id 10
  protocol tcp

ip nat inside source static 1.1.1.1 2.2.2.2 route-map BLAH mapping-id 10
ip nat inside source static 1.1.1.1 3.3.3.3 route-map BLAH2 mapping-id 10

...

And within each route-map used, you specify the conditions under which the static translation will take effect.

ROUTER#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 2.2.2.2            1.1.1.1            ---                ---
--- 3.3.3.3            1.1.1.1            ---                ---

Silver

Re: NAT HSRP and RouteMap

Hello,

Thanks for the above feedback. However, I already did the same, but I still got an IP address conflict between the HSRP routers. I read on Cisco that SNAT is applicable to dynamic NATing and not static NATing. Static NATing requires using the "redundancy" keyword with the HSRP group name, but not together with a route-map.

Waiting for your feedback,

Regards,

Silver

Re: NAT HSRP and RouteMap

Hello,

I figured out that when I issue the command

show ip snat distributed

I can see the local ID correctly, but the remote ID is 0, which is incorrect.

I have access lists on the interfaces. What does SNAT use as its TCP port?

Regards,

Silver

Re: NAT HSRP and RouteMap

Hello, it worked correctly when I removed the access list. Do you know which TCP port is required to be opened in the access list?

Regards,

Silver

Re: NAT HSRP and RouteMap

Hello,

I discovered the port: it is TCP 15555. Thanks for the help.

Regards,
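The thread turns on two ACL questions: the original post's route-map, where ACL 110 decides which of the Exchange server's flows get the static translation, and the final finding that an interface ACL was silently dropping the SNAT peering on TCP 15555. The Python below is an added example (not code from the thread or from Cisco) that models both with one small evaluator for IOS-style extended ACLs. ACL 110 is taken verbatim from the first post; the HSRP router addresses 192.168.3.2 and 192.168.3.3, ACL 120, and the sample destinations are constructed assumptions.

```python
"""Added example, not from the thread: a small evaluator for IOS-style
extended ACLs used to check (1) the route-map NAT exemption, where
'match ip address 110' applies the static translation only to flows ACL 110
permits, and (2) whether an interface ACL admits the router-to-router SNAT
session on TCP 15555, the port the thread identifies.
Router addresses and ACL 120 are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq N", if any


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    prefix = 32 - wc.bit_length()
    if (1 << (32 - prefix)) - 1 != wc:       # only contiguous wildcards
        raise ValueError(f"non-contiguous wildcard mask {tokens[i + 1]}")
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def parse_acl(config: str, number: int) -> List[AclEntry]:
    """Collect 'access-list <number> ...' lines, skipping remarks.
    Only a destination 'eq <port>' is understood; source ports are ignored."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        entries.append(AclEntry(t[2], t[3], src, dst, dport))
    return entries


def evaluate(entries, proto, src, dst, dport=None) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto not in ("ip", proto) or s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


def nat_applies(entries, src, dst) -> bool:
    """'route-map ... match ip address <acl>': translate only flows the ACL
    permits; denied flows leave the router with their real source address."""
    return evaluate(entries, "ip", src, dst) == "permit"


SNAT_PORT = 15555   # TCP port the thread identifies for the SNAT session


def snat_peering_allowed(entries, router_a, router_b) -> bool:
    """Either router may open the SNAT session, so the setup packet must pass
    in both directions. Return traffic (source port 15555) is not modelled;
    a stateless interface ACL also has to admit it."""
    return (evaluate(entries, "tcp", router_a, router_b, SNAT_PORT) == "permit"
            and evaluate(entries, "tcp", router_b, router_a, SNAT_PORT) == "permit")


ACL_110 = """\
access-list 110 remark For Exchange Outbound NAT Rule
access-list 110 deny ip host 192.168.3.14 192.168.30.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 192.168.4.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 192.168.10.0 0.0.0.255
access-list 110 deny ip host 192.168.3.14 10.11.0.0 0.0.31.255
access-list 110 permit ip host 192.168.3.14 any
"""  # ACL 110 exactly as posted in the thread

ROUTER_A, ROUTER_B = "192.168.3.2", "192.168.3.3"   # assumed HSRP peers
ACL_120_BLOCKING = """\
access-list 120 permit tcp any host 192.168.3.14 eq 25
access-list 120 permit tcp any host 192.168.3.14 eq 443
"""  # constructed: only published services, so SNAT peering is dropped
ACL_120_FIXED = ACL_120_BLOCKING + f"""\
access-list 120 permit tcp host {ROUTER_A} host {ROUTER_B} eq {SNAT_PORT}
access-list 120 permit tcp host {ROUTER_B} host {ROUTER_A} eq {SNAT_PORT}
"""

if __name__ == "__main__":
    acl110 = parse_acl(ACL_110, 110)
    for dst in ("192.168.30.5", "10.11.17.9", "10.11.32.1", "203.0.113.9"):
        print(f"192.168.3.14 -> {dst}: translated={nat_applies(acl110, '192.168.3.14', dst)}")
    for name, text in (("blocking", ACL_120_BLOCKING), ("fixed", ACL_120_FIXED)):
        ok = snat_peering_allowed(parse_acl(text, 120), ROUTER_A, ROUTER_B)
        print(f"ACL 120 ({name}): SNAT peering on TCP {SNAT_PORT} allowed={ok}")
```

Running it shows the two behaviours side by side: a flow from 192.168.3.14 to 10.11.17.9 hits the 10.11.0.0/19 deny and goes out untranslated (the VPN case), while 10.11.32.1 lies just outside that wildcard and is translated; and the constructed interface ACL only stops breaking `show ip snat distributed` once the peer-to-peer TCP 15555 lines are added. The wildcard-to-prefix conversion rejects non-contiguous masks on purpose, since an ACL entry that silently matched the wrong range is exactly the kind of mistake that widens a NAT exemption.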
