
Policy NAT - Redundancy Circuits

lxcollin1
Level 1

Hello,

I am looking for a solution for my network in which I have 2 circuits terminating into one router. BGP is not an option...

I have one circuit connected to Serial 0/0 (Service Provider-A), and another connected to Serial 1/0 (Service Provider-B). SP-A has a static route for 1.1.1.0/30, which is connected to Fa0/0. 1.1.1.1 is used for my users' NAT address.

Serial 1/0 (SP-B) has the same setup... a static route from the ISP to Fa1/0 (2.2.2.1/30).

Here is the question: is it possible to give my users different NAT addresses depending on whether the circuit is up or down? I want users to use 1.1.1.1/30 when Serial0/0 is up, but if it fails they should use Serial1/0. Is this possible?

Thanks for your help!!!!

11 Replies

pkhatri
Level 11

Hi,

Let me see if I understand you correctly: you want your traffic to be sent out via serial0/0 as the primary link. When that is done, you want to NAT the traffic to 1.1.1.1. If serial0/0 is down, you want to use serial1/0, NATing the traffic to 2.2.2.1.

If that is what you want, here is how you could do it:

interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet1/0
 ip nat inside
!
interface Serial0/0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
!
interface Serial1/0
 ip address 2.2.2.1 255.255.255.252
 ip nat outside
!
! Primary default route via Serial0/0. The floating static (distance 250) via
! Serial1/0 only enters the routing table once the primary route is withdrawn.
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial1/0 250
!
! Overload (PAT) onto whichever outside interface the routing decision selected.
ip nat inside source route-map ISP1-map interface Serial0/0 overload
ip nat inside source route-map ISP2-map interface Serial1/0 overload
!
route-map ISP1-map permit 10
 match ip address 1
 match interface Serial0/0
!
route-map ISP2-map permit 10
 match ip address 1
 match interface Serial1/0
!
! Inside hosts eligible for translation; narrow 'any' to the users' subnet.
access-list 1 permit any

Pls do remember to rate posts.

Paresh

Hi Paresh,

I am sure this will work but just want to confirm something on this setup.

If Ser0/0 is up it will NAT with that interface's IP and there will be a NAT translation entry in the NAT table. Let's say Ser0/0 went down; will the NAT entry also disappear automatically, because it gets cleared after its idle time period, which is 4 hrs by default?

Regards,

Ankur

Hi Ankur,

I'm pretty sure the NAT entries do not disappear as soon as the interface goes down. They will expire as per the expiry time for the type of connection. It's up to 24 hours for TCP connections and much less for UDP connections (5 minutes).

So you should get most of the non-TCP translations expiring in about 5 minutes. As for the TCP connections, they are irrelevant. The applications will have to time out the TCP connections themselves and re-connect. There is no graceful way to switch a TCP connection from one source address to another.

Hope I answered your question ... let me know if I did not.

Cheers,

Paresh

Hi Paresh,

Yes, this is what I thought. So if the NAT entry for the first translation is already present and the route gets removed because the interface is down, will there not be a problem?

Regards,

Ankur

Hi Paresh,

I made a bonehead error in my question... the users' segment is connected to one interface (Fa0/0). Will this same scenario still work?

I want users to use a NAT address of ISP-1 if Serial0/0 is up. If Serial 0/0 goes down, they should use a NAT address of ISP-2.

Thanks and sorry for the typo.

Absolutely... just ignore the config for the second ethernet interface. Everything else stays the same.

Paresh

Ankur,

To answer your question.. no, there will not be a problem at all with these obsolete entries in the translation table, apart from the fact that they will use up a bit of memory. Any new connections established after the link goes down will result in new translations being created and used.

Paresh

Hi Paresh,

But in case a NAT table entry is already created for an inside host with the pool of ISP1, and ISP1 goes down, will IOS create another NAT table entry as per the second NAT statement?

I have experienced the same instance on a 2600 with IOS version 12.0 and it didn't work. Let's wait for the reply of the case owner to confirm this.

Regards,

Aashish C

Aashish,

It will. Because any new connections will use a new source port (since it is dynamically chosen), the router will find that there are no matching NAT translation entries in the translation table and it will create a new one. There will, of course, be certain cases where the above does not hold true and you need to wait for the entries to clear out or clear the translation table manually.

Paresh

Great!! I will give this a try tomorrow morning. One more question... does the "match interface serial0/0" statement only match if the interface is "UP"?

The way the static route is configured, you will only route out the serial0/0 interface if it is up. NAT is only done after the routing decision; therefore, if the router has decided to route the packet out serial0/0, it must be up. So the 'match interface serial0/0' command will only come into play when the interface is up.

Pls do remember to rate posts.

Paresh
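The behaviour Paresh describes across this thread (routing decided first, route-map 'match interface' applied afterwards, obsolete translations lingering until their timer expires or the table is cleared) can be modelled in a few dozen lines. The following Python model is an added example, not code from the thread or from Cisco; the inside host 10.0.0.5, the source ports and the timestamps are constructed values, and the translation table is keyed only on inside source address, port and protocol, which is a simplification of a real IOS NAT table.

```python
from dataclasses import dataclass

# IOS default aging for dynamic translations, as quoted in the thread:
# TCP entries live up to 24 h, UDP entries 5 min (constants in this model).
TCP_TIMEOUT = 24 * 3600
UDP_TIMEOUT = 5 * 60


@dataclass
class StaticRoute:
    """A default route out of 'interface'; distance 250 makes it a floating static."""
    interface: str
    distance: int = 1


@dataclass
class NatRule:
    """One 'ip nat inside source route-map ... interface X overload' statement."""
    match_interface: str   # the route-map's 'match interface'
    inside_global_ip: str  # address PAT uses on that interface


@dataclass
class Translation:
    inside_local: tuple    # (ip, port)
    inside_global: tuple   # (ip, port)
    proto: str
    last_seen: float

    def timeout(self):
        return TCP_TIMEOUT if self.proto == "tcp" else UDP_TIMEOUT


class Router:
    def __init__(self, routes, nat_rules):
        self.routes = sorted(routes, key=lambda r: r.distance)
        self.nat_rules = {r.match_interface: r for r in nat_rules}
        self.link_up = {r.interface: True for r in routes}
        self.translations = {}  # (src_ip, src_port, proto) -> Translation

    def set_link(self, interface, up):
        self.link_up[interface] = up

    def egress_interface(self):
        """Routing decision: lowest-distance default route whose interface is up
        (a static route pointing at a down interface is withdrawn from the RIB)."""
        for route in self.routes:
            if self.link_up[route.interface]:
                return route.interface
        return None

    def expire(self, now):
        """Age out idle entries the way the NAT translation timers would."""
        self.translations = {k: t for k, t in self.translations.items()
                             if now - t.last_seen < t.timeout()}

    def clear_translations(self):
        """Model of 'clear ip nat translation *'."""
        self.translations = {}

    def forward(self, src_ip, src_port, proto, now):
        """Return (egress interface, inside-global (ip, port)), or None if unroutable.
        NAT runs after routing, so 'match interface' can only pick an up interface."""
        self.expire(now)
        egress = self.egress_interface()
        if egress is None:
            return None
        key = (src_ip, src_port, proto)
        entry = self.translations.get(key)
        if entry is None:
            rule = self.nat_rules[egress]
            port = self._free_port(rule.inside_global_ip, src_port, proto)
            entry = Translation((src_ip, src_port), (rule.inside_global_ip, port), proto, now)
            self.translations[key] = entry
        entry.last_seen = now  # an existing entry is reused even when it is obsolete
        return egress, entry.inside_global

    def _free_port(self, ip, wanted, proto):
        """PAT: keep the source port if free on this global address, else the next free one."""
        used = {t.inside_global[1] for t in self.translations.values()
                if t.inside_global[0] == ip and t.proto == proto}
        port = wanted
        while port in used:
            port += 1
        return port


def failover_scenario():
    """Replay the thread's case; returns the (egress, inside_global) seen at each step."""
    router = Router(
        [StaticRoute("Serial0/0", 1), StaticRoute("Serial1/0", 250)],
        [NatRule("Serial0/0", "1.1.1.1"), NatRule("Serial1/0", "2.2.2.1")],
    )
    steps = {}
    steps["tcp_before"] = router.forward("10.0.0.5", 40000, "tcp", now=0)
    steps["udp_before"] = router.forward("10.0.0.5", 53000, "udp", now=0)
    router.set_link("Serial0/0", False)  # primary circuit fails
    steps["tcp_stale"] = router.forward("10.0.0.5", 40000, "tcp", now=60)   # old flow, old entry
    steps["tcp_new"] = router.forward("10.0.0.5", 40001, "tcp", now=60)     # new flow, ISP2 address
    steps["udp_after_expiry"] = router.forward("10.0.0.5", 53000, "udp", now=60 + UDP_TIMEOUT)
    router.clear_translations()          # operator clears the table instead of waiting 24 h
    steps["tcp_after_clear"] = router.forward("10.0.0.5", 40000, "tcp", now=700)
    return steps


if __name__ == "__main__":
    for name, result in failover_scenario().items():
        print(f"{name:18} {result}")
```

The scenario shows the two outcomes the thread discusses: a connection that keeps using its pre-failover source port is still translated to 1.1.1.1 even though it now leaves via Serial1/0 (the obsolete entry Paresh mentions, whose return traffic will never arrive), while any new connection picks up a 2.2.2.1 translation immediately. On a real router, `show ip nat translations` lists such leftover entries and `clear ip nat translation *` removes them without waiting for the TCP timer.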
