While configuring NATing I am confused with the following commands in NAT. I
request you to help me in clarifying this
"ip nat inside source static x.x.x.x y.y.y.y redundancy HSRP-1
What does this " redundancy" command do in stateful Nating. I also noticed
that when i used this command NAT translation entry is not exchanged between active / standby HSRP router.
How it differs from *mapping-id 100* command.
Hope you will help me on this and thanks in advance
I tried to search whether any other post were made raising the same doubt.To my surprise it is here. The link is below
The answer was provided by Mr.Mark, the exerpts is below:
"Replied by: mark.yeates - Network Engineer, NGIT - Jun 10, 2008, 3:03pm PST
The command enables the router to respond to ARP queries using BIA MAC if HSRP is configured on the NAT inside interface.The goal is to statefully keep track of the ARP queries between the active and standby routers. The difference between using the virtual IP vs the HSRP redundancy command in the static map is the MAC address that is used. Hope this helps
But I donot understand why the router has to BIA MAC if HSRP is enabled on NAT enabled interface
What is the need of it and advantage. Can anybody help me on this
I tried to look at configuration examples and the command you mention looks like incomplete missing the mapping-id.
the redundancy name has to be shared between the standby group and the NAT stateful instance.
According to 12.4 IP Addressing command reference the redundancy parameter has the following meaning:
(Optional) Establishes NAT redundancy.
NAT redundancy and stateful NAT can be two different strategies and this could explain why you don't see exchange of NAT entries between the two routers.
You need to configure it as explained in first links and as you noted.
I remember we tested SNAT three years ago and it was working correctly.
about Mark's note my guess is the following:
in stateful NAT with HSRP the HSRP active device has to play the role of active NAT device.
The command may help the active device to perform the correct NAT translations on packets sent to HSRP vip's MAC address.
However, I'm under the impression that a NAT stateless redundancy could be possible and that for stateful a logical link between the standby group name and the stateful nat object has to be done with the mapping-id parameter.
Hope to help
your post developed confidence in me with the concept. But can you please explain further the why and what is the behaviour of "redundancy CCIE"
"ip nat inside source static x.x.x.x y.y.y.y redundancy CCIE"
I noticed that this keyword "redundancy CCIE" is not used in configuration when Stateful NAT is enabled.
The link you refered are useful, But i have made thorough study before writing here.
see the redundancy CCIE as a pointer to another object that has an attribute /name "CCIE"
the same is used for Stateful IPSec
we have a paif of C7200 NPE G2 with stateful ipsec
on internal network there is
standby 20 ip 10.98.144.20
standby 20 priority 90
standby 20 preempt
standby 20 name HA-ins
then the redundancy inter-device object in config points to the name
scheme standby HA-ins
Commands are slightly different but the concept is the same a name is used like a label to put in relationship two objects like NAT and HSRP in your case.
Hope to help
Very good explanation. I got it.
Now another point raised in my mind.
If so, then how it differs from stateful nat command
ip nat stateful 1
What is the difference. I tried this in lab yesterday. I found to be similar.
I may be refering some thing wrong. Please clarify this point.
thanks for your kind remarks.
very similar indeed.
in stateful NAT as I wrote the syntax is slightly different and you assign the label "CCIE" to both the standby group name and to the ip nat stateful instance 1.
Here the same label is used in the two objects that have to be linked
so redundancy CCIE says points to whatever object has an attribute with this string.
From a conceptual point of view I think it is very similar.
Hope to help
This topic picked the interest. I tested the setup using "redundancy HSRP-GROUP" keyword in "ip nat inside source" command. The result is as below:
Two Routers running HSRP
R2 - ACTIVE
R3 - STANDY
Configurations are attached for your kind reference.
1. I created static one to one NAT in both the routers R2 & R3 (as shown in attached configuration)
2. when i telnet an outside host from an inside host, NAT table is formed in R2. But it is not replicated in R3.
3. When i made the R2 inside port down, R3 router become active and new nat translation is created in R3. Where is the connection is statefull here??
Then i read somewhere that it is very useful only in PAT scenario. So started to configure PAT in routers
But, I donot see "redundancy" key word. (see the attachment for output)
Please tell me where I am deviating from the point?
Thanks in advance and I am scrathing my head for the past one day. please help
I tried to take this details. No where it is available clearly, Seems CISCO has not documented this to the depth.
Shall i wait for your comments
your results confirm this is a stateless redundancy not able to pass nat entries states between the two devices.
>> 3. When i made the R2 inside port down, R3 router become active and new nat translation is created in R3. Where is the connection is statefull here??
Practical usage of this is zero and everyone is going to use real stateful NAT in real world networks.
This can be the residual of old times pre -SNAT support.
Hope to help