
Stateful NAT

Stateful NAT allows you to configure routers to synchronise their NAT tables.  It is useful in situations where you have redundant gateways and need the traffic to flow uninterrupted in the event of a failover.


The first thing to set up is the stateful NAT mapping id.  This determines how the routers communicate their NAT information.  You can configure the synchronisation to use either UDP or TCP.  The redundancy name must match the HSRP group name used in the interface configuration later.





ip nat stateful id 1
 redundancy HSRP_IN
  mapping-id 1
  as-queuing disable
  protocol udp

We now need to create the NAT and HSRP settings on the interfaces.  Obviously we are setting the NAT inside and outside.  Each HSRP group tracks the opposite interface so that the priority is reduced if that interface fails, triggering a failover.

interface FastEthernet0/0
 ip address 10.44.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 standby ip 10.44.0.1
 standby priority 110
 standby preempt
 standby name HSRP_IN
 standby track FastEthernet0/1 20

interface FastEthernet0/1
 ip address 10.159.12.152 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 standby ip 10.159.12.151
 standby priority 110
 standby preempt
 standby track FastEthernet0/0 20

Next we set up a NAT rule to translate the correct traffic.  Note that the mapping-id number in the inside NAT statement refers to the mapping-id we set up earlier; without it the translations created by this rule are not synchronised.

access-list 100 permit ip 10.44.0.0 0.0.0.255 any
ip nat pool test 10.159.12.154 10.159.12.155 netmask 255.255.255.0

ip nat inside source list 100 pool test mapping-id 1 overload

You need to put the config on both routers.  The stateful information is transferred over the HSRP interfaces.
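The three pieces above only work together when the mapping-id in the NAT rule and the redundancy name in the stateful block both resolve to something that exists.  The following is an added example, not part of the original post or of any Cisco tooling: a small Python script that parses an IOS-style config (sub-commands indented by a space, as in a running-config) and reports a missing stateful block, a missing mapping-id reference, or a redundancy name that matches no `standby name`.  The embedded config is the post's own, trimmed; the `_blocks` helper and the function names are this example's, not an IOS feature.

```python
import re

# Constructed sample: the post's config, trimmed to the lines that matter here.
SAMPLE_CONFIG = """\
ip nat stateful id 1
 redundancy HSRP_IN
  mapping-id 1
  as-queuing disable
  protocol udp
!
interface FastEthernet0/0
 ip address 10.44.0.2 255.255.255.0
 ip nat inside
 standby ip 10.44.0.1
 standby name HSRP_IN
 standby track FastEthernet0/1 20
!
interface FastEthernet0/1
 ip address 10.159.12.152 255.255.255.0
 ip nat outside
 standby ip 10.159.12.151
!
access-list 100 permit ip 10.44.0.0 0.0.0.255 any
ip nat pool test 10.159.12.154 10.159.12.155 netmask 255.255.255.0
ip nat inside source list 100 pool test mapping-id 1 overload
"""


def _blocks(config):
    """Yield (top-level command, [indented sub-commands]) pairs; '!' and blank lines are skipped."""
    header, subs = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            subs.append(raw.strip())
        else:
            if header is not None:
                yield header, subs
            header, subs = raw.strip(), []
    if header is not None:
        yield header, subs


def parse_stateful_blocks(config):
    """Map each 'ip nat stateful id' block's mapping-id to its redundancy (HSRP group) name."""
    result = {}
    for header, subs in _blocks(config):
        if not header.lower().startswith("ip nat stateful id"):
            continue
        redundancy = mapping = None
        for sub in subs:
            parts = sub.split()
            if parts[0] == "redundancy":
                redundancy = parts[1]
            elif parts[0] == "mapping-id":
                mapping = int(parts[1])
        if mapping is not None:
            result[mapping] = redundancy
    return result


def parse_standby_names(config):
    """Collect every 'standby [group] name <name>' configured on an interface."""
    names = set()
    for header, subs in _blocks(config):
        if header.startswith("interface"):
            for sub in subs:
                m = re.match(r"standby(?: \d+)? name (\S+)", sub)
                if m:
                    names.add(m.group(1))
    return names


def parse_nat_mapping_refs(config):
    """Return the mapping-ids referenced by 'ip nat inside source ... mapping-id N' rules."""
    refs = []
    for header, _ in _blocks(config):
        m = re.match(r"ip nat inside source .* mapping-id (\d+)", header)
        if m:
            refs.append(int(m.group(1)))
    return refs


def check_stateful_nat(config):
    """Return a list of consistency problems; an empty list means the cross-references line up."""
    problems = []
    blocks = parse_stateful_blocks(config)
    names = parse_standby_names(config)
    refs = parse_nat_mapping_refs(config)
    if not refs:
        problems.append("no 'ip nat inside source ... mapping-id' rule: translations will not be synchronised")
    for ref in refs:
        if ref not in blocks:
            problems.append(f"mapping-id {ref} is referenced but no 'ip nat stateful' block defines it")
    for mid, red in blocks.items():
        if red is None:
            problems.append(f"stateful block for mapping-id {mid} has no redundancy name")
        elif red not in names:
            problems.append(f"redundancy name {red!r} (mapping-id {mid}) matches no 'standby name' on any interface")
    return problems


if __name__ == "__main__":
    for problem in check_stateful_nat(SAMPLE_CONFIG) or ["config is consistent"]:
        print(problem)
```

Run it against the output of `show running-config` from each router before enabling the feature; the same check on both boxes also catches the case where only one of them received the stateful block.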

If you issue a show nat translations you will now see that the NAT translations are synchronised between the two routers.
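Eyeballing two translation tables is fine for a lab; for a production pair you want a diff.  The following is an added example, not from the original post: a Python script that parses the five-column layout of `show ip nat translations` (Pro, Inside global, Inside local, Outside local, Outside global) from the active and standby routers and lists entries that exist on one side only.  The two outputs embedded below are constructed samples, not captures from the routers in the post.

```python
# Constructed sample output in the 'show ip nat translations' column layout.
# Addresses are documentation ranges; none of this was captured from a real router.
ACTIVE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 10.159.12.154:1025    10.44.0.10:1025       203.0.113.5:53        203.0.113.5:53
tcp 10.159.12.154:1026    10.44.0.11:49152      198.51.100.7:443      198.51.100.7:443
tcp 10.159.12.155:1027    10.44.0.12:49153      198.51.100.9:80       198.51.100.9:80
"""

# The standby has not (yet) received the third translation.
STANDBY_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 10.159.12.154:1025    10.44.0.10:1025       203.0.113.5:53        203.0.113.5:53
tcp 10.159.12.154:1026    10.44.0.11:49152      198.51.100.7:443      198.51.100.7:443
"""


def parse_translations(output):
    """Return the set of (proto, inside_global, inside_local, outside_local, outside_global)
    tuples in the output.  The header row and any line that is not five columns wide
    (summary lines, blank lines) are skipped; static entries with '---' fields still parse."""
    entries = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        entries.add(tuple(fields))
    return entries


def compare_translations(active_output, standby_output):
    """Diff the two tables.  Entries present on the active but absent on the standby are the
    ones that would break on failover; entries only on the standby are stale leftovers."""
    active = parse_translations(active_output)
    standby = parse_translations(standby_output)
    missing = sorted(active - standby)
    extra = sorted(standby - active)
    return {
        "in_sync": not missing and not extra,
        "missing_on_standby": missing,
        "extra_on_standby": extra,
    }


def format_report(result):
    """Render the comparison as one line per discrepancy."""
    if result["in_sync"]:
        return "NAT tables are synchronised"
    lines = []
    for entry in result["missing_on_standby"]:
        lines.append("missing on standby: " + " ".join(entry))
    for entry in result["extra_on_standby"]:
        lines.append("stale on standby:   " + " ".join(entry))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_translations(ACTIVE_OUTPUT, ACTIVE_OUTPUT)))
    print(format_report(compare_translations(ACTIVE_OUTPUT, STANDBY_OUTPUT)))
```

Feed it the plain (not `verbose`) form of the command from each router.  A handful of entries missing on the standby straight after they were created is normal while the sync message is in flight; a steadily growing gap means the stateful exchange is not working, which is exactly the condition the failover delay at the end of this post is there to cover.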

If a link goes down the HSRP fails over and due to the NAT tables already being synced the traffic can continue to flow uninterrupted.  The only issue we did notice was that when the failed link came up after a stateful failover the traffic flow stopped.  We determined that this was because whilst the link was down the NAT sync was not able to work.  When the link is restored the HSRP switchover happens before the stateful info can be transferred.  To fix this we need to introduce a delay to the HSRP failover to allow the routers enough time to sync up before switching over.

The first command below prevents the HSRP process from starting up until the timer has expired.  The second prevents the router from preempting the active router until the timer expires.

standby delay minimum 60 reload 60
standby 1 preempt delay minimum 60 reload 60 sync 60
