Saturday, June 2, 2012

Configuring NAT - NAT Stateful Failover with HSRP

If you work in a high availability environment (largest options exchange in the world) like I do, then you know the value of redundant design. I dislike being caught off-guard and putting out fires. Therefore, I try to make redundancy a part of my design, and when "it" hits the fan users aren't breathing down my neck. And I can actually concentrate on fixing the issue rather than grabbing a bucket of water to put out a house fire. That is the basis for this blogtorial, which is how to configure NAT Stateful Failover with HSRP.

Please read my previous NAT posts if you need a refresher on NAT. At this point, I am assuming you are fairly familiar with NAT and its concepts, so I will get right down to business and spare you the usual ABCs of NATing. Stateful NAT (SNAT) adds one thing to plain NAT: the two HSRP routers exchange their translation tables, so when the active router dies the standby already holds every live translation and existing sessions survive the failover instead of being reset.

Consider this simple topology and let's get started.


First let's get the easiest router configured (R5).


  • Set the interface IP
  • Set the interface description
  • Add a default static route whose next hop is the HSRP virtual address, so R5 always forwards to whichever router is currently active
Next let's get the inside interfaces configured on R2 and R3.

  1. Set the IP of R2's fast1/0.
  2. Define fast1/0 as NAT inside.
  3. Configure the HSRP virtual (floating) address. This is the address R5 uses as its default gateway.
  4. Set the timers so HSRP can converge faster. The defaults are 3 and 10 seconds (hello and hold time).
  5. Set the priority to 120 so R2 becomes the active HSRP router. The default is 100.
  6. Configure preempt, which is off by default. It is needed here: without it R2 will not reclaim the active role after it recovers from a failure.
  7. Configure the HSRP group name. The Stateful NAT configuration later refers to the HSRP group by this name.
  8. Configure tracking so that when fast1/1 (the NAT outside interface) goes down R2's priority is decremented by 30, from 120 to 90. That is below R3's 100, so R3 takes over the HSRP address.
  9. Set the IP of R3's fast1/0.
  10. Define fast1/0 as NAT inside.
  11. Configure the same HSRP virtual address.
  12. Once again adjust the timers so HSRP can converge faster. They should match R2's.
  13. Configure preempt. On R3 this is what makes the tracking on R2 useful: a standby router only takes over from an active router whose priority has dropped below its own if it is allowed to preempt.
  14. Configure the same HSRP group name.
  15. Configure tracking. R3 keeps the default priority of 100, decremented by 10 if its fast1/1 goes down.
Time to get the outside interfaces configured. 

  1. Set the IP address of R2's outside interface.
  2. Define R2 fast1/1 as the NAT outside interface.
  3. Set the IP address of R3's outside interface.
  4. Define R3 fast1/1 as the NAT outside interface.
Run 'show standby brief' to verify HSRP is working as expected: R2 should be Active and R3 Standby, both on the same virtual address.


We are going to configure BGP later to advertise our NAT pool to R4, so let's get a 'discard route' into the routing table first: a static route for the pool prefix pointing to Null0. The BGP network statement only advertises a prefix that exists in the routing table, and the pool addresses are never assigned to an interface, so the discard route is what makes the prefix eligible. Packets that arrive for a pool address with no matching translation simply hit Null0 and are dropped.


Now let's move on to the NAT statements.

  1. Assign the Stateful ID on R2. This identifies the router to its peer, so it must be different on R2 and R3.
  2. Create the redundancy and attach the HSRP group name. We defined RED earlier in the HSRP configuration.
  3. Assign the mapping-id, which ties this redundancy to the NAT statement. It must match on both routers.
  4. Assign the protocol used for the translation exchange between the routers. UDP is the default; TCP is also available.
  5. Create the NAT pool. It should be the same pool on both routers, since a translation created on one is used by the other after a failover.
  6. Configure the NAT statement. Note that the mapping-id is 100, which we defined earlier.
  7. Create the access-list that matches the traffic to be NAT'd.
  8. Assign the Stateful ID on R3. It must be different from R2's.
  9. Create the redundancy and attach the HSRP group name. We defined RED earlier in the HSRP configuration.
  10. Assign the mapping-id, which will be used in the NAT statement. It must match R2's.
  11. Assign the protocol used for the translation exchange between the routers. UDP is the default; TCP is also available.
  12. Create the same NAT pool.
  13. Configure the NAT statement. Note that the mapping-id is 100, which we defined earlier.
  14. Create the access-list that matches the traffic to be NAT'd.
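Putting the HSRP and Stateful NAT steps above together, here is a complete configuration for R5, R2 and R3. This is an added example, not the configuration from the original screenshots. The addressing (10.1.1.0/24 inside with HSRP virtual IP 10.1.1.1, 1.1.1.0/24 outside, NAT pool 192.168.100.0/24), HSRP group number 1, the 1/3 second timers, R5's interface name and the pool and ACL names are assumptions; the group name RED, mapping-id 100, stateful ids 1 and 2, priority 120 and the track decrements of 30 and 10 follow the steps above. The 'standby authentication' lines are added hardening not in the post: without them any host on the inside segment can send HSRP hellos with priority 255 and take over the virtual address, which puts it in the path of every inside host.

```cisco
! ===== R5: inside host, only needs a default route to the HSRP virtual IP =====
! (added example; 10.1.1.x addressing and the interface name are assumed)
hostname R5
interface FastEthernet0/0
 description INSIDE - towards R2/R3 HSRP group
 ip address 10.1.1.5 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.1

! ===== R2: preferred HSRP active router, stateful id 1 =====
hostname R2
interface FastEthernet1/0
 description INSIDE - NAT inside, HSRP group RED
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 standby 1 ip 10.1.1.1
 standby 1 timers 1 3
 standby 1 priority 120
 standby 1 preempt
 standby 1 authentication md5 key-string HsrpSecret1
 standby 1 name RED
 standby 1 track FastEthernet1/1 30
interface FastEthernet1/1
 description OUTSIDE - NAT outside, towards R4
 ip address 1.1.1.2 255.255.255.0
 ip nat outside
! discard route: puts the pool prefix in the RIB so BGP's network statement can advertise it
ip route 192.168.100.0 255.255.255.0 Null0
! stateful id must differ per router; redundancy name and mapping-id must match the peer
ip nat stateful id 1
 redundancy RED
  mapping-id 100
  protocol udp
ip nat pool NATPOOL 192.168.100.1 192.168.100.254 netmask 255.255.255.0
ip nat inside source list 1 pool NATPOOL mapping-id 100
access-list 1 permit 10.1.1.0 0.0.0.255

! ===== R3: standby router, stateful id 2, default priority 100 =====
hostname R3
interface FastEthernet1/0
 description INSIDE - NAT inside, HSRP group RED
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
 standby 1 ip 10.1.1.1
 standby 1 timers 1 3
 standby 1 preempt
 standby 1 authentication md5 key-string HsrpSecret1
 standby 1 name RED
 standby 1 track FastEthernet1/1 10
interface FastEthernet1/1
 description OUTSIDE - NAT outside, towards R4
 ip address 1.1.1.3 255.255.255.0
 ip nat outside
ip route 192.168.100.0 255.255.255.0 Null0
ip nat stateful id 2
 redundancy RED
  mapping-id 100
  protocol udp
ip nat pool NATPOOL 192.168.100.1 192.168.100.254 netmask 255.255.255.0
ip nat inside source list 1 pool NATPOOL mapping-id 100
access-list 1 permit 10.1.1.0 0.0.0.255
```

Failover arithmetic to check against 'show standby brief': R2 runs at 120 and R3 at 100. If R2's Fa1/1 drops, R2 falls to 90, R3 preempts and becomes active, and because the translation table was already synced the existing sessions keep flowing through R3. If both outside links fail the two routers tie at 90 and HSRP breaks the tie in favour of the higher interface IP. Note also that the translation exchange between the peers is neither authenticated nor encrypted, so the segment carrying it should be one that only R2 and R3 (and hosts you trust) can reach.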
Now let's get R4 configured; it is fairly straightforward.

  1. Set the IP of this interface. 
  2. Create a new instance of BGP. 
  3. Set the timers so BGP can converge quickly. 
  4. Create the R2 neighbor. 
  5. Set the weight so R2 will be preferred to reach the NAT POOL. Weight is local to R4 and is never advertised to other BGP speakers.
  6. Create the R3 neighbor. 
Let's get BGP configured on R2 and R3. The configuration is identical on both, so whichever router is alive keeps the pool reachable.

  1. Create a new instance of BGP.
  2. Advertise the NAT POOL with the network statement. This is why we needed the discard route.
  3. Configure the neighbor statement with remote-as 2.
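The BGP side of the design, as an added example (not the post's own configuration) using the same assumed addressing as the HSRP example above: R2 at 1.1.1.2, R3 at 1.1.1.3, R4 at 1.1.1.4 and the pool 192.168.100.0/24. R4's AS 2 comes from the remote-as in the steps above; AS 1 for R2 and R3, R4's interface name, the weight of 200 and the 10/30 second keepalive/hold timers are assumptions.

```cisco
! ===== R4 (AS 2): peers with both NAT routers, prefers R2 for the pool via weight =====
hostname R4
interface FastEthernet0/0
 description towards R2/R3 outside segment
 ip address 1.1.1.4 255.255.255.0
router bgp 2
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor 1.1.1.2 remote-as 1
 neighbor 1.1.1.2 weight 200
 neighbor 1.1.1.3 remote-as 1

! ===== R2 (AS 1): advertise the pool; the Null0 discard route makes the prefix eligible =====
router bgp 1
 bgp log-neighbor-changes
 timers bgp 10 30
 network 192.168.100.0 mask 255.255.255.0
 neighbor 1.1.1.4 remote-as 2

! ===== R3 (AS 1): identical, so the pool stays reachable when R2 is gone =====
router bgp 1
 bgp log-neighbor-changes
 timers bgp 10 30
 network 192.168.100.0 mask 255.255.255.0
 neighbor 1.1.1.4 remote-as 2
```

One design gap worth checking in your own deployment: the outside-interface tracking and the BGP session both live on Fa1/1, so losing that link fails both HSRP and BGP over to R3 cleanly. If instead R2's inside interface Fa1/0 fails, HSRP moves to R3 (R2 stops hearing hellos on that segment) but R2 still advertises the pool to R4 from its discard route, and R4 still prefers it by weight. Return traffic then lands on R2, which can no longer reach the inside, and is dropped. Tracking the inside interface as well, or tying the advertisement to it with BGP conditional advertisement, closes that hole.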
Run 'show ip snat distributed verbose' to verify that Stateful NAT is configured and working as expected.

  • Note that both routers show the state as being ready.
  • We can also see that R2 is Active and R3 is Standby, as expected.
  • As of right now we do not have any NAT translations, which you can verify by typing 'show ip nat translations'.
Now let's ping R4 (1.1.1.4) from R5 and see what happens on R2 and R3.

  1. Ping R4 (1.1.1.4).
  2. R2, the active router, creates the translations.
  3. R3 has the same translations, received from R2 over the stateful exchange.
As you can see, both routers hold the same NAT translations, which is exactly what lets a session survive when R3 takes over the HSRP address.

Troubleshooting

  • show standby brief
  • debug ip nat detail
  • debug ip snat detail
  • debug standby
  • show ip nat translations
  • show ip snat distributed
  • show ip nat statistics
  • Email arwinatgmail.com :)
Conclusion 

NAT Stateful Failover with HSRP is a great high availability solution. However, as with any solution, careful consideration must be given to designing it properly or else you may be spending time polishing your resume. In particular, make sure the failure you track (here the outside interface) is the one that actually takes a router out of the path, authenticate HSRP so a rogue host cannot claim the virtual address, keep the translation exchange between the peers on a segment you trust, and confirm that Stateful NAT is available on your platform and IOS release before you build a design around it.

If you like my blogtorials, please subscribe/comment/+1/spread the word :) 

Thank you.