Star-crossed Lovers: HSRP/VRRP and NAT

I was doing an HSRP lab the other day, and a project from the past popped into my head. A customer had a host on a network that was separated from the rest of the network by a 1700 with a couple of FEs. They wanted that host to be NATted to a local address so that they didn’t have to do any routing, which makes sense, I guess. This is just your standard 1-to-1 NAT, so we plunked down a quick config.

The setup had two networks with 192.168.0.0/24 on the customer’s local network and 192.168.1.0/24 on the “DMZ” (Yes, I know it’s not really a DMZ). We want to NAT 192.168.1.100 to 192.168.0.100.

interface FastEthernet0/0
ip address 192.168.0.10 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
ip address 192.168.1.10 255.255.255.0
ip nat outside
!
ip nat inside source static 192.168.1.100 192.168.0.100

This works great, but then the customer asked for some redundancy. He wanted a second router inline that could take over in case of failure on the original. “Piece of cake,” I thought and went about setting up the HSRP stuff on both the original and new second routers.

interface FastEthernet0/0
standby ip 192.168.0.1
standby preempt
standby name MYHSRP

But what about that NAT thing? If the primary router goes down, the NAT goes down with it. If I configure the secondary router for the NAT, we get an IP conflict. I looked around for a while and found a feature introduced in IOS version 12.2(4) that allows a NAT to follow an HSRP or VRRP active member. If a router is the active member of an HSRP or VRRP cluster, the NAT is with that box; if it fails over, the standby IP and the NAT move. Isn’t that cool? The only caveat is that it keys off the name/description of the HSRP/VRRP cluster instead of the ID, so you have to have that configured as we do above.

ip nat inside source static 192.168.1.100 192.168.0.100 redundancy MYHSRP

Let’s test to be sure it works. On the active member (a router called NAT0), we can look at the ARP table and see that this router is speaking for the NAT address of 192.168.0.100 as well as the HSRP IP of 192.168.0.1. The secondary member (NAT1) only has ARP entries for its interface IPs. Looks good so far.

NAT0#show standby brief
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 0 100 P Active local 192.168.0.11 192.168.0.1
NAT0#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.0.100 - c800.12bc.0000 ARPA FastEthernet0/0
Internet 192.168.0.10 - c800.12bc.0000 ARPA FastEthernet0/0
Internet 192.168.1.10 - c800.12bc.0001 ARPA FastEthernet0/1
Internet 192.168.0.1 - 0000.0c07.ac00 ARPA FastEthernet0/0
...
NAT1#show standby brief
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 0 100 P Standby 192.168.0.10 local 192.168.0.1
NAT1#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.11 - c801.12bc.0001 ARPA FastEthernet0/1
Internet 192.168.0.11 - c801.12bc.0000 ARPA FastEthernet0/0

When I shut down F0/0 on NAT0, the HSRP and NAT both roll over to NAT1.

NAT0(config)#int f0/0
NAT0(config-if)#shut
*Mar 1 00:30:25.248: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Active -> Init
*Mar 1 00:30:27.263: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar 1 00:30:28.265: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
NAT0#
NAT0#sh stand b
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 0 100 P Init unknown unknown 192.168.0.1
NAT0#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.10 - c800.12bc.0001 ARPA FastEthernet0/1
...
NAT1#sh stand b
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 0 100 P Active local unknown 192.168.0.1
NAT1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.0.100 - c801.12bc.0000 ARPA FastEthernet0/0
Internet 192.168.1.11 - c801.12bc.0001 ARPA FastEthernet0/1
Internet 192.168.0.11 - c801.12bc.0000 ARPA FastEthernet0/0
Internet 192.168.0.1 - 0000.0c07.ac00 ARPA FastEthernet0/0
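The two checks above (before and after the failover) can be turned into a scripted assertion. The following is an added example, not code from the original post: it parses `show standby brief` and `show arp` text and confirms that the NAT address is ARP-owned by exactly one router and that this router is the HSRP Active member, which also catches the IP-conflict case of both routers answering for it. The sample output embedded in it is constructed from the NAT0/NAT1 lab output shown above.

```python
"""Verify that a static NAT address follows the HSRP Active member.

Added example, not from the original post. It parses `show standby brief`
and `show arp` text and checks the invariant the post relies on: the NAT
address is ARP-owned by exactly one router, the HSRP Active one. Two owners
is the IP-conflict case the post describes; none means the NAT did not move.
"""
import re

NAT_ADDR = "192.168.0.100"
HSRP_STATES = ("Active", "Standby", "Init", "Listen", "Speak", "Learn")

# Constructed sample modelled on the post's lab before failover:
# NAT0 is Active and answers for the NAT address, NAT1 is Standby.
BEFORE = {
    "NAT0": (
        "Interface Grp Prio P State Active Standby Virtual IP\n"
        "Fa0/0 0 100 P Active local 192.168.0.11 192.168.0.1\n",
        "Protocol Address Age (min) Hardware Addr Type Interface\n"
        "Internet 192.168.0.100 - c800.12bc.0000 ARPA FastEthernet0/0\n"
        "Internet 192.168.0.1 - 0000.0c07.ac00 ARPA FastEthernet0/0\n",
    ),
    "NAT1": (
        "Interface Grp Prio P State Active Standby Virtual IP\n"
        "Fa0/0 0 100 P Standby 192.168.0.10 local 192.168.0.1\n",
        "Protocol Address Age (min) Hardware Addr Type Interface\n"
        "Internet 192.168.0.11 - c801.12bc.0000 ARPA FastEthernet0/0\n",
    ),
}

def hsrp_state(standby_brief):
    """State of the first group line; scanning tokens means a missing
    preempt flag (the P column) cannot shift the column index."""
    for line in standby_brief.splitlines()[1:]:
        for tok in line.split():
            if tok in HSRP_STATES:
                return tok
    return "unknown"

def owns_address(arp_table, addr):
    """True if addr has a local ARP entry (age '-') on this router."""
    pat = r"^Internet\s+%s\s+-\s" % re.escape(addr)
    return re.search(pat, arp_table, re.M) is not None

def check_nat_follows_hsrp(routers, nat_addr=NAT_ADDR):
    """routers maps name -> (show standby brief, show arp). Returns (ok, owners):
    ok only when exactly one router owns nat_addr and it is the HSRP Active one."""
    owners = sorted(n for n, (_, arp) in routers.items() if owns_address(arp, nat_addr))
    active = sorted(n for n, (sb, _) in routers.items() if hsrp_state(sb) == "Active")
    return len(owners) == 1 and owners == active, owners
```

Feed it the post-failover output and the result should flip to NAT1 as the sole owner; if both routers show a local entry for the NAT address, the check fails and names both.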

Now we have redundancy and NAT on the same cluster. Sweet. I also did the same lab for VRRP, but I’ll spare you the innards. When you configure VRRP, you can give it a description, which is the same as the name in HSRP. You use that string as the redundancy name to have a NAT move with VRRP. Yes, you can do both an HSRP- and VRRP-based NAT at the same time.

*I labbed this out on a Dynamips/Dynagen instance of two 2651XM routers running 12.4(19) Advanced Enterprise. Like all the configs here, your mileage may vary if you have different versions or feature sets on your routers.

Edit: I wanted to make a note on GLBP and NAT. Since all the nodes in a GLBP cluster actually route traffic and are routed to, you can’t use this type of NAT solution with it. I don’t know what the best practice would be, but I imagine it would involve running HSRP on a few routers as we talked about above.

Aaron Conaway


3 comments for “Star-crossed Lovers: HSRP/VRRP and NAT”

  1. November 20, 2008 at 9:30 am

    I am having this exact problem… HSRP on 2 routers, and the same NAT on both. Getting IP conflicts. Will attempt to set this up and see. Hopefully this will fix my issues…

    Thanks

  2. November 20, 2008 at 2:15 pm

    Let us know if it works out. If not, we’ll try to find another solution for you.

  3. Khan
    November 5, 2013 at 12:14 pm

    I need to configure HSRP on WAN links. I am hosting servers (Web server, Citrix, App servers, etc.). I have IPs from ISPs. I am also using IP SLA for Internet failover on the router. Now I want to set up router failover using HSRP. The config of both my routers is as below.

    track 10 ip sla 1 reachability
    delay down 1 up 1
    !
    track 20 ip sla 2 reachability
    delay down 1 up 1
    !
    !
    !
    !
    interface GigabitEthernet0/0
    no ip address
    ip virtual-reassembly in
    duplex auto
    speed auto
    media-type rj45
    !
    interface GigabitEthernet0/0.7
    description Voice-Vlan
    encapsulation dot1Q 7
    ip address 192.168.7.3 255.255.255.0
    ip helper-address 192.168.10.15
    ip helper-address 192.168.10.16
    !
    interface GigabitEthernet0/0.8
    description IT-Vlan
    encapsulation dot1Q 8
    ip address 192.168.8.3 255.255.255.0
    ip helper-address 192.168.10.15
    ip helper-address 192.168.10.16
    ip nat inside
    ip virtual-reassembly in
    !
    interface GigabitEthernet0/0.9
    description Regency-Vlan
    encapsulation dot1Q 9
    ip address 192.168.9.3 255.255.255.0
    ip helper-address 192.168.10.15
    ip helper-address 192.168.10.16
    ip nat inside
    ip virtual-reassembly in
    !
    interface GigabitEthernet0/0.10
    description Servers-&-Switches-Vlan
    encapsulation dot1Q 10
    ip address 192.168.10.7 255.255.255.0
    ip helper-address 192.168.10.16
    no ip redirects
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly in
    ip policy route-map PBR
    !
    interface FastEthernet0/0/1
    ip address 50.x.x.14 255.255.255.252
    ip nat outside
    ip virtual-reassembly in
    duplex full
    speed 100
    crypto map vpn
    !
    interface FastEthernet0/1/0
    ip address 162.x.x.34 255.255.255.224
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    !
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    ip nat inside source route-map ISP1 interface FastEthernet0/0/1 overload
    ip nat inside source route-map ISP2 interface FastEthernet0/1/0 overload
    ip nat inside source static tcp 192.168.10.53 80 50.x.x.52 80 route-map ISP1 extendable
    ip nat inside source static tcp 192.168.10.53 80 162.x.x.35 80 route-map ISP2 extendable
    ip route 0.0.0.0 0.0.0.0 50.x.x.13 track 10
    ip route 0.0.0.0 0.0.0.0 162.x.x.62 200
    !
    ip access-list extended acl_internet
    deny ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    permit ip 192.168.0.0 0.0.255.255 any
    ip access-list extended acl_natisp1
    deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    permit ip 192.168.0.0 0.0.255.255 any
    ip access-list extended acl_natisp2
    deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    permit ip 192.168.0.0 0.0.255.255 any
    ip access-list extended acl_ncsvpn
    permit ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255
    ip access-list extended acl_vpn
    permit ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    !
    ip sla 1
    icmp-echo 50.x.x.13
    threshold 500
    timeout 500
    frequency 1
    ip sla schedule 1 life forever start-time now
    ip sla 2
    icmp-echo 162.x.x.62
    threshold 500
    timeout 500
    frequency 1
    ip sla schedule 2 life forever start-time now
    !
    !
    !
    !
    route-map PBR permit 10
    match ip address acl_natisp1
    set ip next-hop verify-availability 50.x.x.13 1 track 10
    !
    route-map PBR permit 20
    match ip address acl_natisp2
    set ip next-hop verify-availability 162.x.x.62 2 track 20
    !
    route-map ISP2 permit 20
    match ip address acl_internet
    match interface FastEthernet0/1/0
    !
    route-map ISP1 permit 10
    match ip address acl_internet
    match interface FastEthernet0/0/1
