Star-crossed Lovers: HSRP/VRRP and NAT
I was doing an HSRP lab the other day, and a project from the past popped into my head. A customer had a host on a network that was separated from the rest of the network by a 1700 with a couple of FEs. They wanted that host to be NATted to a local address so that they didn’t have to do any routing, which makes sense, I guess. This is just your standard 1-to-1 NAT, so we plunked down a quick config.
The setup had two networks with 192.168.0.0/24 on the customer’s local network and 192.168.1.0/24 on the “DMZ” (Yes, I know it’s not really a DMZ). We want to NAT 192.168.1.100 to 192.168.0.100.
interface FastEthernet0/0
ip address 192.168.0.10 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
ip address 192.168.1.10 255.255.255.0
ip nat outside
!
ip nat inside source static 192.168.1.100 192.168.0.100
This works great, but then the customer asked for some redundancy. He wanted a second router inline that could take over in case of failure on the original. “Piece of cake,” I thought and went about setting up the HSRP stuff on both the original and new second routers.
interface FastEthernet0/0
standby ip 192.168.0.1
standby preempt
standby name MYHSRP
But what about that NAT thing? If the primary router goes down, the NAT goes down with it. If I configure the secondary router for the NAT, we get an IP conflict. I looked around for a while and found a feature introduced in IOS version 12.2(4) that allows a NAT to follow an HSRP or VRRP active member. If a router is the active member of an HSRP or VRRP cluster, the NAT is with that box; if it fails over, the standby IP and the NAT move. Isn’t that cool? The only caveat is that it keys off the name/description of the HSRP/VRRP cluster instead of the ID, so you have to have that configured as we do above.
ip nat inside source static 192.168.1.100 192.168.0.100 redundancy MYHSRP
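Because the feature keys off the HSRP/VRRP group name rather than the group number, the two things that go wrong in practice are a mapping with no `redundancy` keyword at all (both routers install it and you get the IP conflict described above) and a `redundancy` name that matches no configured `standby name` or VRRP `description`. The following lint, added here as an example and not part of the original post, parses IOS-style config text and reports both cases; the sample configs are constructed from the post's lab, with one deliberate typo in the group name.

```python
"""Added example, not part of the original post: a lint for the pairing of
'ip nat inside source static ... redundancy NAME' with an HSRP
'standby name NAME' (or a VRRP 'vrrp N description NAME').  Run it against
each router's config; the standby router needs the same mapping line with
the same redundancy name.  Sample configs below are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: str      # the offending config line
    problem: str   # why it will not fail over cleanly


def redundancy_groups(config):
    """Map HSRP/VRRP group names to the interface they are configured on."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None            # '!' terminates an interface block
            continue
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        # HSRP: 'standby [group] name NAME'
        m = re.match(r"standby(?:\s+\d+)?\s+name\s+(\S+)$", line)
        if m:
            groups[m.group(1)] = current
        # VRRP: 'vrrp GROUP description TEXT' (the description is the name)
        m = re.match(r"vrrp\s+\d+\s+description\s+(.+?)\s*$", line)
        if m:
            groups[m.group(1)] = current
    return groups


def lint_nat_redundancy(config):
    """Return a Finding for every static NAT that will not follow failover."""
    groups = redundancy_groups(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("ip nat inside source static"):
            continue
        m = re.search(r"\bredundancy\s+(\S+)", line)
        if m is None:
            findings.append(Finding(line, "no 'redundancy' keyword: the mapping is "
                                    "installed unconditionally, so a second router "
                                    "with the same line causes an IP conflict"))
        elif m.group(1) not in groups:
            findings.append(Finding(line, f"redundancy group '{m.group(1)}' matches no "
                                    f"configured HSRP/VRRP name (have: {sorted(groups)})"))
    return findings


# Constructed sample: the post's working config (name matches).
GOOD = """
interface FastEthernet0/0
 ip address 192.168.0.10 255.255.255.0
 ip nat inside
 standby ip 192.168.0.1
 standby preempt
 standby name MYHSRP
!
interface FastEthernet0/1
 ip address 192.168.1.10 255.255.255.0
 ip nat outside
!
ip nat inside source static 192.168.1.100 192.168.0.100 redundancy MYHSRP
"""

# Constructed sample: the post's first attempt (no redundancy keyword) plus a
# second mapping whose group name is misspelled (MYHRSP instead of MYHSRP).
BAD = """
interface FastEthernet0/0
 ip address 192.168.0.11 255.255.255.0
 ip nat inside
 standby ip 192.168.0.1
 standby name MYHSRP
!
ip nat inside source static 192.168.1.100 192.168.0.100
ip nat inside source static 192.168.1.101 192.168.0.101 redundancy MYHRSP
"""

if __name__ == "__main__":
    for f in lint_nat_redundancy(BAD):
        print(f"{f.line}\n    -> {f.problem}")
```

Run it against the running-config of both members; a clean result on one router and findings on the other is exactly the asymmetric situation that produces the duplicate-address conflict.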
Let’s test to be sure it works. On the active member (a router called NAT0), we can look at the ARP table and see that this router is speaking for the NAT address of 192.168.0.100 as well as the HSRP IP of 192.168.0.1. The secondary member (NAT1) only has ARP entries for its interface IPs. Looks good so far.
NAT0#show standby brief
Interface   Grp Prio P State   Active          Standby         Virtual IP
Fa0/0       0   100  P Active  local           192.168.0.11    192.168.0.1
NAT0#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.100           -   c800.12bc.0000  ARPA   FastEthernet0/0
Internet  192.168.0.10            -   c800.12bc.0000  ARPA   FastEthernet0/0
Internet  192.168.1.10            -   c800.12bc.0001  ARPA   FastEthernet0/1
Internet  192.168.0.1             -   0000.0c07.ac00  ARPA   FastEthernet0/0
...
NAT1#show standby brief
Interface   Grp Prio P State   Active          Standby         Virtual IP
Fa0/0       0   100  P Standby 192.168.0.10    local           192.168.0.1
NAT1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.11            -   c801.12bc.0001  ARPA   FastEthernet0/1
Internet  192.168.0.11            -   c801.12bc.0000  ARPA   FastEthernet0/0
When I shut down F0/0 on NAT0, the HSRP and NAT both roll over to NAT1.
NAT0(config)#int f0/0
NAT0(config-if)#shut
*Mar 1 00:30:25.248: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Active -> Init
*Mar 1 00:30:27.263: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar 1 00:30:28.265: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
NAT0#
NAT0#sh stand b
Interface   Grp Prio P State   Active          Standby         Virtual IP
Fa0/0       0   100  P Init    unknown         unknown         192.168.0.1
NAT0#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.10            -   c800.12bc.0001  ARPA   FastEthernet0/1
...
NAT1#sh stand b
Interface   Grp Prio P State   Active          Standby         Virtual IP
Fa0/0       0   100  P Active  local           unknown         192.168.0.1
NAT1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.100           -   c801.12bc.0000  ARPA   FastEthernet0/0
Internet  192.168.1.11            -   c801.12bc.0001  ARPA   FastEthernet0/1
Internet  192.168.0.11            -   c801.12bc.0000  ARPA   FastEthernet0/0
Internet  192.168.0.1             -   0000.0c07.ac00  ARPA   FastEthernet0/0
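The test above is done by eye: the ARP entries with an Age of "-" are the addresses a router answers for itself, and the NAT global address should appear there only on the Active member. The script below, added here as an example and not part of the original post, automates that check from the two show outputs. The inputs are the post's own `show standby brief` and `show arp` output re-typed as constants, plus a constructed CONFLICT case showing what the non-redundant static NAT on both routers looks like.

```python
"""Added example, not part of the original post: verifies that the HSRP
virtual IP and the NAT global address are owned (ARP Age '-') by exactly
the router whose 'show standby brief' state is Active, and by no other
member.  Show output is the post's, re-typed; CONFLICT is constructed."""

NAT_GLOBAL = "192.168.0.100"   # inside global address from the post's mapping


def parse_standby_brief(text):
    """Return {interface: {'group': int, 'state': str, 'vip': str}}."""
    rows = {}
    for line in text.splitlines():
        tok = line.split()
        # data rows: Interface Grp Prio [P] State Active Standby VirtualIP
        if len(tok) < 7 or not tok[1].isdigit():
            continue
        i = 3
        if tok[i] == "P":          # preempt column is blank when not configured
            i += 1
        rows[tok[0]] = {"group": int(tok[1]), "state": tok[i], "vip": tok[-1]}
    return rows


def owned_addresses(arp_text):
    """Addresses this router answers ARP for: entries whose Age is '-'."""
    return {tok[1] for tok in (l.split() for l in arp_text.splitlines())
            if len(tok) >= 6 and tok[0] == "Internet" and tok[2] == "-"}


def check_nat_follows_hsrp(members, nat_global=NAT_GLOBAL):
    """members: {router: (standby_brief_text, show_arp_text)}.
    Returns (ok, list_of_problem_strings)."""
    problems, active = [], []
    for name, (sb, arp) in members.items():
        owned = owned_addresses(arp)
        for iface, r in parse_standby_brief(sb).items():
            watched = ((r["vip"], "HSRP virtual IP"), (nat_global, "NAT global address"))
            if r["state"] == "Active":
                active.append(name)
                problems += [f"{name}: Active on {iface} but does not own {what} {a}"
                             for a, what in watched if a not in owned]
            else:
                problems += [f"{name}: {r['state']} on {iface} but still owns {what} {a}"
                             for a, what in watched if a in owned]
    if len(active) != 1:
        problems.append(f"expected exactly one Active member, found {active}")
    return (not problems, problems)


# --- NAT0 Active, NAT1 Standby (the post's first set of outputs) ---
NAT0_SB = """Interface   Grp Prio P State   Active          Standby         Virtual IP
Fa0/0       0   100  P Active  local           192.168.0.11    192.168.0.1"""
NAT0_ARP = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.100           -   c800.12bc.0000  ARPA   FastEthernet0/0
Internet  192.168.0.10            -   c800.12bc.0000  ARPA   FastEthernet0/0
Internet  192.168.1.10            -   c800.12bc.0001  ARPA   FastEthernet0/1
Internet  192.168.0.1             -   0000.0c07.ac00  ARPA   FastEthernet0/0"""
NAT1_SB = """Interface   Grp Prio P State   Active          Standby         Virtual IP
Fa0/0       0   100  P Standby 192.168.0.10    local           192.168.0.1"""
NAT1_ARP = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.11            -   c801.12bc.0001  ARPA   FastEthernet0/1
Internet  192.168.0.11            -   c801.12bc.0000  ARPA   FastEthernet0/0"""
BEFORE_FAILOVER = {"NAT0": (NAT0_SB, NAT0_ARP), "NAT1": (NAT1_SB, NAT1_ARP)}

# --- after 'shut' on NAT0 Fa0/0 (the post's second set of outputs) ---
NAT0_SB_DOWN = """Interface   Grp Prio P State   Active          Standby         Virtual IP
Fa0/0       0   100  P Init    unknown         unknown         192.168.0.1"""
NAT0_ARP_DOWN = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.10            -   c800.12bc.0001  ARPA   FastEthernet0/1"""
NAT1_SB_UP = """Interface   Grp Prio P State   Active          Standby         Virtual IP
Fa0/0       0   100  P Active  local           unknown         192.168.0.1"""
NAT1_ARP_UP = NAT1_ARP + """
Internet  192.168.0.100           -   c801.12bc.0000  ARPA   FastEthernet0/0
Internet  192.168.0.1             -   0000.0c07.ac00  ARPA   FastEthernet0/0"""
AFTER_FAILOVER = {"NAT0": (NAT0_SB_DOWN, NAT0_ARP_DOWN), "NAT1": (NAT1_SB_UP, NAT1_ARP_UP)}

# --- constructed: the static NAT configured on both routers without 'redundancy',
# so the Standby member also answers for 192.168.0.100 ---
CONFLICT = {"NAT0": (NAT0_SB, NAT0_ARP),
            "NAT1": (NAT1_SB, NAT1_ARP +
                     "\nInternet  192.168.0.100           -   c801.12bc.0000  ARPA   FastEthernet0/0")}

if __name__ == "__main__":
    for label, members in (("before", BEFORE_FAILOVER), ("after", AFTER_FAILOVER),
                           ("conflict", CONFLICT)):
        ok, problems = check_nat_follows_hsrp(members)
        print(label, "OK" if ok else problems)
```

Feed it the output of the two commands from each member (the constants are just the post's text) and it flags either a member that owns the NAT address while not Active, or an Active member that fails to own it, which is the same pair of conditions the post checks by reading the ARP tables.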
Now we have redundancy and NAT on the same cluster. Sweet. I also did the same lab for VRRP, but I’ll spare you the innards. When you configure VRRP, you can give it a description, which is the same as the name in HSRP. You use that string as the redundancy name to have a NAT move with VRRP. Yes, you can do both an HSRP- and VRRP-based NAT at the same time.
*I labbed this out on a Dynamips/Dynagen instance of two 2651XM routers running 12.4(19) Advanced Enterprise. Like all the configs here, your mileage may vary if you have different versions or feature sets on your routers.
Edit: I wanted to make a note on GLBP and NAT. Since all the nodes in a GLBP cluster actually route traffic and are routed to, you can’t use this type of NAT solution with it. I don’t know what the best practice would be, but I imagine it would involve running HSRP on a few routers as we talked about above.
I am having this exact problem… HSRP on 2 routers, and same NAT on both. Getting IP conflicts. Will attempt to set this up and see. Hopefully this will fix my issues…
Thanks
Let us know if it works out. If not, we’ll try to find another solution for you.
I need to configure HSRP on WAN links. I am hosting servers (web server, Citrix, app servers, etc.). I have IPs from ISPs. I am also using IP SLA for Internet failover on the router. Now I want to set up router failover using HSRP. Both my routers' configs are as below.
track 10 ip sla 1 reachability
delay down 1 up 1
!
track 20 ip sla 2 reachability
delay down 1 up 1
!
!
!
!
interface GigabitEthernet0/0
no ip address
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/0.7
description Voice-Vlan
encapsulation dot1Q 7
ip address 192.168.7.3 255.255.255.0
ip helper-address 192.168.10.15
ip helper-address 192.168.10.16
!
interface GigabitEthernet0/0.8
description IT-Vlan
encapsulation dot1Q 8
ip address 192.168.8.3 255.255.255.0
ip helper-address 192.168.10.15
ip helper-address 192.168.10.16
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.9
description Regency-Vlan
encapsulation dot1Q 9
ip address 192.168.9.3 255.255.255.0
ip helper-address 192.168.10.15
ip helper-address 192.168.10.16
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.10
description Servers-&-Switches-Vlan
encapsulation dot1Q 10
ip address 192.168.10.7 255.255.255.0
ip helper-address 192.168.10.16
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip policy route-map PBR
!
interface FastEthernet0/0/1
ip address 50.x.x.14 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
crypto map vpn
!
interface FastEthernet0/1/0
ip address 162.x.x.34 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map ISP1 interface FastEthernet0/0/1 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1/0 overload
ip nat inside source static tcp 192.168.10.53 80 50.x.x.52 80 route-map ISP1 extendable
ip nat inside source static tcp 192.168.10.53 80 162.x.x.35 80 route-map ISP2 extendable
ip route 0.0.0.0 0.0.0.0 50.x.x.13 track 10
ip route 0.0.0.0 0.0.0.0 162.x.x.62 200
!
ip access-list extended acl_internet
deny ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp1
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp2
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_ncsvpn
permit ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255
ip access-list extended acl_vpn
permit ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
!
ip sla 1
icmp-echo 50.x.x.13
threshold 500
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 162.x.x.62
threshold 500
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now
!
!
!
!
route-map PBR permit 10
match ip address acl_natisp1
set ip next-hop verify-availability 50.x.x.13 1 track 10
!
route-map PBR permit 20
match ip address acl_natisp2
set ip next-hop verify-availability 162.x.x.62 2 track 20
!
route-map ISP2 permit 20
match ip address acl_internet
match interface FastEthernet0/1/0
!
route-map ISP1 permit 10
match ip address acl_internet
match interface FastEthernet0/0/1