IP Addressing: NAT Configuration Guide, Cisco IOS Release 15M&T
NAT Box-to-Box High-Availability Support

The NAT Box-to-Box High-Availability Support feature enables network-wide protection by making an IP network more resilient to potential link and router failures at the Network Address Translation (NAT) border.

NAT box-to-box high-availability functionality is achieved when you configure two NAT translators that reside across different devices as part of a redundancy group (RG) and function as a translation group. One member of the translation group acts as an active translator and the other member in the group acts as a standby translator. The standby translator takes over as the active translator in the event of any failures to the current active translator.

This module provides information about NAT box-to-box high-availability support and describes how to configure this feature.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for NAT Box-to-Box High-Availability Support

  • Network Address Translation (NAT)-related configurations must be manually configured and the configuration must be identical on both devices, and associated to the same redundancy group (RG).
  • RG must be shut down on both peer devices before you configure NAT.
  • If devices are already in active/standby states, you must apply any additional configuration changes first on the standby device and then on the active device. To delete NAT configuration rules, you must apply the changes first on the active device and then on the standby device.

Restrictions for NAT Box-to-Box High-Availability Support

  • Network Address Translation (NAT) configurations with the interface overload option are not supported.
  • Both application redundancy (using redundancy groups [RG]) and box-level redundancy cannot be configured on the same device.
  • Multiprotocol Label Switching (MPLS) with Layer 3 VPN (L3VPN) configuration is not supported.
  • NAT Virtual Interface (NVI) configuration is not supported.
  • Only FTP application layer gateway (ALG) is supported. You must disable all other ALGs using the no ip nat service command.
  • RG infrastructure with more than one RG peer is not supported.

Information About NAT Box-to-Box High-Availability Support

NAT Box-to-Box High-Availability Overview

The NAT Box-to-Box High-Availability Support feature enables network-wide protection by making an IP network resilient to potential link and router failures at the Network Address Translation (NAT) border.

The NAT Box-to-Box High-Availability Support feature leverages services provided by the redundancy group (RG) infrastructure present on the device to implement the high-availability functionality. The RG infrastructure defines multiple RGs to which applications can subscribe and function in an active-standby mode across different devices. NAT box-to-box high-availability functionality is achieved when you configure two NAT translators, residing across different devices, to an RG so that they function as a translation group. One member of the translation group acts as an active translator and the other member of the translation group acts as a standby translator. The active translator is responsible for handling traffic that requires address translation. Additionally, the active translator informs the standby translator about packet flows that are being translated. The standby translator uses this information to create a duplicate translation database that equips the standby translator to take over as the active translator in the event of any failures to the active translator. Therefore, the application traffic flow continues unaffected because the translation tables are backed up in a stateful manner across the active and standby translators.

The NAT Box-to-Box High-Availability Support feature supports active-standby high-availability failover and asymmetric routing. The NAT Box-to-Box High-Availability Support feature supports the following NAT features:

  • Simple Static NAT configuration
  • Extended Static NAT configuration
  • Network Static NAT configuration
  • Dynamic NAT and Port Address Translation (PAT) configuration
  • NAT inside source, outside source, and inside destination rules
  • NAT rules for Virtual Routing and Forwarding (VRF) instances to IP
  • NAT rules for VRF-VRF (within same VRF)

Reasons for Active Device Failover

The following are some of the reasons for the failover of an active device:

  • Power loss or reload on the active device.
  • Control interface for the redundancy group (RG) is shut down or the link to the interface is down.
  • Data interface for the RG is shut down or the link to the interface is down.
  • Tracked object failure.
  • Protocol keepalive failure.
  • The run-time priority of the active device is below the configured threshold. Run-time priority can go down in the following scenarios:
    • Traffic interface, that is assigned a Redundancy Interface Identifier (RII) value, is down.
    • Object tracked by the RG is down.
  • RG on an active device is reloaded using the redundancy application reload group command in privileged EXEC mode.
  • RG on an active device is shut down using the group command in redundancy application configuration mode.

NAT in Active-Standby Mode

In active-standby mode, the redundancy group (RG) that Network Address Translation (NAT) is part of remains in the standby mode on one device and active on a peer device. NAT in an RG that is in active mode translates the traffic according to the configured translation rules.

NAT does not actively perform any translations on the device where its RG is in the standby mode. In an RG, only one peer is in active mode at a given instance and the other peer is in standby mode. Applications that belong to the RG are active only on the device on which the RG is active. On all other devices, applications that belong to the RG are in the standby mode.


Note


In a group of RG peers, only one peer can be active for a specific RG. Currently, the NAT Box-to-Box High-Availability Support feature supports only two peers in an RG and one RG in the RG infrastructure.

NAT Box-to-Box High-Availability Operation

The following figure illustrates the NAT box-to-box high-availability operation in a LAN-LAN topology. The green color represents an active device and the yellow color represents a standby device.

Figure 1. NAT Box-to-Box High Availability Operation

NAT Box-to-Box High-Availability LAN-LAN Topology

In a LAN-LAN topology, all participating devices are connected to each other through LAN interfaces on both the inside and the outside. The figure below shows the NAT box-to-box LAN-LAN topology. Network Address Translation (NAT) is in the active-standby mode and the peers are in one redundancy group (RG). All traffic or a subset of this traffic undergoes NAT translation.


Note


Failover is caused by only those failures that the RG infrastructure listens to.
Figure 2. NAT Box-to-Box High-Availability LAN-LAN Topology

NAT Box-to-Box High-Availability WAN-LAN Topology

In a WAN-LAN topology, two devices are connected through LAN interfaces on the inside and WAN interfaces on the outside. There is no control on the routing of return traffic received through WAN links. In most cases, WAN links are provided by different service providers. To utilize WAN links to the maximum, configure an external device to provide a failover.

In the following figure, inside interfaces are connected to a LAN while outside interfaces are connected to a WAN. The WAN interfaces cannot be made part of a redundancy group (RG) according to the current RG infrastructure. However, WAN interfaces may be configured in such a way that any failure on the WAN interfaces reduces the priority for the RG that is configured on that node, thereby triggering a failover.

Figure 3. NAT Box-to-Box High-Availability WAN-LAN Topology

Exclusive Virtual IP Addresses and Exclusive Virtual MAC Addresses

Virtual IP (VIP) addresses and virtual MAC (VMAC) addresses are used by security applications to control interfaces that receive traffic. An interface is paired with another interface, and these interfaces are associated with the same redundancy group (RG). The interface that is associated with an active RG exclusively owns the VIP and VMAC addresses.

The Address Resolution Protocol (ARP) process on the active device sends ARP replies for any ARP request for the VIP, and the Ethernet controller for the interface is programmed to receive packets destined for the VMAC.

When an RG failover occurs, the ownership of the VIP and VMAC changes. The interface that is associated with the newly active RG sends a gratuitous ARP message and programs the interface’s Ethernet controller to accept packets destined for the VMAC.

NAT Asymmetric Routing

In asymmetric routing, packets of a single connection or session flow through different routes in the forward and reverse directions. Asymmetric routing could occur due to link failures in the network, load balancing, a specific network configuration, and so on. Network Address Translation (NAT) provides session termination services and the associated dynamic session information. For NAT, if the return TCP segments are not forwarded to the same device that receives the initial synchronization (SYN) segment, the packet is dropped because it does not belong to any known session.

NAT Box-to-Box High Availability on Asymmetric-Routing Topology

The following figure shows asymmetrically routed packets being received on a standby device:
Figure 4. NAT Box-to-Box High Availability on Asymmetric-Routing Topology

Each routing device has an asymmetric routing (AR) module, which forwards the traffic received by the standby redundancy group (RG) using the module’s AR interface. In the above illustration, the standby RG is RG1, on Router 1 with the Redundancy Interface Identifier (RII) configured as RII-1. The packet traffic that is received by RG1 is forwarded over the AR interface configured on Router 1 towards Router 2. This traffic is received by the AR module for RII-1 on Router 2 and is forwarded to RG1, which is active on Router 2.

Disabling NAT High Availability on Asymmetric-Routing Topology

When a packet ingresses Router 1 through the Redundancy Interface Identifier (RII), RII-1, Network Address Translation (NAT) identifies that packet as belonging to redundancy group (RG) RG1, which is in the standby state. If the asymmetric routing support is disabled, packets are not redirected to the active device by the standby device. Therefore, packets are dropped by default on the standby peer device.

Key Configuration Elements for NAT Box-to-Box High Availability Support

  • Redundancy group (RG) Asymmetric Routing (AR) interface: A dedicated physical interface that provides connectivity between two peer devices. The redundancy infrastructure uses this interface to redirect AR packets from a standby device to an active device. The AR, control, and data interfaces can be configured on the same physical interface.
  • Redundancy number: A unique identification number for each interface that is part of the RG infrastructure.
  • RG priority: A numeric value that you can configure on the active or standby devices to control the switchover behavior. Each potential fault or error decrements the priority of the active device. The system switches over to the standby device when the priority value reaches the configured limit.
  • RG control interface: A dedicated physical interface that provides connectivity between the two peer devices. The redundancy infrastructure uses this interface to exchange control information between the devices.
  • RG data interface: A dedicated physical interface that provides connectivity between two peer devices. This interface is used by the redundancy infrastructure for data information exchange between devices, such as session information for NAT. Control and data interfaces can be configured on the same physical interface.
  • Virtual IP address and virtual MAC address: The active device owns the virtual IP address and the virtual MAC address. Hosts or servers on the LAN use the virtual IP address to reach the device that is currently in the RG active state.
  • RG decrement number: The priority value of an RG in local peer is decremented by the specified priority decrement number if the interface on which this configuration is applied goes down.
  • RG infrastructure: Defines multiple RGs to which applications can subscribe and function in an active-standby mode across different routing devices. Currently, Network Address Translation (NAT) supports only one RG with an RG ID value of either 1 or 2.
  • NAT mapping ID: A numeric value that is attached to all NAT rules that are associated to an RG. This value must be unique across different NAT rules and must be the same across NAT configurations on active and standby devices.

How to Configure NAT Box-to-Box High-Availability Support

  • Perform configurations listed in this section on both the active and standby devices.
  • The redundancy group (RG) ID must be the same for both devices.
  • A unique redundancy interface identifier (RII) must be configured for each interface on a device that is part of the RG infrastructure.
  • An RG ID and virtual IP address must be configured on each interface on a LAN.
  • An RG ID and mapping ID must be configured for each Network Address Translation (NAT) statement.
  • After configuring all NAT statements, you must enable RG.
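One way to check these rules offline before enabling the RG, together with the prerequisite that NAT configuration is identical on both peers and the restriction on interface overload (an added example, not part of the Cisco guide). It assumes running-config style text as input; the function names, finding labels and both sample configurations are constructed for illustration.

```python
import re
from collections import Counter

# Constructed running-config excerpt; commands, addresses and IDs reuse the page's examples.
ACTIVE = """\
redundancy
 application redundancy
  group 1
   name group1
   data GigabitEthernet0/0/1
   control GigabitEthernet1/0/0 protocol 1
interface GigabitEthernet2/0/2
 ip address 192.168.1.27 255.255.255.0
 ip nat inside
 redundancy rii 100
 redundancy group 1 ip 192.168.1.20 exclusive decrement 100
interface GigabitEthernet0/0/0
 ip address 192.168.5.54 255.255.255.0
 ip nat outside
 redundancy rii 101
 redundancy group 1 ip 192.168.5.10 exclusive decrement 100
ip nat inside source static 10.2.2.1 10.3.4.6 redundancy 1 mapping-id 120
"""
# Constructed peer: same RG and NAT rules, only the physical interface addresses differ.
STANDBY_OK = ACTIVE.replace("192.168.1.27", "192.168.1.28").replace("192.168.5.54", "192.168.5.55")
# Constructed peer that has drifted: reused RII, changed mapping ID, extra overload rule.
STANDBY_DRIFTED = (
    STANDBY_OK.replace("rii 101", "rii 100").replace("mapping-id 120", "mapping-id 121")
    + "ip nat inside source list 1 interface GigabitEthernet0/0/0 overload\n"
)

RULE_RE = re.compile(r"^ip nat (?:inside|outside) (?:source|destination) ")
RED_RE = re.compile(r" redundancy (\d+) mapping-id (\d+)")


def parse(cfg):
    """Extract RG IDs, per-interface RII values and NAT rules from one device's config."""
    dev = {"groups": set(), "rii": {}, "rules": []}
    iface = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():               # top-level command: opens or closes a block
            m = re.match(r"interface\s+(.+)$", line)
            iface = m.group(1) if m else None
            if RULE_RE.match(line):
                dev["rules"].append(line)
        elif iface:                             # inside an interface block
            m = re.match(r"redundancy rii (\d+)", line)
            if m:
                dev["rii"][iface] = int(m.group(1))
        else:                                   # inside the redundancy block
            m = re.match(r"group (\d+)$", line)
            if m:
                dev["groups"].add(int(m.group(1)))
    return dev


def audit(active_cfg, standby_cfg):
    """Return a list of (device, finding, detail) tuples; an empty list means no drift."""
    findings = []
    devs = {"active": parse(active_cfg), "standby": parse(standby_cfg)}
    for name, d in devs.items():
        if len(d["groups"]) != 1:               # only one RG is supported
            findings.append((name, "rg-count", sorted(d["groups"])))
        for rii, n in Counter(d["rii"].values()).items():
            if n > 1:                           # RII must be unique per interface
                findings.append((name, "duplicate-rii", rii))
        map_ids = []
        for rule in d["rules"]:
            m = RED_RE.search(rule)
            if not m:                           # every NAT statement needs RG ID + mapping ID
                findings.append((name, "rule-without-redundancy", rule))
            else:
                map_ids.append(int(m.group(2)))
                if int(m.group(1)) not in d["groups"]:
                    findings.append((name, "rule-rg-mismatch", rule))
            if re.search(r" interface \S+.* overload\b", rule):
                findings.append((name, "interface-overload", rule))
        for map_id, n in Counter(map_ids).items():
            if n > 1:                           # mapping ID must be unique across rules
                findings.append((name, "duplicate-mapping-id", map_id))
    a, s = devs["active"], devs["standby"]
    if a["groups"] != s["groups"]:              # RG ID must match on both peers
        findings.append(("pair", "rg-id-differs", (sorted(a["groups"]), sorted(s["groups"]))))
    for rule in sorted(set(a["rules"]) ^ set(s["rules"])):
        findings.append(("pair", "rule-not-on-both", rule))
    return findings


if __name__ == "__main__":
    for finding in audit(ACTIVE, STANDBY_DRIFTED):
        print(finding)
```

Interface IP addresses are deliberately not compared, because the physical addresses differ between peers; only the RG ID, RII values and NAT statements are checked.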

Configuring a Redundancy Application Group

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    redundancy

    4.    application redundancy

    5.    group id

    6.    name group-name

    7.    shutdown

    8.    priority value [failover threshold value]

    9.    preempt

    10.    track object-number {decrement value | shutdown}

    11.    end


DETAILED STEPS
     Command or Action | Purpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 redundancy


    Example:
    Device(config)# redundancy
     

    Enters redundancy configuration mode.

     
    Step 4 application redundancy


    Example:
    Device(config-red)# application redundancy
     

    Enters redundancy application configuration mode.

     
    Step 5 group id


    Example:
    Device(config-red-app)# group 1
     

    Enters redundancy application group configuration mode.

     
    Step 6 name group-name


    Example:
    Device(config-red-app-grp)# name group1
     

    (Optional) Specifies an optional alias for the protocol instance.

     
    Step 7 shutdown


    Example:
    Device(config-red-app-grp)# shutdown
     

    (Optional) Shuts down a redundancy group manually.

     
    Step 8 priority value [failover threshold value]


    Example:
    Device(config-red-app-grp)# priority 100 failover threshold 50 
     

    (Optional) Specifies the initial priority and failover threshold for a redundancy group.

     
    Step 9 preempt


    Example:
    Device(config-red-app-grp)# preempt
     

    Enables preemption on the group and enables the standby device to preempt the active device regardless of the priority.

     
    Step 10 track object-number {decrement value | shutdown}


    Example:
    Device(config-red-app-grp)# track 200 decrement 200
     

    Specifies the priority value of a redundancy group that will be decremented if an event occurs.

     
    Step 11 end


    Example:
    Device(config-red-app-grp)# end
     

    Exits redundancy application group configuration mode and enters privileged EXEC mode.

     

    Configuring Data, Control, and Asymmetric Routing Interfaces

    In this task, you configure the following redundancy group (RG) elements:
    • The interface that is used as the control interface.
    • The interface that is used as the data interface.
    • The interface that is used for asymmetric routing. This is an optional task. Perform this task only if you are configuring asymmetric routing for Network Address Translation (NAT).

    Note


    Asymmetric routing, data, and control must be configured on separate interfaces for zone-based firewall. However, for Network Address Translation (NAT), asymmetric routing, data, and control can be configured on the same interface.


    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    redundancy

      4.    application redundancy

      5.    group id

      6.    data interface-type interface-number

      7.    control interface-type interface-number protocol id

      8.    timers delay seconds [reload seconds]

      9.    asymmetric-routing interface type number

      10.    asymmetric-routing always-divert enable

      11.    end


    DETAILED STEPS
       Command or Action | Purpose
      Step 1 enable


      Example:
      Device> enable 
       
      Enables privileged EXEC mode.
      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal 
       

      Enters global configuration mode.

       
      Step 3 redundancy


      Example:
      Device(config)# redundancy 
       

      Enters redundancy configuration mode.

       
      Step 4 application redundancy


      Example:
      Device(config-red)# application redundancy 
       

      Configures application redundancy and enters redundancy application configuration mode.

       
      Step 5 group id


      Example:
      Device(config-red-app)# group 1 
       

      Configures a redundancy group (RG) and enters redundancy application group configuration mode.

       
      Step 6 data interface-type interface-number


      Example:
      Device(config-red-app-grp)# data GigabitEthernet 0/0/1 
       

      Specifies the data interface that is used by the RG.

       
      Step 7 control interface-type interface-number protocol id


      Example:
      Device(config-red-app-grp)# control GigabitEthernet 1/0/0 protocol 1 
       
      Specifies the control interface that is used by the RG.
      • The control interface is also associated with an instance of the control interface protocol.
       
      Step 8 timers delay seconds [reload seconds]


      Example:
      Device(config-red-app-grp)# timers delay 100 reload 400 
       

      Specifies the time required for an RG to delay role negotiations that start after a fault occurs or the system is reloaded.

       
      Step 9 asymmetric-routing interface type number


      Example:
      Device(config-red-app-grp)# asymmetric-routing interface GigabitEthernet 0/1/1 
       

      Specifies the asymmetric routing interface that is used by the RG.

       
      Step 10 asymmetric-routing always-divert enable


      Example:
      Device(config-red-app-grp)# asymmetric-routing always-divert enable 
       

      Always diverts packets received from the standby RG to the active RG.

       
      Step 11 end


      Example:
      Device(config-red-app-grp)# end 
       

      Exits redundancy application group configuration mode and enters privileged EXEC mode.

       

      Enabling Data, Control and Asymmetric Routing Interfaces

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    interface type number

        4.    ip address ip-address mask

        5.    no shutdown

        6.    exit

        7.    interface type number

        8.    ip address ip-address mask

        9.    no shutdown

        10.    exit

        11.    interface type number

        12.    ip address ip-address mask

        13.    no shutdown

        14.    exit


      DETAILED STEPS
         Command or Action | Purpose
        Step 1 enable


        Example:
        Device> enable 
         
        Enables privileged EXEC mode.
        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Device# configure terminal 
         

        Enters global configuration mode.

         
        Step 3 interface type number


        Example:
        Device(config)# interface GigabitEthernet 0/0/1 
         

        Enters interface configuration mode for the data interface.

         
        Step 4 ip address ip-address mask


        Example:
        Device(config-if)# ip address 10.2.3.2 255.255.255.0
         

        Assigns an IP address for the data interface.

         
        Step 5 no shutdown


        Example:
        Device(config-if)# no shutdown
         

        Enables the interface.

         
        Step 6 exit


        Example:
        Device(config-if)# exit 
         

        Exits interface configuration mode and enters global configuration mode.

         
        Step 7 interface type number


        Example:
        Device(config)# interface gigabitethernet 1/0/0 
         

        Enters interface configuration mode for the control interface.

         
        Step 8 ip address ip-address mask


        Example:
        Device(config-if)# ip address 10.10.2.5 255.255.255.0
         

        Assigns an IP address to the control interface.

         
        Step 9 no shutdown


        Example:
        Device(config-if)# no shutdown
         

        Enables the interface.

         
        Step 10 exit


        Example:
        Device(config-if)# exit 
         

        Exits interface configuration mode and enters global configuration mode.

         
        Step 11 interface type number


        Example:
        Device(config)# interface gigabitethernet 0/1/1
         
         

        (Optional) Enters interface configuration mode for the asymmetric routing (AR) interface.

         
        Step 12 ip address ip-address mask


        Example:
        Device(config-if)# ip address 10.5.1.5 255.255.255.0
         

        (Optional) Assigns an IP address to the AR interface.

         
        Step 13 no shutdown


        Example:
        Device(config-if)# no shutdown
         

        (Optional) Enables the interface.

         
        Step 14 exit


        Example:
        Device(config-if)# exit 
         

        (Optional) Exits interface configuration mode and enters global configuration mode.

         

        Configuring NAT Box-to-Box Interface Redundancy

        Perform this task on the active and standby devices in the redundancy group to configure the Network Address Translation (NAT) box-to-box high-availability support.

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    interface type number

          4.    ip address ip-address mask

          5.    ip nat inside

          6.    redundancy rii id

          7.    redundancy group id ip virtual-ip [exclusive] [decrement value]

          8.    exit

          9.    interface type number

          10.    ip address ip-address mask

          11.    ip nat outside

          12.    redundancy rii id [decrement number]

          13.    redundancy group id ip virtual-ip [exclusive] [decrement value]

          14.    exit

          15.    ip nat inside source static local-ip global-ip [redundancy rg-id mapping-id map-id]

          16.    end


        DETAILED STEPS
           Command or Action | Purpose
          Step 1 enable


          Example:
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.
           
          Step 2 configure terminal


          Example:
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 3 interface type number


          Example:
          Device(config)# interface gigabitethernet 2/0/2 
           

          Configures an interface and enters interface configuration mode.

           
          Step 4 ip address ip-address mask


          Example:
          Device(config-if)# ip address 192.168.1.27 255.255.255.0
           

          Assigns a virtual IP (VIP) address on the interface.

           
          Step 5 ip nat inside


          Example:
          Device(config-if)# ip nat inside
           

          Designates that traffic originating from the interface is subject to Network Address Translation (NAT).

           
          Step 6 redundancy rii id


          Example:
          Device(config-if)# redundancy rii 100
           

          Configures a Redundancy Interface Identifier (RII) for redundancy group-protected traffic interfaces.

           
          Step 7 redundancy group id ip virtual-ip [exclusive] [decrement value]


          Example:
          Device(config-if)# redundancy group 1 ip 192.168.1.20 exclusive decrement 100
           

          Enables the redundancy group (RG) traffic interface configuration.

           
          Step 8 exit


          Example:
          Device(config-if)# exit 
           

          Exits interface configuration mode and enters global configuration mode.

           
          Step 9 interface type number


          Example:
          Device(config)# interface gigabitethernet 0/0/0 
           

          Configures an interface and enters interface configuration mode.

           
          Step 10 ip address ip-address mask


          Example:
          Device(config-if)# ip address 192.168.5.54 255.255.255.0
           

          Assigns a virtual IP (VIP) address on the interface.

           
          Step 11 ip nat outside


          Example:
          Device(config-if)# ip nat outside
           

          Designates that traffic destined for the interface is subject to NAT.

           
          Step 12 redundancy rii id [decrement number]


          Example:
          Device(config-if)# redundancy rii 101
           

          Configures an RII for redundancy group-protected traffic interfaces.

           
          Step 13 redundancy group id ip virtual-ip [exclusive] [decrement value]


          Example:
          Device(config-if)# redundancy group 1 ip 192.168.5.10 exclusive decrement 100
           

          Enables the redundancy group (RG) traffic interface configuration and specifies the value by which the priority is decremented when the state of the interface goes down.

           
          Step 14 exit


          Example:
          Device(config-if)# exit 
           

          Exits interface configuration mode and enters global configuration mode.

           
          Step 15 ip nat inside source static local-ip global-ip [redundancy rg-id mapping-id map-id]


          Example:
          Device(config)# ip nat inside source static 10.2.2.1 10.3.4.6 redundancy 1 mapping-id 120
           

          Enables NAT redundancy of the inside source and associates the mapping ID to NAT high-availability redundancy.

           
          Step 16 end


          Example:
          Device(config-if)# end 
           

          Exits interface configuration mode and enters privileged EXEC mode.

           

          Configuring Asymmetric Routing for NAT Box-to-Box High-Availability Support

          Perform this task on the active and standby devices in the redundancy group to configure asymmetric routing support on Network Address Translation (NAT) Box-to-Box high availability.

          SUMMARY STEPS

            1.    enable

            2.    configure terminal

            3.    interface type number

            4.    ip address ip-address mask

            5.    ip nat outside

            6.    redundancy rii id [decrement number]

            7.    redundancy asymmetric-routing enable

            8.    exit

            9.    ip nat inside source static local-ip global-ip [redundancy RG-id mapping-id map-id]

            10.    end


          DETAILED STEPS
             Command or Action | Purpose
            Step 1 enable


            Example:
            Device> enable
             

            Enables privileged EXEC mode.

            • Enter your password if prompted.
             
            Step 2 configure terminal


            Example:
            Device# configure terminal
             

            Enters global configuration mode.

             
            Step 3 interface type number


            Example:
            Device(config)# interface serial 0/0/1
             

            Configures an interface and enters interface configuration mode.

             
            Step 4 ip address ip-address mask


            Example:
            Device(config-if)# ip address 192.168.1.27 255.255.255.0
             

            Assigns a virtual IP (VIP) address on the interface.

             
            Step 5 ip nat outside


            Example:
            Device(config-if)# ip nat outside
             

            Designates that traffic destined for the interface is subject to Network Address Translation (NAT).

             
            Step 6 redundancy rii id [decrement number]


            Example:
            Device(config-if)# redundancy rii 101
             

            Configures a Redundancy Interface Identifier (RII) for redundancy group-protected traffic interfaces.

             
            Step 7 redundancy asymmetric-routing enable


            Example:
            Device(config-if)# redundancy asymmetric-routing enable
             

            Establishes an asymmetric flow diversion tunnel for each redundancy group (RG).

             
            Step 8 exit


            Example:
            Device(config-if)# exit 
             

            Exits interface configuration mode and enters global configuration mode.

             
            Step 9 ip nat inside source static local-ip global-ip [redundancy RG-id mapping-id map-id]


            Example:
            Device(config)# ip nat inside source static 10.2.2.1 10.3.4.6 redundancy 1 mapping-id 120
             

            Enables NAT redundancy of the inside source and associates the mapping ID to NAT high-availability redundancy.

             

            Step 10 end


            Example:
            Device(config-if)# end 
             

            Exits interface configuration mode and enters privileged EXEC mode.

             

            Configuration Examples for NAT Box-to-Box High-Availability Support

            Example: Configuring a Redundancy Application Group

            The following example shows how to configure a redundancy group named group1 with priority and preempt attributes:

            Device# configure terminal
            Device(config)# redundancy
            Device(config-red)# application redundancy
            Device(config-red-app)# group 1
            Device(config-red-app-grp)# name group1
            Device(config-red-app-grp)# priority 100 failover-threshold 50
            Device(config-red-app-grp)# preempt
            Device(config-red-app-grp)# track 200 decrement 200
            Device(config-red-app-grp)# end

            Example: Configuring Data, Control, and Asymmetric Routing Interfaces

            Device# configure terminal
            Device(config)# redundancy 
            Device(config-red)# application redundancy
            Device(config-red-app)# group 1
            Device(config-red-app-grp)# data GigabitEthernet 0/0/1
            Device(config-red-app-grp)# control GigabitEthernet 1/0/0 protocol 1
            Device(config-red-app-grp)# timers delay 100 reload 400 
            Device(config-red-app-grp)# asymmetric-routing interface GigabitEthernet 0/1/1 
            Device(config-red-app-grp)# asymmetric-routing always-divert enable
            Device(config-red-app-grp)# end 

            Example: Enabling Data, Control and Asymmetric Routing Interfaces

            Device# configure terminal
            Device(config)# interface GigabitEthernet 0/0/1
            Device(config-if)# ip address 10.2.3.2 255.255.255.0
            Device(config-if)# no shutdown
            Device(config-if)# exit
            Device(config)# interface GigabitEthernet 1/0/0 
            Device(config-if)# ip address 10.10.2.5 255.255.255.0
            Device(config-if)# no shutdown
            Device(config-if)# exit
            Device(config)# interface GigabitEthernet 0/1/1 
            Device(config-if)# ip address 10.5.1.5 255.255.255.0
            Device(config-if)# no shutdown
            Device(config-if)# end 

            Example: Configuring NAT Box-to-Box High-Availability Support

            Device> enable
            Device# configure terminal
            Device(config)# interface gigabitethernet 2/0/2 
            Device(config-if)# ip address 192.168.1.27 255.255.255.0
            Device(config-if)# ip nat inside
            Device(config-if)# redundancy rii 100
            Device(config-if)# redundancy group 1 ip 192.168.1.20 exclusive decrement 100
            Device(config-if)# exit  
            Device(config)# interface gigabitethernet 0/0/0 
            Device(config-if)# ip address 192.168.5.54 255.255.255.0
            Device(config-if)# ip nat outside
            Device(config-if)# redundancy rii 101
            Device(config-if)# redundancy group 1 ip 192.168.5.10 exclusive decrement 100
            Device(config-if)# exit 
            Device(config)# ip nat inside source static 10.2.2.1 10.3.4.6 redundancy 1 mapping-id 120
            Device(config)# end 

            Example: Configuring Asymmetric Routing for NAT Box-to-Box High-Availability Support

            Device> enable
            Device# configure terminal
            Device(config)# interface serial 0/0/1 
            Device(config-if)# ip address 192.168.1.27 255.255.255.0
            Device(config-if)# ip nat outside
            Device(config-if)# redundancy rii 101
            Device(config-if)# exit 
            Device(config)# ip nat inside source static 10.2.2.1 10.3.4.6 redundancy 1 mapping-id 120
            Device(config)# end 
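
The prerequisites require the NAT configuration to be identical on both devices and associated with the same redundancy group. The following added example (not part of the Cisco documentation) compares the static NAT statements of two peers and reports rules that are missing on one peer, lack a redundancy/mapping-id binding, or carry different RG or mapping IDs. It parses only the `ip nat inside|outside source static local-ip global-ip [redundancy RG-id mapping-id map-id]` form shown in this module; the function names and the sample configurations are constructed for illustration.

```python
import re

# Matches the static NAT form used on this page:
#   ip nat inside source static <local> <global> [redundancy <rg> mapping-id <id>]
NAT_RE = re.compile(
    r"^ip nat (inside|outside) source static (\S+) (\S+)"
    r"(?: redundancy (\d+) mapping-id (\d+))?\s*$"
)

def nat_rules(running_config):
    """Return {(direction, local, global): (rg_id, mapping_id) or None}."""
    rules = {}
    for line in running_config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            direction, local, glob, rg, map_id = m.groups()
            rules[(direction, local, glob)] = (int(rg), int(map_id)) if rg else None
    return rules

def compare_peers(cfg_a, cfg_b):
    """List findings that violate the identical-NAT-config prerequisite."""
    a, b = nat_rules(cfg_a), nat_rules(cfg_b)
    findings = []
    for key in sorted(a.keys() | b.keys()):
        desc = "ip nat %s source static %s %s" % key
        if key not in a or key not in b:
            findings.append("%s: missing on peer %s" % (desc, "A" if key not in a else "B"))
        elif a[key] is None or b[key] is None:
            findings.append("%s: no redundancy/mapping-id binding" % desc)
        elif a[key] != b[key]:
            findings.append("%s: RG/mapping-id differ %s vs %s" % (desc, a[key], b[key]))
    return findings

# Constructed sample configurations (not captured from real devices).
PEER_A = """\
ip nat inside source static 10.2.2.1 10.3.4.6 redundancy 1 mapping-id 120
ip nat inside source static 10.2.2.2 10.3.4.7 redundancy 1 mapping-id 121
ip nat inside source static 10.2.2.3 10.3.4.8
"""
PEER_B = """\
ip nat inside source static 10.2.2.1 10.3.4.6 redundancy 1 mapping-id 120
ip nat inside source static 10.2.2.2 10.3.4.7 redundancy 1 mapping-id 122
"""

if __name__ == "__main__":
    for finding in compare_peers(PEER_A, PEER_B) or ["NAT config matches on both peers"]:
        print(finding)
```

Feed it the NAT lines from `show running-config` on each peer before enabling the redundancy group, and again after any change to a NAT rule.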

            Additional References for NAT Box-to-Box High-Availability Support

            Related Documents

            Technical Assistance

            Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

            Link: http://www.cisco.com/cisco/web/support/index.html

            Feature Information for NAT Box-to-Box High-Availability Support

            The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

            Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

            Table 1. Feature Information for NAT Box-to-Box High Availability Support

            Feature Name: NAT Box-to-Box High Availability Support

            Releases: 15.3(2)T

            Feature Configuration Information:

            The NAT Box-to-Box High-Availability Support feature makes an IP network more resilient to potential link and routing device failures at the Network Address Translation (NAT) border.

            NAT box-to-box high-availability functionality is achieved when you configure two NAT translators that reside across different devices as part of a redundancy group (RG) and function as a translation group. One member of the translation group acts as an active translator and the other member in the group acts as a standby translator. The standby translator takes over as the active translator in the event of any failures to the current active translator.

            The following commands were introduced or modified: ip nat inside source, ip nat outside source, show ip nat redundancy, show ip nat translations redundancy, show redundancy application group.