Stateful Failover of Network Address Translation (SNAT) Phase 1
There is an increasing need to provide highly resilient IP networks in which application connectivity continues unaffected by failures of links and routers at the NAT border. The Stateful Fail-over of Network Address Translation (SNAT) Phase 1 feature introduces support for two or more network address translators to function as a translation group. A backup router running NAT provides translation services in the event of failure of the active translator. Protocols that do not need payload translation, such as HTTP and Telnet, are supported by SNAT.
Feature Specifications for the NAT Stateful Failover of Network Address Translation Feature
Feature History
Release       Modification
12.2(13)T     This feature was introduced.
Supported Platforms
For platforms supported in Cisco IOS Release 12.2(13)T, consult Cisco Feature Navigator.
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To obtain updated information about platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. In the release section, you can compare releases side by side to display both the features unique to each software release and the features that releases have in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Contents
• Restrictions for Stateful Fail-over of Network Address Translation (SNAT) Phase 1
• Information About Stateful Fail-over of Network Address Translation (SNAT) Phase 1
• Configuration Examples for SNAT
Restrictions for Stateful Fail-over of Network Address Translation (SNAT) Phase 1
The following applications and protocols are not supported in Phase 1:
• Application Level Gateway (ALG)
• FTP
• NetMeeting Directory (ILS)
• RAS
• SIP
• Skinny
• TFTP
• Asymmetrical routing
Information About Stateful Fail-over of Network Address Translation (SNAT) Phase 1
Before you configure SNAT, you should understand the following concepts:
SNAT Feature Design
Stateful NAT applies a more global context to the task of forwarding a particular datagram: the application state is tracked along with the forwarding decision. Devices can then act on potential failures in a way that has less impact on the flow and on the application transmitting data. Multiple NAT routers that share stateful context can work cooperatively and thus increase service availability.
Two or more Network Address Translators function as a translation group. One member of the group handles traffic requiring translation of IP address information. It also informs the backup translator of active flows as they occur. The backup translator can then use information from the active translator to prepare duplicate translation table entries, and in the event that the active translator is hindered by a critical failure, the traffic can rapidly be switched to the backup. The traffic flow continues since the same network address translations are used, and the state of those translations has been previously defined.
Only statically defined sessions already receive the benefit of redundancy without this feature. In the absence of SNAT, sessions that use dynamic NAT mappings would be severed by a critical failure and would have to be reestablished. Stateful NAT enables continuous service for dynamically mapped NAT sessions.
Interaction with HSRP
SNAT can be configured to operate with the Hot Standby Routing Protocol (HSRP) to provide redundancy. Active and Standby state changes are managed by HSRP.
How to Configure SNAT
This section contains the following procedures:
• Configuring SNAT with HSRP (optional)
• Configuring SNAT Primary/Backup (optional)
• Verifying SNAT Configuration (optional)
Configuring SNAT with HSRP
To configure your HSRP router with SNAT, use the following commands:
SUMMARY STEPS
1. enable
2. configure {terminal | memory | network}
3. interface interface-number port-number
4. standby [group-name ip ip-address [secondary]]
5. exit
6. ip nat stateful id ip-address redundancy group-name mapping-id map-number
7. ip nat pool name start-ip end-ip prefix-length prefix-length
8. ip nat inside source {route-map name pool pool-name mapping-id map-number} [overload]
DETAILED STEPS
Configuring SNAT Primary/Backup
To manually configure your primary and backup SNAT router, use the following commands:
SUMMARY STEPS
1. enable
2. configure {terminal | memory | network}
3. ip nat stateful id {primary | backup} ip-address peer ip-address mapping-id map-number
4. ip nat pool name start-ip end-ip {prefix-length prefix-length}
5. ip nat inside source {route-map name pool pool-name mapping-id map-number} [overload]
DETAILED STEPS
Verifying SNAT Configuration
To verify your configuration, perform the following optional step:
SUMMARY STEPS
1. enable
2. show ip snat distributed verbose
DETAILED STEPS
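The HSRP and primary/backup procedures above each produce one ip nat stateful id entry per router, but nothing in the procedure confirms that the two routers of a pair actually point at each other before a failover is relied on. The following Python script is an added example, not Cisco's code and not part of this document. It parses the ip nat stateful id lines (the one-line form used in the summary steps, or an indented submode form, which this script assumes as an alternative layout) together with the translation rules that reference a mapping-id, and reports the mismatches an operator would want to catch: a peer address equal to the local address, a mapping-id that no translation rule uses or that no stateful id defines, and a backup whose peer is not the primary's address. The sample configurations are constructed with RFC 5737 and private addresses and are not the page's examples.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample configurations (not the page's example): a primary, its backup, and an HSRP-style one.
PRIMARY_CFG = """\
ip nat stateful id 1 primary 10.0.0.1 peer 10.0.0.2 mapping-id 10
ip nat pool SNATPOOL1 203.0.113.1 203.0.113.9 prefix-length 24
ip nat inside source route-map rm-101 pool SNATPOOL1 mapping-id 10 overload
"""
BACKUP_CFG = """\
ip nat stateful id 2 backup 10.0.0.2 peer 10.0.0.1 mapping-id 10
ip nat pool SNATPOOL1 203.0.113.1 203.0.113.9 prefix-length 24
ip nat inside source route-map rm-101 pool SNATPOOL1 mapping-id 10 overload
"""
HSRP_CFG = """\
ip nat stateful id 1
 redundancy SNATHSRP
 mapping-id 10
ip nat inside source route-map rm-101 pool SNATPOOL1 mapping-id 10 overload
"""

ROLES = ("primary", "backup", "redundancy")


@dataclass
class StatefulBlock:
    ident: int
    role: Optional[str] = None    # "primary", "backup", or "redundancy" for the HSRP form
    local: Optional[str] = None   # own address, or the HSRP group name in the redundancy form
    peer: Optional[str] = None
    mapping_id: Optional[int] = None

    def apply(self, tokens: List[str]) -> None:
        """Consume keyword/value pairs from the id line or from an indented submode line."""
        i = 0
        while i < len(tokens) - 1:
            key, val = tokens[i].lower(), tokens[i + 1]
            if key in ROLES:
                self.role, self.local = key, val
            elif key == "peer":
                self.peer = val
            elif key == "mapping-id":
                self.mapping_id = int(val)
            else:
                i += 1
                continue
            i += 2


@dataclass
class SnatConfig:
    blocks: List[StatefulBlock] = field(default_factory=list)
    mapping_refs: List[int] = field(default_factory=list)   # mapping-ids used by translation rules


STATEFUL_RE = re.compile(r"^ip nat stateful id (\d+)\s*(.*)$", re.IGNORECASE)
MAPPING_REF_RE = re.compile(r"^ip nat (?:inside|outside) source .*\bmapping-id (\d+)", re.IGNORECASE)


def parse_config(text: str) -> SnatConfig:
    cfg = SnatConfig()
    current: Optional[StatefulBlock] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:   # submode line (assumed one-space indent)
            current.apply(raw.split())
            continue
        current = None
        m = STATEFUL_RE.match(raw)
        if m:
            current = StatefulBlock(int(m.group(1)))
            current.apply(m.group(2).split())
            cfg.blocks.append(current)
            continue
        m = MAPPING_REF_RE.match(raw)
        if m:
            cfg.mapping_refs.append(int(m.group(1)))
    return cfg


def check_single(cfg: SnatConfig) -> List[str]:
    """Problems visible from one router's configuration alone."""
    problems: List[str] = []
    defined = {b.mapping_id for b in cfg.blocks if b.mapping_id is not None}
    for b in cfg.blocks:
        if b.role is None or b.mapping_id is None:
            problems.append(f"stateful id {b.ident}: role or mapping-id missing")
        if b.role in ("primary", "backup"):
            if b.peer is None:
                problems.append(f"stateful id {b.ident}: {b.role} form needs a peer address")
            elif b.peer == b.local:
                problems.append(f"stateful id {b.ident}: local and peer address are both {b.local}")
    for mid in cfg.mapping_refs:
        if mid not in defined:
            problems.append(f"mapping-id {mid} is used by a translation rule but no stateful id defines it")
    for mid in defined - set(cfg.mapping_refs):
        problems.append(f"mapping-id {mid} is defined but no translation rule uses it")
    return problems


def check_pair(primary: SnatConfig, backup: SnatConfig) -> List[str]:
    """Cross-check that the primary and backup routers point at each other."""
    problems = check_single(primary) + check_single(backup)
    p = next((b for b in primary.blocks if b.role == "primary"), None)
    b = next((x for x in backup.blocks if x.role == "backup"), None)
    if p is None or b is None:
        return problems + ["pair needs one primary block and one backup block"]
    if p.peer != b.local:
        problems.append(f"primary peers with {p.peer} but the backup's local address is {b.local}")
    if b.peer != p.local:
        problems.append(f"backup peers with {b.peer} but the primary's local address is {p.local}")
    if p.mapping_id != b.mapping_id:
        problems.append(f"mapping-id differs: primary {p.mapping_id}, backup {b.mapping_id}")
    return problems
```

Run check_pair(parse_config(primary_text), parse_config(backup_text)) on the two routers' running configurations; an empty list means the pair is mutually consistent, and each string in a non-empty list names the stateful id or mapping-id to fix. check_single alone covers the HSRP form, where the only cross-reference is between the stateful id and the translation rule's mapping-id.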
Configuration Examples for SNAT
This section provides the following configuration examples:
• Configuring SNAT with HSRP
• Configuring SNAT Primary/Backup
Configuring SNAT with HSRP
!
ip nat Stateful id 1 redundancy SNATHSRP mapping-id 10
ip nat pool SNATPOOL1 11.1.1.1 11.1.1.9 prefix-length 24
ip nat inside source route-map rm-101 pool SNATPOOL1 mapping-id 10 overload
ip classless
ip route 11.1.1.0 255.255.255.0 Null0
no ip http server
ip pim bidir-enable
Configuring SNAT Primary/Backup
!
ip nat Stateful id 1 primary 10.88.194.17 peer 10.88.194.18 mapping-id 10
!
ip nat Stateful id 2 backup 10.88.194.17 peer 10.88.194.17 mapping-id 10
Additional References
For additional information related to Network Address Translation and HSRP, refer to the following references:
Related Documents
Standards
MIBs
MIBs (1)      MIBs Link
None          To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
              http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
(1) Not all supported MIBs are listed.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
Technical Assistance
Command Reference
This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
New Commands
• clear ip snat sessions
• clear ip snat translation distributed
• clear ip snat translation peer
• debug ip snat
• ip nat stateful id
• show ip snat
Modified Commands
• ip nat inside source
• ip nat outside source
clear ip snat sessions
To clear dynamic Stateful Network Address Translation (SNAT) sessions from the translation table, use the clear ip snat sessions EXEC command.
clear ip snat sessions [* | ip-address-peer]
Syntax Description
*
(Optional) Clears all dynamic translations.
ip-address-peer
(Optional) Clears SNAT sessions of the peer translator.
Command Modes
EXEC
Command History
Usage Guidelines
Use this command to clear entries from the translation table before they time out.
Examples
The following example shows the SNAT entries before and after using the clear ip snat sessions command.
Router# show ip snat distributed
SNAT: Mode PRIMARY
    : State READY
    : Local Address 192.168.123.2
    : Local NAT id 100
    : Peer Address 192.168.123.3
    : Peer NAT id 200
    : Mapping List 10
Router# clear ip snat sessions *
Closing TCP session to peer: 192.168.123.3
Router# show ip snat distributed
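An added example, not from the page or from Cisco: the following Python script parses the show ip snat distributed display above into its fields and flags the conditions an operator would want to look at before trusting the failover, such as a State other than READY, a peer address that is not the one configured, or local and peer NAT ids that collide. The sample displays are constructed in the shape shown on the page; CONNECTING is a hypothetical state string used only to exercise the check (READY is the only state the page shows), and BACKUP as the mode label of the other role is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the page's "show ip snat distributed" display of a healthy primary.
SAMPLE_READY = """\
SNAT: Mode PRIMARY
    : State READY
    : Local Address 192.168.123.2
    : Local NAT id 100
    : Peer Address 192.168.123.3
    : Peer NAT id 200
    : Mapping List 10
"""

# Constructed degraded sample; CONNECTING is a hypothetical state string, only READY appears on the page.
SAMPLE_NOT_READY = SAMPLE_READY.replace("State READY", "State CONNECTING")

FIELDS = ["Mode", "State", "Local Address", "Local NAT id",
          "Peer Address", "Peer NAT id", "Mapping List"]


def parse_snat_distributed(text: str) -> Dict[str, str]:
    """Pull the labelled fields out of the display.

    Segments are split on ':' as well as on newlines, so the parser accepts both
    the one-field-per-line layout and a pasted copy where the fields ran together.
    """
    fields: Dict[str, str] = {}
    for segment in re.split(r"[:\n]", text):
        seg = segment.strip()
        for key in FIELDS:
            if seg.lower().startswith(key.lower()):
                fields[key] = seg[len(key):].strip()
                break
    return fields


def assess(text: str, expected_peer: Optional[str] = None) -> Dict:
    """Return the parsed fields plus a list of conditions an operator should look at."""
    f = parse_snat_distributed(text)
    issues: List[str] = []
    for key in FIELDS:
        if key not in f:
            issues.append(f"missing field: {key}")
    if f.get("State") != "READY":
        issues.append(f"state is {f.get('State')!r}, expected READY")
    # PRIMARY is the mode shown on the page; BACKUP is assumed to be the other role's label.
    if f.get("Mode") not in ("PRIMARY", "BACKUP"):
        issues.append(f"unrecognised mode {f.get('Mode')!r}")
    if "Local NAT id" in f and f["Local NAT id"] == f.get("Peer NAT id"):
        issues.append("local and peer NAT ids are identical")
    if "Local Address" in f and f["Local Address"] == f.get("Peer Address"):
        issues.append("local and peer addresses are identical")
    if expected_peer and f.get("Peer Address") != expected_peer:
        issues.append(f"peer address {f.get('Peer Address')} is not the expected {expected_peer}")
    return {"fields": f, "issues": issues}


if __name__ == "__main__":
    for name, sample in (("ready", SAMPLE_READY), ("not ready", SAMPLE_NOT_READY)):
        result = assess(sample, expected_peer="192.168.123.3")
        print(name, result["fields"].get("Mode"), result["issues"] or "ok")
```

Feed assess the captured output of show ip snat distributed (from a terminal log or a monitoring poll) and pass the peer address you configured in the ip nat stateful id command as expected_peer; an empty issues list is the condition to require before counting on the backup.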
clear ip snat translation distributed
To clear dynamic Stateful Network Address Translation (SNAT) translations from the translation table, use the clear ip snat translation distributed EXEC command.
clear ip snat translation distributed *
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Use this command to clear entries from the translation table before they time out.
Examples
Router# clear ip snat translation distributed
clear ip snat translation peer
To clear peer Stateful Network Address Translation (SNAT) translations from the translation table, use the clear ip snat translation peer EXEC command.
clear ip snat translation peer ip-address-peer [refresh]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Use this command to clear peer entries from the translation table before they time out.
Examples
The following example shows the SNAT entries before and after the peer entry is cleared.
Router# show ip snat peer
Pro  Inside global          Inside local           Outside local        Outside global
---  192.168.25.20          192.168.122.20         ---                  ---
tcp  192.168.25.20:33528    192.168.122.20:33528   192.168.24.2:21      192.168.24.2:21
Router# clear ip snat translation peer
Router# show ip snat peer 192.168.123.3
Pro  Inside global          Inside local           Outside local        Outside global
Router#
debug ip snat
Use the debug ip snat privileged EXEC command to display information about IP packets translated by the IP stateful network address translation (SNAT) feature. The no form of this command disables debugging output.
debug ip snat [detailed]
no debug ip snat [detailed]
Syntax Description
Defaults
Disabled
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The SNAT feature allows two or more network address translators to function as a translation group. One member of the translation group handles traffic requiring translation of IP address information. It informs the backup translator of active flows as they occur. The backup translator can then use information from the active translator to prepare duplicate translation table entries enabling the backup translator to become the active translator in the event of a critical failure. Traffic continues to flow without interruption since the same network address translations are used and the state of those translation has been previously defined.
Caution: Because the debug ip snat command generates a significant amount of output, use it only when traffic on the IP network is low, so that other activity on the system is not adversely affected.
Examples
The following is sample output from the debug ip snat command.
Router# debug ip snat detailed
2w6d: SNAT: Establish TCP peers for PRIMARY
2w6d: SNAT (Send): Enqueuing SYNC Message for Router-Id 100
2w6d: SNAT(write2net): 192.168.123.2 <---> 192.168.123.3 send message
2w6d: SNAT(write2net): ver 2, id 100, opcode 1, len 68
2w6d: SNAT (Send): Enqueuing DUMP-REQUEST Message for Router-Id 100
2w6d: SNAT(write2net): 192.168.123.2 <---> 192.168.123.3 send message
2w6d: SNAT(write2net): ver 2, id 100, opcode 6, len 68
2w6d: SNAT (readfromnet): Enqueuing SYNC Message msg to readQ
2w6d: SNAT (Receive): Processed SYNC Message from Router-Id:0 for Router-Id:200's entry/entries
2w6d: SNAT (readfromnet): Enqueuing DUMP-REQUEST Message msg to readQ
2w6d: SNAT (Receive): Processed DUMP-REQUEST Message from Router-Id:200 for Router-Id:200's entry/entries
2w6d: SNAT(sense): Send SYNC message
2w6d: SNAT (Send): Enqueuing SYNC Message for Router-Id 100
2w6d: SNAT(write2net): 192.168.123.2 <---> 192.168.123.3 send message
2w6d: SNAT(write2net): ver 2, id 100, opcode 1, len 68
2w6d: SNAT (readfromnet): Enqueuing SYNC Message msg to readQ
2w6d: SNAT (Receive): Processed SYNC Message from Router-Id:200 for Router-Id:200's entry/entries
Table 1 describes the significant fields shown in the display.
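The debug output above is easier to reason about once it is reduced to message counts. The following Python script is an added example, not Cisco's code and not part of this document: it parses the debug ip snat detailed lines, pairs each Enqueuing line with the write2net header that follows it to learn which opcode number carries which message type (in the page's output SYNC travels with opcode 1 and DUMP-REQUEST with opcode 6), counts messages sent and processed per type, and lists the peer address pairs and the sender Router-Ids seen. The sample lines are the page's own, split one record per line; unexpected_senders is an added helper that lists messages whose claimed Router-Id is not the configured peer, for the operator to look into.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Lines reproduced from the page's "debug ip snat detailed" output, one record per line.
SAMPLE_DEBUG = """\
2w6d: SNAT: Establish TCP peers for PRIMARY
2w6d: SNAT (Send): Enqueuing SYNC Message for Router-Id 100
2w6d: SNAT(write2net): 192.168.123.2 <---> 192.168.123.3 send message
2w6d: SNAT(write2net): ver 2, id 100, opcode 1, len 68
2w6d: SNAT (Send): Enqueuing DUMP-REQUEST Message for Router-Id 100
2w6d: SNAT(write2net): 192.168.123.2 <---> 192.168.123.3 send message
2w6d: SNAT(write2net): ver 2, id 100, opcode 6, len 68
2w6d: SNAT (readfromnet): Enqueuing SYNC Message msg to readQ
2w6d: SNAT (Receive): Processed SYNC Message from Router-Id:0 for Router-Id:200's entry/entries
2w6d: SNAT (readfromnet): Enqueuing DUMP-REQUEST Message msg to readQ
2w6d: SNAT (Receive): Processed DUMP-REQUEST Message from Router-Id:200 for Router-Id:200's entry/entries
2w6d: SNAT(sense): Send SYNC message
2w6d: SNAT (Send): Enqueuing SYNC Message for Router-Id 100
2w6d: SNAT(write2net): 192.168.123.2 <---> 192.168.123.3 send message
2w6d: SNAT(write2net): ver 2, id 100, opcode 1, len 68
2w6d: SNAT (readfromnet): Enqueuing SYNC Message msg to readQ
2w6d: SNAT (Receive): Processed SYNC Message from Router-Id:200 for Router-Id:200's entry/entries
"""

# The patterns tolerate a missing space after the colon, as in a pasted copy of the output.
SEND_RE = re.compile(r"SNAT \(Send\):\s*Enqueuing (\S+) Message for Router-Id (\d+)")
HDR_RE = re.compile(r"SNAT\(write2net\):\s*ver (\d+), id (\d+), opcode (\d+), len (\d+)")
PEER_RE = re.compile(r"SNAT\(write2net\):\s*(\S+) <---> (\S+) send message")
RECV_RE = re.compile(r"SNAT \(Receive\):\s*Processed (\S+) Message from Router-Id:(\d+) for Router-Id:(\d+)")


def summarize_debug(text: str) -> Dict:
    """Condense the per-message debug lines into counts, observed opcode numbers and peers seen."""
    sent: Counter = Counter()
    received: Counter = Counter()
    opcodes: Dict[str, int] = {}        # message type -> opcode, learned by pairing enqueue and header lines
    peers: Set[Tuple[str, str]] = set()
    sender_ids: Set[int] = set()
    pending = None                      # type of the message just enqueued for sending
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            pending = m.group(1)
            sent[pending] += 1
            continue
        m = PEER_RE.search(line)
        if m:
            peers.add((m.group(1), m.group(2)))
            continue
        m = HDR_RE.search(line)
        if m and pending is not None:
            opcodes.setdefault(pending, int(m.group(3)))
            pending = None
            continue
        m = RECV_RE.search(line)
        if m:
            received[m.group(1)] += 1
            sender_ids.add(int(m.group(2)))
    return {
        "sent": dict(sent),
        "received": dict(received),
        "opcodes": opcodes,
        "peers": sorted(peers),
        "sender_ids": sorted(sender_ids),
    }


def unexpected_senders(summary: Dict, expected_peer_id: int) -> List[int]:
    """Router-Ids that processed messages claimed to come from, other than the configured peer."""
    return [i for i in summary["sender_ids"] if i != expected_peer_id]


if __name__ == "__main__":
    s = summarize_debug(SAMPLE_DEBUG)
    print("sent:", s["sent"], "received:", s["received"])
    print("opcodes:", s["opcodes"], "peers:", s["peers"])
    print("senders other than peer 200:", unexpected_senders(s, 200))
```

Pipe a captured debug session into summarize_debug; a sent count that keeps rising without matching processed messages, or a sender Router-Id you did not configure, is the sort of pattern worth correlating with the Peer NAT id shown by show ip snat distributed.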
ip nat inside source
To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source command in global configuration mode. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.
ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type-number | pool pool-name} [mapping-id map-number] [overload]
no ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type-number | pool pool-name} [mapping-id map-number] [overload]
Static NAT
ip nat inside source static local-ip global-ip [extendable] [no-alias] [no-payload] [route-map name] [redundancy group-name]
no ip nat inside source static local-ip global-ip [extendable] [no-alias] [no-payload] [route-map name] [redundancy group-name]
Port Static NAT
ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port [extendable] [no-alias] [no-payload]
no ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port [extendable] [no-alias] [no-payload]
Network Static NAT
ip nat inside source static network local-network global-network mask [extendable] [no-alias] [no-payload]
no ip nat inside source static network local-network global-network mask [extendable] [no-alias] [no-payload]
Syntax Description
Defaults
No NAT translation of inside source addresses occurs.
Command Modes
Global configuration
Command History
Related Commands
Usage Guidelines
This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.
Packets that enter the router through the inside interface and packets sourced from the router are checked against the access list for possible NAT candidates. The access list is used to specify which traffic is to be translated.
Alternatively, the syntax form with the static keyword establishes a single static translation.
Examples
The following example translates between inside hosts addressed from either the 192.168.1.0 or the 192.168.2.0 network to the globally unique 171.69.233.208/28 network:
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
Related Commands
ip nat outside source
To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source command in global configuration mode. To remove the static entry or the dynamic association, use the no form of this command.
ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [add-route] [mapping-id map-number]
no ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [add-route] [mapping-id map-number]
Static NAT
ip nat outside source static global-ip local-ip [add-route] [extendable] [no-alias] [no-payload] [redundancy group-name]
no ip nat outside source static global-ip local-ip [add-route] [extendable] [no-alias] [no-payload] [redundancy group-name]
Port Static NAT
ip nat outside source static {tcp | udp} global-ip global-port local-ip local-port [add-route] [extendable] [no-alias] [no-payload]
no ip nat outside source static {tcp | udp} global-ip global-port local-ip local-port [add-route] [extendable] [no-alias] [no-payload]
Network Static NAT
ip nat outside source static network global-network local-network mask [add-route] [extendable] [no-alias] [no-payload]
no ip nat outside source static network global-network local-network mask [add-route] [extendable] [no-alias] [no-payload]
Syntax Description
Defaults
No translation of source addresses coming from the outside to the inside network occurs.
Command Modes
Global configuration
Command History
Usage Guidelines
You might have IP addresses that are not legal, officially assigned IP addresses, perhaps because you chose addresses that officially belong to another network. When the same address is in use both by its legitimate owner and, illegitimately, inside your network, the addresses are said to overlap. You can use NAT to translate inside addresses that overlap with outside addresses. Use this feature if the IP addresses in your stub network happen to be legitimate IP addresses belonging to another network and you need to communicate with those hosts or routers.
This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.
Alternatively, the syntax form with the static keyword establishes a single static translation.
Examples
The following example translates between inside hosts addressed from the 9.114.11.0 network to the globally unique 171.69.233.208/28 network. Further, packets from outside hosts addressed from the 9.114.11.0 network (the true 9.114.11.0 network) are translated to appear to be from the 10.0.1.0/24 network.
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
ip nat inside source list 1 pool net-208
ip nat outside source list 1 pool net-10
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 9.114.11.39 255.255.255.0
 ip nat inside
access-list 1 permit 9.114.11.0 0.0.0.255
The following example shows NAT configured on the PE with a static route to the shared service for the gold and silver VPNs. NAT is configured as inside source static 1 to 1 translations.
ip nat pool outside 4.4.4.1 4.4.4.254 netmask 255.255.255.0
ip nat outside source list 1 pool mypool
access-list 1 permit 168.58.18.0 0.0.0.255
ip nat inside source static 192.168.121.33 2.2.2.1 vrf gold
ip nat inside source static 192.169.121.33 2.2.2.2 vrf silver
Related Commands

