Table Of Contents
NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support —Stateful NAT Phase 2
Benefits of Stateful Failover Asymmetric Outside-to-Inside Support
How Stateful Failover for Asymmetric Outside-to-Inside Support Works
How Stateful Failover for ALGs Works
How to Configure NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support
Configuring SNAT Primary/Backup
Configuration Examples for NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support
Configuring SNAT with HSRP: Example
Configuring SNAT Primary/Backup: Example
NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support —Stateful NAT Phase 2
The NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support—Stateful NAT Phase 2 feature improves the handling of asymmetric paths by allowing multiple routing paths from outside to inside and per-packet load balancing across them. The feature also provides seamless failover of translated IP sessions whose traffic carries embedded IP addressing, such as Voice over IP, FTP, and Domain Name System (DNS) applications.
Feature History for the NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support Feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• How to Configure NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support
• Configuration Examples for NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support
Restrictions for Using the NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support—Stateful NAT Phase 2 Feature
Each router must have the same Network Address Translation (NAT) configurations.
Information About the NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support—Stateful NAT Phase 2 Feature
Before enabling the NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support—Stateful NAT Phase 2 feature, be sure you understand the following concepts:
• Benefits of Stateful Failover Asymmetric Outside-to-Inside Support
• How Stateful Failover for Asymmetric Outside-to-Inside Support Works
• How Stateful Failover for ALGs Works
Benefits of Stateful Failover Asymmetric Outside-to-Inside Support
Stateful NAT Phase 1 required all sessions to pass through the primary NAT router, which controlled the NAT translation entries, unless the primary NAT router was unavailable. This requirement preserved the integrity of the translation information by guarding against packets relevant to NAT session control traversing the backup without the primary being aware of them. Without synchronized IP sessions, NAT eventually times out the IP session entries, and the result is IP session states that are out of sequence.
The stateful failover asymmetric outside-to-inside enhancement provides the following benefits:
• Ability to support multiple routing paths from outside-to-inside
• Ability to handle per-packet load balancing of asymmetric routing from outside-to-inside
How Stateful Failover for Asymmetric Outside-to-Inside Support Works
Stateful failover for asymmetric outside-to-inside support enables two NAT routers to participate in a primary/backup design. One of the routers is elected as the primary NAT router and the second router acts as the backup router. As traffic is actively translated by the primary NAT router, it updates the backup NAT router with the NAT translation state from its NAT translation table entries. If the primary NAT router fails or is taken out of service, the backup NAT router automatically takes over. When the primary comes back into service, it takes over again and requests an update from the backup NAT router. Return traffic is handled by either the primary or the backup NAT translator, and NAT translation integrity is preserved.
When the backup NAT router receives asymmetric IP traffic and performs NAT of the packets, it will update the primary NAT router to ensure both the primary and backup NAT translation tables remain synchronized.
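The following toy model illustrates the behaviour just described: the active router pushes each new translation to its peer, return traffic that arrives on the backup (the asymmetric case) is translated there and the primary is refreshed so its entry does not age out, the backup takes over new sessions while the primary is down, and the recovered primary requests the backup's table. This is an added example, not Cisco code; the class and method names (NatRouter, receive_sync, resync_from_peer), the idle timeout, the logical clock and the addresses are assumptions made for illustration, and the peers call each other directly rather than exchanging state over a network.

```python
"""Toy model of stateful NAT primary/backup synchronisation (added example, not
Cisco code). Names, the idle timeout and the sample addresses are assumptions."""
from dataclasses import dataclass

IDLE_TIMEOUT = 5   # assumed idle limit, in ticks of a logical clock


@dataclass
class Translation:
    inside_local: str    # private address of the inside host
    inside_global: str   # address allocated from the NAT pool
    last_seen: int       # clock tick of the last packet that used this entry


class NatRouter:
    def __init__(self, name, pool):
        self.name = name
        self.free_pool = list(pool)   # both routers start from the same pool (restriction above)
        self.table = {}               # inside_local -> Translation
        self.peer = None
        self.up = True

    def receive_sync(self, entry):
        """Install or refresh an entry pushed by the peer; a router that is down ignores it."""
        if not self.up:
            return
        if entry.inside_global in self.free_pool:
            self.free_pool.remove(entry.inside_global)
        self.table[entry.inside_local] = Translation(
            entry.inside_local, entry.inside_global, entry.last_seen)

    def inside_to_outside(self, inside_local, now):
        """Translate a packet leaving the inside network, creating state if needed,
        and push the new or refreshed entry to the peer."""
        entry = self.table.get(inside_local)
        if entry is None:
            if not self.free_pool:
                raise RuntimeError(f"{self.name}: NAT pool exhausted")
            entry = Translation(inside_local, self.free_pool.pop(0), now)
            self.table[inside_local] = entry
        entry.last_seen = now
        self.peer.receive_sync(entry)
        return entry.inside_global

    def outside_to_inside(self, inside_global, now):
        """Translate return traffic. With asymmetric routing it may arrive on the backup;
        whichever router handles it refreshes the peer so both timers stay in step."""
        for entry in self.table.values():
            if entry.inside_global == inside_global:
                entry.last_seen = now
                self.peer.receive_sync(entry)
                return entry.inside_local
        return None   # no translation state: the packet would be dropped

    def age_out(self, now):
        """Expire idle entries and return their global addresses to the pool."""
        for local, entry in list(self.table.items()):
            if now - entry.last_seen > IDLE_TIMEOUT:
                del self.table[local]
                self.free_pool.append(entry.inside_global)

    def resync_from_peer(self):
        """Come back into service and request the peer's complete table."""
        self.up = True
        for entry in self.peer.table.values():
            self.receive_sync(entry)


def pair(primary, backup):
    primary.peer, backup.peer = backup, primary


def demo():
    """Walk through the scenarios in the text; returns facts a test can check."""
    pool = ["171.69.233.209", "171.69.233.210"]          # constructed sample pool
    pri, bak = NatRouter("primary", pool), NatRouter("backup", pool)
    pair(pri, bak)
    g1 = pri.inside_to_outside("192.168.1.10", now=1)    # session opened via the primary
    host = bak.outside_to_inside(g1, now=2)              # reply takes the backup path
    pri.age_out(now=7)                                   # refresh from the backup kept the entry
    alive_on_primary = "192.168.1.10" in pri.table
    pri.up = False                                       # primary fails
    g2 = bak.inside_to_outside("192.168.1.11", now=9)    # backup now owns new sessions
    pri.resync_from_peer()                               # primary returns and pulls state
    return {
        "backup_translated_return": host,
        "alive_on_primary": alive_on_primary,
        "primary_learned_after_recovery": pri.table["192.168.1.11"].inside_global == g2,
        "pools_consistent": pri.free_pool == bak.free_pool,
    }


if __name__ == "__main__":
    print(demo())
```

Without the refresh in outside_to_inside, the primary's entry for 192.168.1.10 would have last been seen at tick 1 and age_out(now=7) would expire it, which is exactly the out-of-sequence session state the previous section warns about.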
Figure 1 shows a typical configuration that uses the NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support—Stateful NAT Phase 2 feature.
Figure 1 Stateful NAT Asymmetric Outside-to-Inside Support
How Stateful Failover for ALGs Works
For Application Layer Gateways (ALGs), the stateful failover embedded-addressing enhancement allows the secondary (backup) NAT router to properly handle NAT and delivery of IP traffic. NAT inspects all IP traffic entering interfaces that have been configured with the NAT feature. The inspection consists of matching the incoming traffic against a set of translation rules and performing an address translation if a match occurs. The following are examples of such rules:
• Matching a source address range
• Matching a specific destination address range
• Matching a list of applications known to NAT that might require a specific source port for control plane negotiation, or embedded source IP addresses within the application protocol
Some of the applications and protocols that embed source port or IP address information include:
• H.323 Registration, Admission, and Status (RAS) Protocol
• DNS queries
• NetMeeting Internet Locator Server (ILS)
• Internet Control Message Protocol (ICMP)
• Simple Mail Transfer Protocol (SMTP)
• Point-to-Point Tunneling Protocol (PPTP)
• Network File System (NFS)
A complete list of current ALG protocols supported by Cisco IOS NAT can be found at http://www.cisco.com/en/US/tech/tk648/tk361/tech_brief09186a00801af2b9.html
How to Configure NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support
This section contains the following procedures:
• Configuring SNAT with HSRP (required)
• Configuring SNAT Primary/Backup (required)
Configuring SNAT with HSRP
To configure your Hot Standby Router Protocol (HSRP) router with Stateful Network Address Translation (SNAT), use the following commands:
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. standby [group-name] ip [ip-address [secondary]]
5. exit
6. ip nat stateful id ip-address redundancy group-name mapping-id map-id
7. ip nat pool name start-ip end-ip prefix-length prefix-length
8. ip nat inside source route-map name pool pool-name mapping-id map-id [overload]
9. ip nat inside destination list number pool name mapping-id map-id
10. ip nat outside source static global-ip local-ip extendable mapping-id map-id
11. end
DETAILED STEPS
Configuring SNAT Primary/Backup
Use the following commands to enable the NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support feature:
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat stateful id id-number {primary | backup} ip-address peer ip-address mapping-id map-number
4. ip nat pool name start-ip end-ip prefix-length prefix-length
5. ip nat inside source route-map name pool pool-name mapping-id map-id [overload]
6. ip nat inside destination list number pool name mapping-id map-id
7. ip nat outside source static global-ip local-ip extendable mapping-id map-id
8. end
DETAILED STEPS
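Both procedures above bind translation rules to a stateful peer through the mapping-id, and the restriction earlier in this document requires both routers to carry the same NAT configuration. The following checker, an added example and not Cisco's own tooling, parses the NAT portion of two running configurations and reports rules present on only one router, mapping-ids that no ip nat stateful id block binds, and primary/backup pairs whose peer addresses do not point at each other (or HSRP pairs whose group names differ). It accepts both the one-line command form shown in the summary steps and the indented submode form shown in the configuration examples. The config text and router names are constructed, modelled on the examples in this document.

```python
"""Consistency checker for a pair of SNAT routers (added example, not Cisco code).
Sample configs below are constructed, modelled on this document's examples."""
import re

STATEFUL_RE = re.compile(r"^ip nat stateful id (\d+)", re.IGNORECASE)
RULE_RE = re.compile(r"^ip nat (pool|inside source|inside destination|outside source)\b",
                     re.IGNORECASE)
PARAM_RE = re.compile(r"(redundancy|primary|backup|peer|mapping-id)\s+(\S+)", re.IGNORECASE)


def _absorb(block, text):
    """Record stateful-id parameters, from the command line or from submode lines."""
    for key, val in PARAM_RE.findall(text):
        key = key.lower()
        if key == "mapping-id":
            block["mapping_ids"].add(val)
        elif key == "redundancy":
            block["mode"], block["group"] = "hsrp", val
        elif key == "peer":
            block["peer"] = val
        else:                                  # primary / backup
            block["mode"], block["addr"] = key, val


def parse_nat(config):
    """Return (stateful blocks keyed by id, normalised set of translation rules)."""
    blocks, rules, current = {}, set(), None
    for line in config.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        m = STATEFUL_RE.match(line)
        if m:
            current = blocks.setdefault(m.group(1), {"mode": None, "addr": None, "peer": None,
                                                     "group": None, "mapping_ids": set()})
            _absorb(current, line[m.end():])
        elif line.startswith(" ") and current is not None:
            _absorb(current, line.strip())
        else:
            current = None
            if RULE_RE.match(line):
                rules.add(" ".join(line.lower().split()))
    return blocks, rules


def _by_mapping_id(blocks):
    return {mid: b for b in blocks.values() for mid in b["mapping_ids"]}


def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair passes every check."""
    findings = []
    (blocks_a, rules_a), (blocks_b, rules_b) = parse_nat(cfg_a), parse_nat(cfg_b)
    for rule in sorted(rules_a ^ rules_b):           # rules present on only one router
        side = "second" if rule in rules_a else "first"
        findings.append(f"rule missing on {side} router: {rule}")
    for side, blocks, rules in (("first", blocks_a, rules_a), ("second", blocks_b, rules_b)):
        bound = set().union(*(b["mapping_ids"] for b in blocks.values()))
        for rule in rules:
            m = re.search(r"mapping-id (\S+)", rule)
            if m and m.group(1) not in bound:
                findings.append(f"{side} router: mapping-id {m.group(1)} in '{rule}' "
                                "has no ip nat stateful id block")
    mapped_a, mapped_b = _by_mapping_id(blocks_a), _by_mapping_id(blocks_b)
    for mid in sorted(set(mapped_a) | set(mapped_b)):
        a, b = mapped_a.get(mid), mapped_b.get(mid)
        if a is None or b is None:
            findings.append(f"mapping-id {mid} is bound on only one router")
        elif {a["mode"], b["mode"]} == {"primary", "backup"}:
            if a["peer"] != b["addr"] or b["peer"] != a["addr"]:
                findings.append(f"mapping-id {mid}: primary/backup peer addresses do not "
                                "point at each other")
        elif a["mode"] == b["mode"] == "hsrp":
            if a["group"] != b["group"]:
                findings.append(f"mapping-id {mid}: HSRP group names differ "
                                f"({a['group']} vs {b['group']})")
        else:
            findings.append(f"mapping-id {mid}: roles {a['mode']}/{b['mode']} are not "
                            "primary+backup or a shared HSRP group")
    return findings


# Constructed sample configs, modelled on the primary/backup example in this document.
ROUTER_A = """\
ip nat Stateful id 1
 primary 10.88.194.17
 peer 10.88.194.18
 mapping-id 10
ip nat pool SNATPOOL1 11.1.1.1 11.1.1.9 prefix-length 24
ip nat inside source route-map rm-101 pool SNATPOOL1 mapping-id 10 overload
"""
ROUTER_B = """\
ip nat Stateful id 2
 backup 10.88.194.18
 peer 10.88.194.17
 mapping-id 10
ip nat pool SNATPOOL1 11.1.1.1 11.1.1.9 prefix-length 24
ip nat inside source route-map rm-101 pool SNATPOOL1 mapping-id 10 overload
"""
# A drifted backup: the pool shrank and a new rule uses a mapping-id nothing binds.
ROUTER_B_DRIFT = """\
ip nat Stateful id 2
 backup 10.88.194.18
 peer 10.88.194.17
 mapping-id 10
ip nat pool SNATPOOL1 11.1.1.1 11.1.1.5 prefix-length 24
ip nat inside source route-map rm-101 pool SNATPOOL1 mapping-id 10 overload
ip nat inside destination list 1 pool SNATPOOL1 mapping-id 20
"""

if __name__ == "__main__":
    print("healthy pair:", check_pair(ROUTER_A, ROUTER_B))
    for finding in check_pair(ROUTER_A, ROUTER_B_DRIFT):
        print("drifted pair:", finding)
```

Feed it the output of show running-config from each router; the healthy pair returns no findings, while the drifted pair reports the pool mismatch in both directions, the unmatched inside destination rule, and the unbound mapping-id 20.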
Configuration Examples for NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support
This section contains the following examples:
• Configuring SNAT with HSRP: Example
• Configuring SNAT Primary/Backup: Example
Configuring SNAT with HSRP: Example
The following example shows how to configure SNAT with HSRP.
ip nat Stateful id 1
 redundancy SNATHSRP
 mapping-id 10
ip nat pool SNATPOOL1 11.1.1.1 11.1.1.9 prefix-length 24
ip nat inside source route-map rm-101 pool SNATPOOL1 mapping-id 10 overload
ip classless
ip route 11.1.1.0 255.255.255.0 Null0
no ip http server
ip pim bidir-enable
Configuring SNAT Primary/Backup: Example
The following example shows how to configure SNAT on the primary/backup router.
ip nat Stateful id 1
 primary 10.88.194.17
 peer 10.88.194.18
 mapping-id 10
!
ip nat Stateful id 2
 backup 10.88.194.17
 peer 10.88.194.17
 mapping-id 10
Additional References
The following sections provide references related to Stateful NAT.
Related Documents
Standards
MIBs
MIB: None
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.
ip nat inside destination
To enable Network Address Translation (NAT) of the inside destination address, use the ip nat inside destination command in global configuration mode. To remove the dynamic association to a pool, use the no form of this command.
ip nat inside destination list {access-list-number | name} pool name [mapping-id map-id]
no ip nat inside destination list {access-list-number | name} pool name [mapping-id map-id]
Syntax Description
Defaults
No inside destination addresses are translated.
Command Modes
Global configuration
Command History
Release     Modification
11.2        This command was introduced.
12.3(7)T    The mapping-id map-id keyword and argument combination was added.
Usage Guidelines
This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.
Examples
The following example shows how to translate between inside hosts addressed to either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside destination list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
Related Commands
ip nat inside source
To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source command in global configuration mode. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.
Dynamic NAT
ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool name} [mapping-id map-id | overload | vrf name]
no ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool name} [mapping-id map-id | overload | vrf name]
Static NAT
ip nat inside source {static {esp local-ip interface type number | local-ip global-ip}} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | vrf name]
no ip nat inside source {static {esp local-ip interface type number | local-ip global-ip}} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | vrf name]
Port Static NAT
ip nat inside source {static {tcp | udp {local-ip local-port global-ip global-port | interface global-port}} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | vrf name]
no ip nat inside source {static {tcp | udp {local-ip local-port global-ip global-port | interface global-port}} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | vrf name]
Network Static NAT
ip nat inside source static network local-network global-network mask [extendable | no-alias | no-payload | mapping-id map-id | redundancy group-name | route-map | vrf name]
no ip nat inside source static network local-network global-network mask [extendable | no-alias | no-payload | mapping-id map-id | redundancy group-name | route-map | vrf name]
Syntax Description
Defaults
No NAT translation of inside source addresses occurs.
Command Modes
Global configuration
Command History
Usage Guidelines
This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.
Packets that enter the router through the inside interface and packets sourced from the router are checked against the access list for possible NAT candidates. The access list is used to specify which traffic is to be translated.
Alternatively, the syntax form with the keyword static establishes a single static translation.
Examples
The following example shows how to translate between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
The following example shows how to translate only traffic local to the provider edge device running NAT (NAT-PE):
ip nat inside source list 1 interface e 0 vrf shop overload
ip nat inside source list 1 interface e 0 vrf bank overload
!
ip route vrf shop 0.0.0.0 0.0.0.0 192.1.1.1
ip route vrf bank 0.0.0.0 0.0.0.0 192.1.1.1
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 1 interface e 1 vrf shop overload
ip nat inside source list 1 interface e 1 vrf bank overload
!
ip route vrf shop 0.0.0.0 0.0.0.0 172.1.1.1 global
ip route vrf bank 0.0.0.0 0.0.0.0 172.1.1.1 global
access-list 1 permit 10.1.1.0 0.0.0.255
Related Commands
ip nat outside source
To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source command in global configuration mode. To remove the static entry or the dynamic association, use the no form of this command.
Dynamic NAT
ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [add-route | mapping-id map-id | vrf name]
no ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [add-route | mapping-id map-id | vrf name]
Static NAT
ip nat outside source static global-ip local-ip [add-route | extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | vrf name]
no ip nat outside source static global-ip local-ip [add-route | extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | vrf name]
Port Static NAT
ip nat outside source static {tcp | udp} global-ip global-port local-ip local-port [add-route | extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | vrf name]
no ip nat outside source static {tcp | udp} global-ip global-port local-ip local-port [add-route | extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | vrf name]
Network Static NAT
ip nat outside source static network global-network local-network mask [add-route | extendable | mapping-id map-id | no-alias | no-payload | redundancy | vrf name]
no ip nat outside source static network global-network local-network mask [add-route | extendable | mapping-id map-id | no-alias | no-payload | redundancy | vrf name]
Syntax Description
Defaults
No translation of source addresses coming from the outside to the inside network occurs.
Command Modes
Global configuration
Command History
Usage Guidelines
You might have IP addresses that are not legal, officially assigned IP addresses. Perhaps you chose IP addresses that officially belong to another network. This situation, in which the same address is in use both illegitimately (in your network) and legitimately (by its official owner), is called overlapping. You can use NAT to translate inside addresses that overlap with outside addresses. Use this command if the IP addresses in your stub network happen to be legitimate IP addresses belonging to another network, and you need to communicate with those hosts or routers.
This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.
Alternatively, the syntax form with the static keyword establishes a single static translation.
Examples
The following example shows how to translate between inside hosts addressed from the 9.114.11.0 network to the globally unique 171.69.233.208/28 network. Further, packets from outside hosts addressed from the 9.114.11.0 network (the true 9.114.11.0 network) are translated to appear to be from the 10.0.1.0/24 network.
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
ip nat inside source list 1 pool net-208
ip nat outside source list 1 pool net-10
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 9.114.11.39 255.255.255.0
 ip nat inside
!
access-list 1 permit 9.114.11.0 0.0.0.255
The following example shows NAT configured on the Provider Edge (PE) router with a static route to the shared service for the gold and silver Virtual Private Networks (VPNs). NAT is configured as inside source static one-to-one translations.
ip nat pool outside 4.4.4.1 4.4.4.254 netmask 255.255.255.0
ip nat outside source list 1 pool mypool
access-list 1 permit 168.58.18.0 0.0.0.255
ip nat inside source static 192.168.121.33 2.2.2.1 vrf gold
ip nat inside source static 192.169.121.33 2.2.2.2 vrf silver
Related Commands
Copyright © 2004 Cisco Systems, Inc. All rights reserved.