Configuring NAT for High Availability

Last Updated: November 29, 2012

This module contains procedures for configuring Network Address Translation (NAT) to support the increasing need for highly resilient IP networks. This network resiliency is required where application connectivity needs to continue unaffected by failures to links and routers at the NAT border.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring NAT for High Availability

To understand how High Availability (HA) is implemented on the Cisco ASR 1000 Series Aggregation Services Routers, see the "High Availability Overview" chapter in the Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide.

Information About Configuring NAT for High Availability

Static Mapping Support with HSRP for High Availability Feature Overview

When an Address Resolution Protocol (ARP) query is triggered for an address that is configured with NAT static mapping and owned by the router, NAT responds with the burned-in MAC (BIA MAC) address on the interface to which the ARP is pointing. Two routers act as the Hot Standby Router Protocol (HSRP) active and standby. You must enable and configure the NAT inside interfaces of the active and standby routers to belong to a group.

Address Resolution with ARP

A device can have both a local address (which uniquely identifies the device on its local segment or LAN) and a network address (which identifies the network to which the device belongs). The local address is known as the data link address because it is contained in the data link layer of the packet header and is read by data-link devices (bridges and all device interfaces). The local address is also referred to as the MAC address, because the MAC sublayer within the data link layer processes addresses for the layer.

To communicate with a device on an Ethernet port, your software must first determine the 48-bit MAC or local data link address of that device; for example, the Cisco IOS XE software must first determine the 48-bit MAC or local data link address of the Ethernet port. The process of determining the local data link address from an IP address is called address resolution. The process of determining the IP address from a local data link address is called reverse address resolution.

You can use Address Resolution Protocol (ARP), proxy ARP, Probe (similar to ARP), and Reverse Address Resolution Protocol (RARP) for address resolution. ARP, proxy ARP, and RARP are defined in RFCs 826, 1027, and 903, respectively. Probe is a protocol developed by the Hewlett-Packard Company (HP) for use on IEEE-802.3 networks.

ARP is used to associate IP addresses with media or MAC addresses. Taking an IP address as input, ARP determines the associated media address. Once a media or MAC address is determined, the IP address or the media address association is stored in an ARP cache for rapid retrieval. The IP datagram is encapsulated in a link layer frame and sent over the network. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP).

How to Configure NAT for High Availability

Configuring NAT Static Mapping Support for HSRP

Both of the following tasks are required and must be performed on both the active and standby routers to configure NAT static mapping support for HSRP:

  • Enabling HSRP on the NAT Interface
  • Enabling Static NAT in an HSRP Environment

Restrictions for Configuring Static Mapping Support for HSRP

  • Static NAT mappings must be mirrored on two or more HSRP routers, because the NAT state will not be exchanged between routers running NAT in an HSRP group.
  • If you configure both HSRP routers with the same static NAT and the hsrp keyword to link the routers to the same HSRP group is not configured, the behavior of the routers will be unpredictable.

Benefits of Configuring Static Mapping Support for HSRP

  • When you configure static mapping for HSRP and the HSRP routers have an identical NAT configuration for redundancy, the failover happens without timing out and repopulating upstream ARP caches.
  • Static mapping support for HSRP allows an HSRP active router to respond to an incoming ARP request for a router that is configured with a NAT address.

Enabling HSRP on the NAT Interface

Perform this task on both active and standby routers.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    interface type number

4.    ip address ip-address mask

5.    no ip redirects

6.    ip nat {inside | outside}

7.    standby [group-number] priority priority

8.    standby [group-number] preempt

9.    standby [group-number] ip [ip-address [secondary]]

10.    standby [group-number] name [group-name]

11.    standby [group-number] track interface number

12.    end

13.    show standby

14.    show ip nat translations [verbose]


DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3: interface type number
  Example: Router(config)# interface GigabitEthernet 0/0/0
  Purpose: Configures an interface and enters interface configuration mode.

Step 4: ip address ip-address mask
  Example: Router(config-if)# ip address 192.168.1.27 255.255.255.0
  Purpose: Sets the primary IP address on the interface.

Step 5: no ip redirects
  Example: Router(config-if)# no ip redirects
  Purpose: Disables the sending of redirect messages.

Step 6: ip nat {inside | outside}
  Example: Router(config-if)# ip nat inside
  Purpose: Marks the interface as connected to the inside.

Step 7: standby [group-number] priority priority
  Example: Router(config-if)# standby 10 priority 105
  Purpose: Configures HSRP priority.

Step 8: standby [group-number] preempt
  Example: Router(config-if)# standby 10 preempt
  Purpose: Configures HSRP preemption.

Step 9: standby [group-number] ip [ip-address [secondary]]
  Example: Router(config-if)# standby 10 ip 192.168.5.30
  Purpose: Enables the HSRP protocol.

Step 10: standby [group-number] name [group-name]
  Example: Router(config-if)# standby 10 name HSRP1
  Purpose: Sets the HSRP group name.

Step 11: standby [group-number] track interface number
  Example: Router(config-if)# standby 10 track GigabitEthernet0/0/1
  Purpose: Configures HSRP to track an object and to change the hot standby priority on the basis of the state of the object.

Step 12: end
  Example: Router(config-if)# end
  Purpose: Exits interface configuration mode and enters privileged EXEC mode.

Step 13: show standby
  Example: Router# show standby
  Purpose: (Optional) Displays HSRP information.

Step 14: show ip nat translations [verbose]
  Example: Router# show ip nat translations verbose
  Purpose: (Optional) Displays active NAT translations.

Enabling Static NAT in an HSRP Environment

To enable static mapping support with HSRP for high availability, perform this task on both the active and standby routers.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ip nat inside source static local-ip global-ip redundancy group-name

4.    ip classless

5.    ip route prefix mask interface-type interface-number

6.    no ip http server

7.    end

8.    show ip nat translations [verbose]


DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3: ip nat inside source static local-ip global-ip redundancy group-name
  Example: Router(config)# ip nat inside source static 192.168.5.33 10.10.10.5 redundancy HSRP1
  Purpose: Enables the router to respond to ARP queries using BIA MAC, if HSRP is configured on the NAT inside interface.

Step 4: ip classless
  Example: Router(config)# ip classless
  Purpose: Enables a router to forward packets that are destined for a subnet of a network that has no network default route, to the best supernet route possible.

Step 5: ip route prefix mask interface-type interface-number
  Example: Router(config)# ip route 10.10.10.0 255.255.255.0 GigabitEthernet0/0/0
  Purpose: Establishes static routes.

Step 6: no ip http server
  Example: Router(config)# no ip http server
  Purpose: Disables the HTTP server on your IP system.

Step 7: end
  Example: Router(config)# end
  Purpose: Exits global configuration mode and enters privileged EXEC mode.

Step 8: show ip nat translations [verbose]
  Example: Router# show ip nat translations verbose
  Purpose: (Optional) Displays active NAT translations.

Configuration Examples for NAT for High Availability

Configuring Static NAT in an HSRP Environment Examples

The following example shows support for NAT with a static configuration in an HSRP environment. Two routers are acting as HSRP active and standby, and the NAT inside interfaces are HSRP enabled and configured to belong to the group HSRP1.

Active Router Configuration

interface GigabitEthernet 0/1/1
 ip address 192.168.5.54 255.255.255.0
 no ip redirects
 ip nat inside
 standby 10 priority 105
 standby 10 preempt
 standby 10 ip 192.168.5.30
 standby 10 name HSRP1
 standby 10 track GigabitEthernet0/0/0
!
ip default-gateway 10.0.18.126
! The redundancy keyword ties the static mapping to HSRP group HSRP1
ip nat inside source static 192.168.5.33 10.10.10.5 redundancy HSRP1
ip classless
ip route 10.10.10.0 255.255.255.0 GigabitEthernet0/0/0
ip route 172.22.33.0 255.255.255.0 GigabitEthernet0/0/0
no ip http server

Standby Router Configuration

interface GigabitEthernet 0/1/1
 ip address 192.168.5.56 255.255.255.0
 no ip redirects
 ip nat inside
 standby 10 priority 100
 standby 10 preempt
 standby 10 ip 192.168.5.30
 standby 10 name HSRP1
 standby 10 track GigabitEthernet0/0/1
!
ip default-gateway 10.0.18.126
! Same static mapping and redundancy group as on the active router
ip nat inside source static 192.168.5.33 10.10.10.5 redundancy HSRP1
ip classless
ip route 10.0.32.231 255.255.255.255 GigabitEthernet0/0/1
ip route 10.10.10.0 255.255.255.0 GigabitEthernet0/0/1
no ip http server
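
The two restrictions on static mapping with HSRP (mappings mirrored on every router, and each mapping tied by the redundancy keyword to the HSRP group name set on a NAT inside interface) can be checked offline against saved configurations before a failover exposes a mismatch. The following Python audit is an added example, not Cisco code; the parse and audit helpers and both sample configurations are constructed for illustration.

```python
import re

# Constructed configs (not from a real device). The standby deliberately maps
# .33 to a different global address and omits "redundancy" on the .34 mapping.
ACTIVE = """interface GigabitEthernet0/1/1
 ip nat inside
 standby 10 name HSRP1
!
ip nat inside source static 192.168.5.33 10.10.10.5 redundancy HSRP1
ip nat inside source static 192.168.5.34 10.10.10.6 redundancy HSRP1
"""
STANDBY = ACTIVE.replace("10.10.10.5", "10.10.10.7").replace(
    "10.10.10.6 redundancy HSRP1", "10.10.10.6")

NAT_RE = re.compile(r"ip nat inside source static (\S+) (\S+)(?: redundancy (\S+))?$")
NAME_RE = re.compile(r"standby \d+ name (\S+)$")

def parse(config):
    """Return ({(local, global): group or None}, HSRP names on NAT inside interfaces)."""
    maps, ifaces, cur = {}, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            ifaces.append(cur := {"inside": False, "names": set()})
        elif line == "!":
            cur = None
        elif m := NAT_RE.match(line):
            maps[(m.group(1), m.group(2))] = m.group(3)
        elif cur is not None and line == "ip nat inside":
            cur["inside"] = True
        elif cur is not None and (m := NAME_RE.match(line)):
            cur["names"].add(m.group(1))
    return maps, set().union(*(i["names"] for i in ifaces if i["inside"]))

def audit(active, standby):
    """List violations of the mirroring and redundancy-group restrictions."""
    sides, findings = {"active": parse(active), "standby": parse(standby)}, []
    for side, (maps, groups) in sides.items():
        for (local, glob), grp in sorted(maps.items()):
            if grp not in groups:  # None (keyword missing) or a name no NAT inside interface carries
                why = "lacks the redundancy keyword" if grp is None else f"names unknown group {grp}"
                findings.append(f"{side}: {local} -> {glob} {why}")
    a_maps, s_maps = sides["active"][0], sides["standby"][0]
    for local, glob in sorted(set(a_maps) ^ set(s_maps)):
        side = "active" if (local, glob) in a_maps else "standby"
        findings.append(f"{local} -> {glob} exists only on {side}: not mirrored")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ACTIVE, STANDBY)))
```

An empty result means both routers carry the same static mappings and every mapping references an HSRP group name present on a NAT inside interface.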

Additional References

The following sections provide references related to NAT for high availability.

Related Documents

  • High Availability on the Cisco ASR 1000 Series Aggregation Services Routers: "High Availability Overview" chapter in the Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide
  • Cisco IOS XE ISSU NAT: "Cisco IOS XE In Service Software Upgrade Process" module
  • NAT configuration tasks: "Configuring NAT for IP Address Conservation" module
  • NAT commands (complete command syntax, command mode, command history, usage guidelines, and examples): Cisco IOS IP Addressing Services Command Reference
  • IP addressing configuration tasks and concepts: Cisco IOS XE IP Addressing Services Configuration Guide

Standards

None

MIBs

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

  • RFC 826: Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware
  • RFC 903: Reverse Address Resolution Protocol
  • RFC 1027: Using ARP to implement transparent subnet gateways

Technical Assistance

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Feature Information for Configuring NAT for High Availability

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 1 Feature Information for Configuring NAT for High Availability

Feature Name: NAT--Static Mapping Support with HSRP for High Availability
Releases: Cisco IOS XE Release 2.1
Feature Configuration Information: Static mapping support for HSRP allows the option of having only the HSRP active router respond to an incoming ARP for a router configured with a NAT address.


© 2012 Cisco Systems, Inc. All rights reserved.