Finding Feature Information
Restrictions for Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
Information About Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
How to Configure Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
Configuration Examples for Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
Additional References
Feature Information for Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Last Updated: November 29, 2012

The Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT feature supports the forwarding of packets from a standby redundancy group to the active redundancy group for packet handling. If this feature is not enabled, the return TCP packets forwarded to the router that did not receive the initial synchronization (SYN) message are dropped because they do not belong to any known existing session.

This module provides an overview of asymmetric routing and describes how to configure asymmetric routing

Finding Feature Information
Restrictions for Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
Information About Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
How to Configure Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
Configuration Examples for Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
Additional References
Feature Information for Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Asymmetric routing over Multiprotocol Label Switching (MPLS) and VPN is not supported.
LANs that use virtual IP addresses and virtual MAC (VMAC) addresses do not support asymmetric routing.
VPN routing and forwarding (VRF) is not supported.

Information About Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Asymmetric Routing Overview
Asymmetric Routing Support in Firewalls
Asymmetric Routing in NAT
Asymmetric Routing in a WAN-LAN Topology

Asymmetric Routing Overview

Asymmetric routing occurs when packets from TCP or UDP connections flow in different directions through different routes. In asymmetric routing, packets that belong to a single TCP or UDP connection are forwarded through one interface in a redundancy group (RG), but returned through another interface in the same RG. In asymmetric routing, the packet flow remains in the same RG. When you configure asymmetric routing, packets received on the standby RG are redirected to the active RG for processing. If asymmetric routing is not configured, the packets received on the standby RG may be dropped.

Asymmetric routing determines the RG for a particular traffic flow. The state of the RG is critical in determining the handling of packets. If an RG is active, normal packet processing is performed. In case the RG is in a standby state and you have configured asymmetric routing and the asymmetric-routing always-divert enable command, packets are diverted to the active RG. Use the asymmetric-routing always-divert enable command to always divert packets received from the standby RG to the active RG.

The figure below shows an asymmetric routing scenario with a separate asymmetric-routing interlink interface to divert packets to the active RG.

Figure 1

Asymmetric Routing Scenario

The following rules apply to asymmetric routing:

1:1 mapping exists between the redundancy interface identifier (RII) and the interface.
1:n mapping exists between the interface and an RG. (An interface can have multiple RGs.)
1:n mapping exists between an RG and applications that use it. (Multiple applications can use the same RG).
1:1 mapping exists between an RG and the traffic flow. The traffic flow must map only to a single RG. If a traffic flow maps to multiple RGs, an error occurs.
1:1 or 1:n mapping can exist between an RG and an asymmetric-routing interlink as long as the interlink has sufficient bandwidth to support all the RG interlink traffic.

Asymmetric routing consists of an interlink interface that handles all traffic that is to be diverted. The bandwidth of the asymmetric-routing interlink interface must be large enough to handle all expected traffic that is to be diverted. An IPv4 address must be configured on the asymmetric-routing interlink interface, and the IP address of the asymmetric routing interface must be reachable from this interface.

Note

We recommend that the asymmetric-routing interlink interface be used for interlink traffic only and not be shared with high availability (HA) control or data interfaces because the amount of traffic on the asymmetric-routing interlink interface could be quite high.

Asymmetric Routing Support in Firewalls

For intrabox asymmetric routing support, the firewall does a stateful Layer 3 and Layer 4 inspection of Internet Control Message Protocol (ICMP), TCP, and UDP packets. The firewall does a stateful inspection of TCP packets by verifying the window size and order of packets. The firewall also requires the state information from both directions of the traffic for stateful inspection. The firewall does a limited inspection of ICMP information flows. It verifies the sequence number associated with the ICMP echo request and response. The firewall does not synchronize any packet flows to the standby redundancy group (RG) until a session is established for that packet. An established session is a three-way handshake for TCP, the second packet for UDP, and informational messages for ICMP. All ICMP flows are sent to the active RG.

The firewall does a stateless verification of policies for packets that do not belong to the ICMP, TCP, and UDP protocols.

The firewall depends on bidirectional traffic to determine when a packet flow should be aged out and diverts all inspected packet flows to the active RG. Packet flows that have a pass policy and that include the same zone with no policy or a drop policy are not diverted.

Note

The firewall does not support the asymmetric-routing always-divert enable command that diverts packets received on the standby RG to the active RG. By default, the firewall forces all packet flows to be diverted to the active RG.

Asymmetric Routing in NAT

By default, when asymmetric routing is configured, Network Address Translation (NAT) processes non-ALG packets on the standby RG, instead of forwarding them to the active. The NAT-only configuration (that is when the firewall is not configured) can use both the active and standby RGs for processing packets. If you have a NAT-only configuration and you have configured asymmetric routing, the default asymmetric routing rule is that NAT will selectively process packets on the standby RG. You can configure the asymmetric-routing always-divert enable command to divert packets received on the standby RG to the active RG. Alternatively, if you have configured the firewall along with NAT, the default asymmetric routing rule is to always divert the packets to the active RG.

When NAT receives a packet on the standby RG and if you have not configured the diverting of packets, NAT does a lookup to see if a session exists for that packet. If a session exists and there is no ALG associated for that session, NAT processes the packet on the standby RG. The processing of packets on the standby RG when a session exists significantly increases the bandwidth of the NAT traffic.

ALGs are used by NAT to identify and translate payload and to create child flows. ALGs require a two-way traffic to function correctly. NAT must divert all traffic to the active RG for any packet flow that is associated with an ALG. This is accomplished by checking if ALG data that is associated with the session is found on the standby RG. If ALG data exits, the packet is diverted for asymmetric routing.

Asymmetric Routing in a WAN-LAN Topology

Asymmetric routing supports only a WAN-LAN topology. In a WAN-LAN topology, devices are connected through LAN interfaces on the inside and WAN interfaces on the outside. There is no control on the routing of return traffic received through WAN links. Asymmetric routing controls the routing of return traffic received through WAN links in a WAN-LAN topology. The figure below shows a WAN-LAN topology.

Figure 2

Asymmetric Routing in a WAN-LAN Topology

How to Configure Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Configuring a Redundancy Application Group and a Redundancy Group Protocol
Configuring Data, Control, and Asymmetric Routing Interfaces
Configuring a Redundant Interface Identifier and Asymmetric Routing on an Interface
Configuring Dynamic Inside Source Translation with Asymmetric Routing

Configuring a Redundancy Application Group and a Redundancy Group Protocol

Redundancy groups consist of the following configuration elements:

The amount by which the priority will be decremented for each object.
Faults (objects) that decrement the priority
Failover priority
Failover threshold
Group instance
Group name
Initialization delay timer

SUMMARY STEPS

1. enable

2. configure terminal

3. redundancy

4. application redundancy

5. group id

6. name group-name

7. priority value [failover threshold value]

8. preempt

9. track object-number decrement number

10. exit

11. protocol id

12. timers hellotime {seconds | msec msec} holdtime {seconds | msec msec}

13. authentication {text string | md5 key-string [0 | 7] key [timeout seconds] | key-chain key-chain-name}

14. bfd

15. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Device> enable	Enables privileged EXEC mode. Enter your password if prompted
Step 2	configure terminal Example: Device# configure terminal	Enters global configuration mode.
Step 3	redundancy Example: Device(config)# redundancy	Enters redundancy configuration mode.
Step 4	application redundancy Example: Device(config-red)# application redundancy	Configures application redundancy and enters redundancy application configuration mode.
Step 5	group id Example: Device(config-red-app)# group 1	Configures a redundancy group and enters redundancy application group configuration mode.
Step 6	name group-name Example: Device(config-red-app-grp)# name group1	Specifies an optional alias for the protocol instance.
Step 7	priority value [failover threshold value] Example: Device(config-red-app-grp)# priority 100 failover threshold 50	Specifies the initial priority and failover threshold for a redundancy group.
Step 8	preempt Example: Device(config-red-app-grp)# preempt	Enables preemption on the redundancy group and enables the standby device to preempt the active device. The standby device preempts only when its priority is higher than that of the active device.
Step 9	track object-number decrement number Example: Device(config-red-app-grp)# track 50 decrement 50	Specifies the priority value of a redundancy group that will be decremented if an event occurs on the tracked object.
Step 10	exit Example: Device(config-red-app-grp)# exit	Exits redundancy application group configuration mode and enters redundancy application configuration mode.
Step 11	protocol id Example: Device(config-red-app)# protocol 1	Specifies the protocol instance that will be attached to a control interface and enters redundancy application protocol configuration mode.
Step 12	timers hellotime {seconds \| msec msec} holdtime {seconds \| msec msec} Example: Device(config-red-app-prtcl)# timers hellotime 3 holdtime 10	Specifies the interval between hello messages sent and the time period before which a device is declared to be down. Holdtime should be at least three times the hellotime.
Step 13	authentication {text string \| md5 key-string [0 \| 7] key [timeout seconds] \| key-chain key-chain-name} Example: Device(config-red-app-prtcl)# authentication md5 key-string 0 n1 timeout 100	Specifies authentication information.
Step 14	bfd Example: Device(config-red-app-prtcl)# bfd	Enables the integration of the failover protocol running on the control interface with the Bidirectional Forwarding Detection (BFD) protocol to achieve failure detection in milliseconds. BFD is enabled by default.
Step 15	end Example: Device(config-red-app-prtcl)# end	Exits redundancy application protocol configuration mode and enters privileged EXEC mode.

Configuring Data, Control, and Asymmetric Routing Interfaces

In this task, you configure the following redundancy group (RG) elements:

The interface that is used as the control interface.
The interface that is used as the data interface.
The interface that is used for asymmetric routing.

Note

Asymmetric routing, data, and control must be configured on separate interfaces.

SUMMARY STEPS

1. enable

2. configure terminal

3. redundancy

4. application redundancy

5. group id

6. data interface-type interface-number

7. control interface-type interface-number protocol id

8. timers delay seconds [reload seconds]

9. asymmetric-routing interface type number

10. asymmetric-routing always-divert enable

11. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Device> enable	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Device# configure terminal	Enters global configuration mode.
Step 3	redundancy Example: Device(config)# redundancy	Enters redundancy configuration mode.
Step 4	application redundancy Example: Device(config-red)# application redundancy	Configures application redundancy and enters redundancy application configuration mode.
Step 5	group id Example: Device(config-red-app)# group 1	Configures a redundancy group (RG) and enters redundancy application group configuration mode.
Step 6	data interface-type interface-number Example: Device(config-red-app-grp)# data GigabitEthernet 0/0/0	Specifies the data interface that is used by the RG.
Step 7	control interface-type interface-number protocol id Example: Device(config-red-app-grp)# control GigabitEthernet 0/0/2 protocol 1	Specifies the control interface that is used by the RG. The control interface is also associated with an instance of the control interface protocol.
Step 8	timers delay seconds [reload seconds] Example: Device(config-red-app-grp)# timers delay 100 reload 400	Specifies the time required for an RG to delay role negotiations that start after a fault occurs or the system is reloaded.
Step 9	asymmetric-routing interface type number Example: Device(config-red-app-grp)# asymmetric-routing interface GigabitEthernet 0/1/1	Specifies the asymmetric routing interface that is used by the RG.
Step 10	asymmetric-routing always-divert enable Example: Device(config-red-app-grp)# asymmetric-routing always-divert enable	Always diverts packets received from the standby RG to the active RG.
Step 11	end Example: Device(config-red-app-grp)# end	Exits redundancy application group configuration mode and enters privileged EXEC mode.

Configuring a Redundant Interface Identifier and Asymmetric Routing on an Interface

Note

You must not configure a redundant interface identifier (RII) on an interface that is configured either as a data interface or as a control interface.
You must configure the RII and asymmetric routing on both active and standby devices.
You cannot enable asymmetric routing on the interface that has a virtual IP address configured.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. redundancy rii id

5. redundancy group id [decrement number]

6. redundancy asymmetric-routing enable

7. end

DETAILED STEPS

Command or Action

Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:

Device(config)# interface GigabitEthernet 0/1/3

Selects an interface to be associated with the redundancy group (RG) and enters interface configuration mode.

Step 4

redundancy rii id

Example:

Device(config-if)# redundancy rii 600

Configures the redundancy interface identifier (RII).

Step 5

redundancy group id [decrement number]

Example:

Device(config-if)# redundancy group 1 decrement 20

Enables the RG redundancy traffic interface configuration and specifies the amount to be decremented from the priority when the interface goes down.

Note

You need not configure an RG on the traffic interface on which asymmetric routing is enabled.

Step 6

redundancy asymmetric-routing enable

Example:

Device(config-if)# redundancy asymmetric-routing enable

Establishes an asymmetric flow diversion tunnel for each RG.

Step 7

end

Example:

Device(config-if)# end

Exits interface configuration mode and enters privileged EXEC mode.

Configuring Dynamic Inside Source Translation with Asymmetric Routing

The following configuration is a sample dynamic inside source translation with asymmetric routing. You can configure asymmetric routing with the following types of NAT configurations--dynamic outside source, static inside and outside source, and Port Address Translation (PAT) inside and outside source translations. For more information on different types of NAT configurations, see the "Configuring NAT for IP Address Conservation" chapter.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip address ip-address mask

5. ip nat outside

6. exit

7. redundancy

8. application redundancy

9. group id

10. asymmetric-routing always-divert enable

11. end

12. configure terminal

13. ip nat pool name start-ip end-ip {mask | prefix-length prefix-length}

14. exit

15. ip nat inside source list acl-number pool name redundancy redundancy-id mapping-id map-id

16. access-list standard-acl-number permit source-address wildcard-bits

17. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Device> enable	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Device# configure terminal	Enters global configuration mode.
Step 3	interface type number Example: Device(config)# interface gigabitethernet 0/1/3	Configures an interface and enters interface configuration mode.
Step 4	ip address ip-address mask Example: Device(config-if)# ip address 10.1.1.1 255.255.255.0	Sets a primary IP address for an interface.
Step 5	ip nat outside Example: Device(config-if)# ip nat outside	Marks the interface as connected to the outside.
Step 6	exit Example: Device(config-if)# exit	Exits interface configuration mode and enters global configuration mode.
Step 7	redundancy Example: Device(config)# redundancy	Configures redundancy and enters redundancy configuration mode.
Step 8	application redundancy Example: Device(config-red)# application redundancy	Configures application redundancy and enters redundancy application configuration mode.
Step 9	group id Example: Device(config-red-app)# group 1	Configures a redundancy group and enters redundancy application group configuration mode.
Step 10	asymmetric-routing always-divert enable Example: Device(config-red-app-grp)# asymmetric-routing always-divert enable	Diverts the traffic to the active device.
Step 11	end Example: Device(config-red-app-grp)# end	Exits redundancy application group configuration mode and enters privileged EXEC mode.
Step 12	configure terminal Example: Device# configure terminal	Enters global configuration mode.
Step 13	ip nat pool name start-ip end-ip {mask \| prefix-length prefix-length} Example: Device(config)# ip nat pool pool1 prefix-length 24	Defines a pool of global addresses. Enters IP NAT pool configuration mode.
Step 14	exit Example: Device(config-ipnat-pool)# exit	Exits IP NAT pool configuration mode and enters global configuration mode.
Step 15	ip nat inside source list acl-number pool name redundancy redundancy-id mapping-id map-id Example: Device(config)# ip nat inside source list pool pool1 redundancy 1 mapping-id 100	Enables NAT of the inside source address and associates NAT with a redundancy group by using the mapping ID.
Step 16	access-list standard-acl-number permit source-address wildcard-bits Example: Device(config)# access-list 10 permit 10.1.1.1 255.255.255.0	Defines a standard access list for the inside addresses that are to be translated.
Step 17	end Example: Device(config)# end	Exits global configuration mode and enters privileged EXEC mode.

Configuration Examples for Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Example: Configuring a Redundancy Application Group and a Redundancy Group Protocol
Example: Configuring Data, Control, and Asymmetric Routing Interfaces
Example: Configuring a Redundant Interface Identifier and Asymmetric Routing on an Interface
Example: Configuring Dynamic Inside Source Translation with Asymmetric Routing

Example: Configuring a Redundancy Application Group and a Redundancy Group Protocol

Device# configure terminal	
Device(config)# redundancy
Device(config-red)# application redundancy
Device(config-red-app)# group 1
Device(config-red-app-grp)# name group1
Device(config-red-app-grp)# priority 100 failover threshold 50
Device(config-red-app-grp)# preempt
Device(config-red-app-grp)# track 50 decrement 50
Device(config-red-app-grp)# exit
Device(config-red-app)# protocol 1
Device(config-red-app-prtcl)# timers hellotime 3 holdtime 10
Device(config-red-app-prtcl)# authentication md5 key-string 0 n1 timeout 100
Device(config-red-app-prtcl)# bfd
Device(config-red-app-prtcl)# end

Example: Configuring Data, Control, and Asymmetric Routing Interfaces

Device# configure terminal
Device(config)# redundancy 
Device(config-red)# application redundancy
Device(config-red-app)# group 1
Device(config-red-app-grp)# data GigabitEthernet 0/0/0
Device(config-red-app-grp)# control GigabitEthernet 0/0/2 protocol 1
Device(config-red-app-grp)# timers delay 100 reload 400 
Device(config-red-app-grp)# asymmetric-routing interface GigabitEthernet 0/1/1 
Device(config-red-app-grp)# asymmetric-routing always-divert enable
Device(config-red-app-grp)# end

Example: Configuring a Redundant Interface Identifier and Asymmetric Routing on an Interface

Device# configure terminal
Device(config)# interface GigabitEthernet 0/1/3
Device(config-if)# redundancy rii 600
Device(config-if)# redundancy group 1 decrement 20
Device(config-if)# redundancy asymmetric-routing enable 
Device(config-if)# end

Example: Configuring Dynamic Inside Source Translation with Asymmetric Routing

Device(config)# interface gigabitethernet 0/1/3
Device(config-if)# ip address 10.1.1.1 255.255.255.0
Device(config-if)# ip nat outside
Device(config-if)# exit
Device(config)# redundancy
Device(config-red)# application redundancy
Device(config-red-app)# group 1
Device(config-red-app-grp)# asymmetric-routing always-divert enable
Device(config-red-app-grp)# end
Device# configure terminal
Device(config)# ip nat pool pool1 prefix-length 24
Device(config-ipnat-pool)# exit
Device(config)# ip nat inside source list pool pool1 redundancy 1 mapping-id 100
Device(config)# access-list 10 permit 10.1.1.1 255.255.255.0

Additional References

Related Topic	Document Title
Cisco IOS commands	Cisco IOS Master Commands List, All Releases
Security commands	Cisco IOS Security Command Reference Commands A to C Cisco IOS Security Command Reference Commands D to L Cisco IOS Security Command Reference Commands M to R Cisco IOS Security Command Reference Commands S to Z
Firewall inter-chassis redundancy	"Configuring Firewall Stateful Inter-Chassis Redundancy" module
NAT inter-chassis redundancy	"Configuring Stateful Inter-Chassis Redundancy" module

Standards and RFCs

Standard/RFC	Title
No new or modified standards or RFCs are supported by this feature, and support for existing standards or RFCs has not been modified by this feature.	--

MIBs

MIB	MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.	To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

MIB

MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description	Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.	http://www.cisco.com/cisco/web/support/index.html

Feature Information for Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1

Feature Information for Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Feature Name	Releases	Feature Information
Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT	Cisco IOS XE Release 3.5S	The Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT feature supports the forwarding of packets from a standby redundancy group to the active redundancy group for packet handling. The following commands were introduced or modified: asymmetric-routing, redundancy asymmetric-routing enable.

Feature Name

Releases

Feature Information

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Cisco IOS XE Release 3.5S

The following commands were introduced or modified: asymmetric-routing, redundancy asymmetric-routing enable.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

IP Addressing: NAT Configuration Guide, Cisco IOS XE Release 2

Bias-Free Language

Book Title

IP Addressing: NAT Configuration Guide, Cisco IOS XE Release 2

Chapter Title