In this article, I add Stateful NAT to my previous MHSRP configuration. When I have two or more routers in a subnet, I can configure them for Hot Standby Router Protocol (HSRP) to achieve router redundancy, or next-hop redundancy.

If I add NAT to one of the routers, I will need to enable NAT on all the other routers as well. The problem is that when the active router fails, the other router takes over but has no information about the translations that existed on the previously active router, so established sessions break. There should be some way to synchronize the NAT translation table between the routers, and this is what stateful NAT is about.

You can download the topology for GNS3 v1 and the config files here. In this topology both routers connect to the internet, but these connections can be configured to any subnet.

The initial configuration for R1 and R2 are as follows:

R1#sh run int f0/0
Building configuration...

Current configuration : 211 bytes
!
interface FastEthernet0/0
 ip address 10.10.12.1 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 10.10.12.201
 standby 1 priority 150
 standby 1 preempt
 standby 2 ip 10.10.12.202
 standby 2 preempt
end

R2#sh run int f0/0
Building configuration...

Current configuration : 211 bytes
!
interface FastEthernet0/0
 ip address 10.10.12.2 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 10.10.12.201
 standby 1 preempt
 standby 2 ip 10.10.12.202
 standby 2 priority 150
 standby 2 preempt
end

First, I need to assign a name to each HSRP group. Here I call it STETFUL_MHSRP_1 for group 1 and STETFUL_MHSRP_2 for group 2.

R1(config)#int f0/0
R1(config-if)#standby 1 name STETFUL_MHSRP_1
R1(config-if)#standby 2 name STETFUL_MHSRP_2

R2(config)#int f0/0
R2(config-if)#standby 1 name STETFUL_MHSRP_1
R2(config-if)#standby 2 name STETFUL_MHSRP_2

This name is important because I will use it in the Stateful NAT configuration. For Stateful NAT, the command I need is ip nat stateful, which requires an ID; the redundancy keyword then ties it to the HSRP group name.

R1(config)#ip nat stateful id 1
R1(config-ipnat-snat)#redundancy STETFUL_MHSRP_1
R1(config-ipnat-snat-red)#mapping-id 1

R2(config)#ip nat stateful id 1
R2(config-ipnat-snat)#redundancy STETFUL_MHSRP_1
R2(config-ipnat-snat-red)#mapping-id 1

Some platforms support more than one redundancy group, but in my topology both the 3725 and the 7200 give me this error:

R1(config-ipnat-snat-red)#redundancy STETFUL_MHSRP_2
%Multi-redundancy entry not supported

So I am stuck with only one, but you get the idea. If I could configure the second redundancy group, I would assign it the same mapping-id.

Next I configure NAT with this mapping-id. You can use a pool, or have the router use the interface IP address for NAT:

R1(config)#ip nat pool NAT_POOL 121.1.1.11 121.1.1.21 netmask 255.255.255.0
R1(config)#ip nat inside source list 10 pool NAT_POOL mapping-id 1
R1(config)#access-list 10 permit any
R1(config-if)#int f0/0
R1(config-if)#ip nat inside
R1(config-if)#int s0/0
R1(config-if)#ip nat outside

R2(config)#ip nat pool NAT_POOL 121.1.1.11 121.1.1.21 netmask 255.255.255.0
R2(config)#ip nat inside source list 10 pool NAT_POOL mapping-id 1
R2(config)#access-list 10 permit any
R2(config-if)#int f0/0
R2(config-if)#ip nat inside
R2(config-if)#int s0/1
R2(config-if)#ip nat outside

For verification, I first check the HSRP status:

R1#sh standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:05:13
  Virtual IP address is 10.10.12.201
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.064 secs
  Preemption enabled
  Active router is local
  Standby router is 10.10.12.2, priority 100 (expires in 6.840 sec)
  Priority 150 (configured 150)
  Group name is "STETFUL_MHSRP_1" (cfgd)
FastEthernet0/0 - Group 2
  State is Standby
    4 state changes, last state change 00:01:53
  Virtual IP address is 10.10.12.202
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.800 secs
  Preemption enabled
  Active router is 10.10.12.2, priority 150 (expires in 6.792 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "STETFUL_MHSRP_2" (cfgd)

R1 is active for group 1. Now I check stateful NAT for my peer (here R2 is configured as our NAT peer):

R1#sh ip snat distributed verbose
Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY
    :: ACTIVE
    : State READY
    : Local Address 10.10.12.1
    : Local NAT id 1
    : Peer Address 10.10.12.2
    : Peer NAT id 1
    : Mapping List 1
    : InMsgs 13, OutMsgs 0, tcb 0x65E46160, listener 0x0
R1#
R1#sh ip snat peer 10.10.12.2
Show NAT Entries created by peer: 10.10.12.2
Pro Inside global      Inside local       Outside local         Outside global

We have a peer in state READY, but no translations yet. I issue a ping from a PC and check the translation table again.

PC1> ping 100.100.100.100 -count 100
84 bytes from 100.100.100.100 icmp_seq=2 ttl=254 time=171.653 ms
<snip>

R1#sh ip snat peer 10.10.12.2
Show NAT Entries created by peer: 10.10.12.2
Pro Inside global      Inside local       Outside local         Outside global
udp 121.1.1.13:49154   122.2.2.2:49154    100.100.100.100:33434 100.100.100.100:33434
udp 121.1.1.13:49155   122.2.2.2:49155    100.100.100.100:33435 100.100.100.100:33435
udp 121.1.1.13:49156   122.2.2.2:49156    100.100.100.100:33436 100.100.100.100:33436
udp 121.1.1.13:49157   122.2.2.2:49157    100.100.100.100:33437 100.100.100.100:33437
udp 121.1.1.13:49158   122.2.2.2:49158    100.100.100.100:33438 100.100.100.100:33438
udp 121.1.1.13:49159   122.2.2.2:49159    100.100.100.100:33439 100.100.100.100:33439
udp 121.1.1.13:49160   122.2.2.2:49160    100.100.100.100:33440 100.100.100.100:33440
udp 121.1.1.13:49161   122.2.2.2:49161    100.100.100.100:33441 100.100.100.100:33441

R1# sh ip nat trans
Pro Inside global      Inside local       Outside local         Outside global
udp 121.1.1.13:49154   122.2.2.2:49154    100.100.100.100:33434 100.100.100.100:33434
udp 121.1.1.13:49155   122.2.2.2:49155    100.100.100.100:33435 100.100.100.100:33435
udp 121.1.1.13:49156   122.2.2.2:49156    100.100.100.100:33436 100.100.100.100:33436
udp 121.1.1.13:49157   122.2.2.2:49157    100.100.100.100:33437 100.100.100.100:33437
udp 121.1.1.13:49158   122.2.2.2:49158    100.100.100.100:33438 100.100.100.100:33438
udp 121.1.1.13:49159   122.2.2.2:49159    100.100.100.100:33439 100.100.100.100:33439
udp 121.1.1.13:49160   122.2.2.2:49160    100.100.100.100:33440 100.100.100.100:33440
udp 121.1.1.13:49161   122.2.2.2:49161    100.100.100.100:33441 100.100.100.100:33441

And on R2, the standby router, I see the same translation table, which is what will let sessions survive a failover:

R2#sh ip snat peer 10.10.12.1
Show NAT Entries created by peer: 10.10.12.1
Pro Inside global      Inside local       Outside local         Outside global
udp 121.1.1.13:49154   122.2.2.2:49154    100.100.100.100:33434 100.100.100.100:33434
udp 121.1.1.13:49155   122.2.2.2:49155    100.100.100.100:33435 100.100.100.100:33435
udp 121.1.1.13:49156   122.2.2.2:49156    100.100.100.100:33436 100.100.100.100:33436
udp 121.1.1.13:49157   122.2.2.2:49157    100.100.100.100:33437 100.100.100.100:33437
udp 121.1.1.13:49158   122.2.2.2:49158    100.100.100.100:33438 100.100.100.100:33438
udp 121.1.1.13:49159   122.2.2.2:49159    100.100.100.100:33439 100.100.100.100:33439
udp 121.1.1.13:49160   122.2.2.2:49160    100.100.100.100:33440 100.100.100.100:33440
udp 121.1.1.13:49161   122.2.2.2:49161    100.100.100.100:33441 100.100.100.100:33441
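Comparing the two tables by eye works for eight entries but not for a production box. As an added example (my own code, not part of the original article or any Cisco tool), here is a small Python check that parses this kind of show output, confirms the SNAT peer is in state READY, and diffs the active router's translation table against the peer's view so that any entry that would be lost on failover stands out. The sample output is constructed to resemble the tables above.

```python
"""Check stateful NAT sync between the active router and its SNAT peer.
Constructed samples modelled on the article's show output; a hypothetical
automation check, not a Cisco tool."""
import re
from typing import NamedTuple

class Translation(NamedTuple):
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str

# A table row: protocol followed by the four address:port columns.
ROW = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
PEER_STATE = re.compile(r":\s*State\s+(\S+)")

def parse_translations(text: str) -> set[Translation]:
    """Rows from 'show ip nat trans' or 'show ip snat peer'; prompts and headers are skipped."""
    rows = set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.add(Translation(*m.groups()))
    return rows

def peer_ready(snat_text: str) -> bool:
    """True when 'show ip snat distributed verbose' reports the peer session in state READY."""
    m = PEER_STATE.search(snat_text)
    return bool(m) and m.group(1) == "READY"

def unsynced(active: str, standby: str) -> dict[str, set[Translation]]:
    """'missing_on_standby' are the sessions that would break on failover."""
    a, s = parse_translations(active), parse_translations(standby)
    return {"missing_on_standby": a - s, "stale_on_standby": s - a}

# Constructed samples: R1 holds three translations, R2's peer view has only two.
R1_SNAT = "SNAT: Mode IP-REDUNDANCY\n    :: ACTIVE\n    : State READY\n    : Peer Address 10.10.12.2\n"
R1_TRANS = """R1# sh ip nat trans
Pro Inside global      Inside local       Outside local         Outside global
udp 121.1.1.13:49154   122.2.2.2:49154    100.100.100.100:33434 100.100.100.100:33434
udp 121.1.1.13:49155   122.2.2.2:49155    100.100.100.100:33435 100.100.100.100:33435
udp 121.1.1.13:49156   122.2.2.2:49156    100.100.100.100:33436 100.100.100.100:33436
"""
R2_PEER = """Show NAT Entries created by peer: 10.10.12.1
udp 121.1.1.13:49154   122.2.2.2:49154    100.100.100.100:33434 100.100.100.100:33434
udp 121.1.1.13:49155   122.2.2.2:49155    100.100.100.100:33435 100.100.100.100:33435
"""
```

Run against the real output of both routers, a non-empty missing_on_standby set (or a peer state other than READY) is the signal that the failover would not be transparent.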