NAT Stateful Failover

When the word "stateful" is mentioned in the networking world, it usually means that the router or a firewall keeps records of the sessions created. Stateful failover means that whatever sessions that have been recorded in one device the other backup device has a knowledge of it and can act as a backup without those sessions torn down in case the main device fails. It will function as the same as the primary one. NAT has also the failover functionality. This lab will focus on configuring Dynamic NAT failover.




R3 and R4 are NAT routers. R3 is the primary and R4 is the back up NAT router. These must be configured so that 
R4 will provide stateful failover. Subnets in R1 1.1.1.1/32 - 1.1.1.5/32 should be translated to
123.123.123.1 - .5 /24. The host side ip address must match e.g. 1.1.1.1/32 = 123.123.123.1/32.

These have been preconfigured:
1. OSPF on all routers.
2. Default route and floating static default route in R5.(for 123.123.123.0/24 reachability)
3. Ip OSPF cost in the links from R2 to R3 and R3 to R5 to disable equal cost path load balancing.


1. First let's configure which is the inside and outside part in the NAT configuration.


R3(config)#int se0/2
R3(config-if)#description connected to R2
R3(config-if)#ip nat inside
R3(config-if)#int se0/3
R3(config-if)#description connected to R5
R3(config-if)#ip nat outside

R4(config)#int se0/2
R4(config-if)#description connected to R2
R4(config-if)#ip nat inside
R4(config-if)#int se0/0
R4(config-if)#description connected to R5
R4(config-if)#ip nat outside

2. Configure an access-list list that will match the IP addresses of Loopback0 in R1 and configure a NAT pool where we will get the translations.


Note: The "match-host" keyword makes it possible for exact host to host translation 1.1.1.1/32 = 123.123.123.1/32, .5 = .5 the
last octet in the ip address will be the same value. It will match the host portion of the IP address.

R3(config)#access-list 1 permit 1.1.1.0 0.0.0.255
R3(config)#ip nat pool LOOPBACK 123.123.123.1 123.123.123.5 prefix-length 24 type match-host

R4(config)#access-list 1 permit 1.1.1.0 0.0.0.255
R4(config)#ip nat pool LOOPBACK 123.123.123.1 123.123.123.5 prefix-length 24 type match-host

3. Configure a NAT stateful ID. This is what makes the stateful failover possible. This configuration will determine which is the primary NAT router and the backup.


R3(config)#ip nat stateful id 1 ----------> This is locally significant.
R3(config-ipnat-snat)#primary 23.23.23.3
R3(config-ipnat-snat-pri)#peer 24.24.24.4
R3(config-ipnat-snat-pri)#mapping-id 1 ---------> This should match on the routers.
R3(config-ipnat-snat-pri)#exit


R4(config)#ip nat stateful id 1 ----------> This is locally significant.
R4(config-ipnat-snat)#backup 24.24.24.4
R4(config-ipnat-snat-pri)#peer 23.23.23.3
R4(config-ipnat-snat-pri)#mapping-id 1 ---------> This should match on the routers.
R4(config-ipnat-snat-pri)#exit

The "peer" keyword here will do that trick on making the 2 routers related. The ip addresses configured on the "primary" and "backup" parameters should be one of the IP addresses in the router which is configured with the "ip nat inside" command. Otherwise, you will get an error message that its not a match.If 2 backups are configured and they are peer with each other, they won't establish a relationship. A router can be configured as a primary for one mapping-id and back up for another.

After configuring these commands, let's see the logs created by the routers.



R3#

*Mar 1 01:36:33.783: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:36:45.871: SNAT (Receive): CONVERGENCE Message for Router-Id: 1 from Peer Router-Id: 1's entries
*Mar 1 01:36:45.871: %SNAT-5-PROCESS: Id 1, System fully converged

R4#
*Mar 1 01:34:11.803: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:34:11.811: %SNAT-5-PROCESS: Id 1, System fully converged
*Mar 1 01:34:48.767: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:34:50.791: SNAT (Receive): CONVERGENCE Message for Router-Id: 1 from Peer Router-Id: 1's entries
*Mar 1 01:34:50.795: %SNAT-5-PROCESS: Id 1, System fully converged

Let's do a show command that will check the status of the Stateful Failover NAT.


R3#show ip snat distributed

Stateful NAT Connected Peers

SNAT: Mode PRIMARY
: State READY
: Local Address 23.23.23.3
: Local NAT id 1
: Peer Address 24.24.24.4
: Peer NAT id 1
: Mapping List 1

R4#show ip snat distributed

Stateful NAT Connected Peers

SNAT: Mode BACKUP
: State READY
: Local Address 24.24.24.4
: Local NAT id 1
: Peer Address 23.23.23.3
: Peer NAT id 1
: Mapping List 1

4. Configure the IP NAT translation statement mapping access-list 1 and the NAT pool created.


R3(config)#ip nat inside source list 1 pool LOOPBACK mapping-id 1


R4(config)#ip nat inside source list 1 pool LOOPBACK mapping-id 1

5. Now let's test NATing by pingin 5.5.5.5 sourcing from the IP's on Loopback0 on R1. (Will not be shown) We can do "debug ip nat" on R3 and R4, but will only see output in R3 since the traffic passes there. For the sake of a shorter post I will not display the output.

6. Let's check the translation on R3, our main NAT router and afterwards check if R4 is getting the information from the NATing table.


R3#sh ip nat tran
Pro Inside global Inside local Outside local Outside global
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20
--- 123.123.123.1 1.1.1.1 --- ---
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
--- 123.123.123.2 1.1.1.2 --- ---
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
--- 123.123.123.3 1.1.1.3 --- ---
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
--- 123.123.123.4 1.1.1.4 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
--- 123.123.123.5 1.1.1.5 --- ---

R4#sh ip nat tran
Pro Inside global Inside local Outside local Outside global
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20
--- 123.123.123.1 1.1.1.1 --- ---
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
--- 123.123.123.2 1.1.1.2 --- ---
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
--- 123.123.123.3 1.1.1.3 --- ---
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
--- 123.123.123.4 1.1.1.4 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
--- 123.123.123.5 1.1.1.5 --- ---

Though the traffic did not pass through R4, it knows the translation. Notice that the host part of the original ip address and the translated ip address is the same. This is the result of the "match=host" keyword.
Let's see if the failover information by R3 is passed to R4 by a show command.


R4#sh ip snat peer 23.23.23.3

Show NAT Entries created by peer: 23.23.23.3

Pro Inside global Inside local Outside local Outside global
--- 123.123.123.1 1.1.1.1 --- ---
--- 123.123.123.2 1.1.1.2 --- ---
--- 123.123.123.3 1.1.1.3 --- ---
--- 123.123.123.4 1.1.1.4 --- ---
--- 123.123.123.5 1.1.1.5 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20

In the even that R3 and the traffic goes to R4, the sessions need not to be restarted as there are already existing translations on R4 which have been passed by R3. Let's shut down the interface in R3 and lets show how R4 reacts.


R4#
*Mar 1 02:11:15.819: %SNAT-5-ALERT: BACKUP staging recovery, replacing Primary
*Mar 1 02:11:15.819: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 02:11:15.827: %SNAT-5-PROCESS: Id 1, System fully converged

It places itself as the primary NAT router but the translations that its learned from R3 will continue to be in place. Once R3 goes back up, it will put itself again the backup NAT router.

Comments

2 Responses to "NAT Stateful Failover"

skeenster said... September 17, 2011 at 3:17 PM

Nice doc thanks. I however have one question. All cisco documentation advises that the stateful nat id should be unique between both routers and this is also shown in their config examples.

When I look at your example above the same snat id is in use. I have configured both methods and they seem to both work. You mention that the snat id is only locally significant however the cisco docs I have read seem to suggest that each router requires a unique id..

Thanks

Anonymous said... October 9, 2011 at 6:27 PM

any dynamic nat stateful failover examples?

Post a Comment

Certifications

Certifications

The Dreamer

A fun loving person who enjoys learning new things. Currently working as a Network Engineer supporting the global network of a Fortune 500 company. This blog serves as my notes for the labs I created for my CCIE journey. I can guarantee there are errors in my posts. If you spot them, please let me know.

Join my Facebook Page I WANT TO BE A CCIE

Donate to the Cause

My aim is to create materials for free and possibly a free lab. If you wish to help out, please send any amount. Thanks.

Join my Bandwagon

Blogs that I Read