IP NAT Stateful Failover With HSRP

Stateful IP NAT (SNAT) synchronizes the NAT translation tables between two routers, so that an established translation survives a failover from one router to the other.


  • Inside Local = private IP of a host on the local network
  • Inside Global = public IP used for the NAT translation
  • Outside Local = private IP of the destination
  • Outside Global = public IP of the destination

IP NAT

Hosts BB1 and BB2 have their default route pointing to 10.10.0.254. They must use the pool 213.36.21.10 to 213.36.21.13 to reach the Internet.

Routers R4 and R5 share the virtual IP 10.10.0.254 through HSRP.

HSRP configuration

R4(config)#int fa0/0
R4(config-if)#standby 1 ip 10.10.0.254
R4(config-if)#standby 1 priority 120
R4(config-if)#standby 1 preempt
R4(config-if)#standby 1 name HSRP-1
R4(config-if)#standby 1 track fastEthernet 0/1 50

R5(config)#int fa0/0
R5(config-if)#standby 1 ip 10.10.0.254
R5(config-if)#standby 1 priority 110
R5(config-if)#standby 1 preempt
R5(config-if)#standby 1 name HSRP-1
R5(config-if)#standby 1 track fastEthernet 0/1 50

Verification:

R4#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       1   120  P Active   local           10.10.0.5       10.10.0.254
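The election the output above reflects (R4 Active with priority 120, R5 Standby with 110, both preempting and both tracking fa0/1 with a decrement of 50) can be walked through step by step. The following is an added example, not code from the original post: it models HSRP's active election as a small Python function and assumes the usual rules (highest effective priority wins, ties go to the higher interface IP, a tracked interface that is down subtracts the configured decrement, and a router only takes the role away from a healthy active peer when it has preempt configured and a strictly higher priority). The `HsrpRouter` class and `elect_active` function are this example's own names.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple
import ipaddress


@dataclass
class HsrpRouter:
    name: str
    ip: str                       # real interface address, used as the tie-breaker
    priority: int
    preempt: bool = False
    tracked_if: Optional[str] = None
    decrement: int = 10           # IOS default decrement when none is configured


def effective_priority(r: HsrpRouter, down_links: Set[Tuple[str, str]]) -> int:
    """Priority after tracking: the decrement applies while the tracked interface is down."""
    if r.tracked_if is not None and (r.name, r.tracked_if) in down_links:
        return r.priority - r.decrement
    return r.priority


def elect_active(routers, down_links, dead_routers, current_active=None):
    """Return the name of the router holding the Active role after this event."""
    alive = [r for r in routers if r.name not in dead_routers]
    rank = lambda r: (effective_priority(r, down_links), int(ipaddress.ip_address(r.ip)))
    holder = next((r for r in alive if r.name == current_active), None)
    if holder is None:
        return max(alive, key=rank).name      # no active router left: fresh election
    challengers = [r for r in alive if r.preempt and r is not holder]
    best = max(challengers, key=rank, default=None)
    if best is not None and effective_priority(best, down_links) > effective_priority(holder, down_links):
        return best.name                      # preempt: strictly higher priority takes over
    return holder.name                        # otherwise the current active keeps the role


# The two routers of the lab above, as configured on R4 and R5.
LAB = [
    HsrpRouter("R4", "10.10.0.4", 120, preempt=True, tracked_if="fa0/1", decrement=50),
    HsrpRouter("R5", "10.10.0.5", 110, preempt=True, tracked_if="fa0/1", decrement=50),
]


def walk_through():
    """Sequence of events and who is Active after each one."""
    steps = []
    active = elect_active(LAB, set(), set())
    steps.append(("initial election", active))
    active = elect_active(LAB, {("R4", "fa0/1")}, set(), active)
    steps.append(("R4 fa0/1 down: 120-50=70 < 110", active))
    active = elect_active(LAB, set(), set(), active)
    steps.append(("R4 fa0/1 back up, R4 preempts", active))
    active = elect_active(LAB, set(), {"R4"}, active)
    steps.append(("R4 stops sending hellos", active))
    return steps


if __name__ == "__main__":
    for what, who in walk_through():
        print(f"{what:40} -> {who}")
```

The decrement of 50 is what makes the outside link matter: without it, losing fa0/1 on R4 would leave R4 Active with no path to the Internet, and R5 would never take over.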

Stateful IP NAT configuration

1- Enabling the stateful process

  • router R4 has ID 1 (router R5 will have ID 2)
  • the stateful process refers to the HSRP group named "HSRP-1"
  • the stateful process uses mapping-id 100 (common to both routers)

R4(config)#ip nat Stateful id 1
R4(config-ipnat-snat)#redundancy HSRP-1
R4(config-ipnat-snat-red)#mapping-id 100
R4(config-ipnat-snat-red)#exit

2- Configuring the pool of public IP addresses to use

R4(config)#ip nat pool MY-POOL 213.36.21.10 213.36.21.13 prefix-length 24

3- Creating an access-list

R4(config)#access-list 1 permit 10.10.0.0 0.0.0.255

4- Creating a route-map

R4(config)#route-map MY-LAN permit 10
R4(config-route-map)#match ip address 1

5- Enabling NAT

R4(config)#int fa0/0
R4(config-if)#ip nat inside
R4(config)#int fa0/1
R4(config-if)#ip nat outside

R4(config)#ip nat inside source route-map MY-LAN pool MY-POOL mapping-id 100


Same configuration on router R5 (with ID 2):

R5(config)#ip nat Stateful id 2
R5(config-ipnat-snat)#redundancy HSRP-1
R5(config-ipnat-snat-red)#mapping-id 100
R5(config-ipnat-snat-red)#exit

R5(config)#ip nat pool MY-POOL 213.36.21.10 213.36.21.13 prefix-length 24

R5(config)#access-list 1 permit 10.10.0.0 0.0.0.255

R5(config)#route-map MY-LAN permit 10
R5(config-route-map)#match ip address 1

R5(config)#int fa0/0
R5(config-if)#ip nat inside
R5(config)#int fa0/1
R5(config-if)#ip nat outside

R5(config)#ip nat inside source route-map MY-LAN pool MY-POOL mapping-id 100

Verification:

BB1#ping 80.80.80.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.80.80.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/28 ms

R4#debug ip nat
IP NAT debugging is on

R4#
*Mar 12 16:13:19.983: NAT: s=10.10.0.101->213.36.21.10, d=80.80.80.21 [5]
*Mar 12 16:13:19.987: NAT*: s=80.80.80.21, d=213.36.21.10->10.10.0.101 [8405]
*Mar 12 16:13:20.011: NAT: s=10.10.0.101->213.36.21.10, d=80.80.80.21 [6]
*Mar 12 16:13:20.015: NAT*: s=80.80.80.21, d=213.36.21.10->10.10.0.101 [8406]
*Mar 12 16:13:20.023: NAT: s=10.10.0.101->213.36.21.10, d=80.80.80.21 [7]
*Mar 12 16:13:20.027: NAT*: s=80.80.80.21, d=213.36.21.10->10.10.0.101 [8407]
*Mar 12 16:13:20.035: NAT: s=10.10.0.101->213.36.21.10, d=80.80.80.21 [8]
*Mar 12 16:13:20.035: NAT*: s=80.80.80.21, d=213.36.21.10->10.10.0.101 [8408]
*Mar 12 16:13:20.043: NAT: s=10.10.0.101->213.36.21.10, d=80.80.80.21 [9]
*Mar 12 16:13:20.047: NAT*: s=80.80.80.21, d=213.36.21.10->10.10.0.101 [8409]

R4#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 213.36.21.10:8906 10.10.0.101:8906 80.80.80.21:8906 80.80.80.21:8906
icmp 213.36.21.10:8907 10.10.0.101:8907 80.80.80.21:8907 80.80.80.21:8907
icmp 213.36.21.10:8908 10.10.0.101:8908 80.80.80.21:8908 80.80.80.21:8908
icmp 213.36.21.10:8909 10.10.0.101:8909 80.80.80.21:8909 80.80.80.21:8909
icmp 213.36.21.10:8910 10.10.0.101:8910 80.80.80.21:8910 80.80.80.21:8910

R5#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 213.36.21.10:8906 10.10.0.101:8906 80.80.80.21:8906 80.80.80.21:8906
icmp 213.36.21.10:8907 10.10.0.101:8907 80.80.80.21:8907 80.80.80.21:8907
icmp 213.36.21.10:8908 10.10.0.101:8908 80.80.80.21:8908 80.80.80.21:8908
icmp 213.36.21.10:8909 10.10.0.101:8909 80.80.80.21:8909 80.80.80.21:8909
icmp 213.36.21.10:8910 10.10.0.101:8910 80.80.80.21:8910 80.80.80.21:8910

R4#show ip snat distributed

Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: ACTIVE
: State READY
: Local Address 10.10.0.4
: Local NAT id 1
: Peer Address 10.10.0.5
: Peer NAT id 2
: Mapping List 100

R5#show ip snat distributed

Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: STANDBY
: State READY
: Local Address 10.10.0.5
: Local NAT id 2
: Peer Address 10.10.0.4
: Peer NAT id 1
: Mapping List 100
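What the two show commands above are meant to prove is that the pair is healthy: both peers READY, one ACTIVE and one STANDBY, ids and addresses that cross-reference, the same mapping list, and an identical translation table on both routers. The following is an added example, not code from the original post: a Python check that parses that output and reports every way the pair can drift. The sample output embedded in it is constructed for the example (the values mirror the lab above, but the text is typed here rather than captured from the routers), and `parse_translations`, `parse_snat_status` and `check_snat_pair` are this example's own names. It also checks that every inside global address belongs to the configured pool, which the page's output satisfies but the commands themselves do not verify.

```python
import ipaddress
import re

# Constructed sample output; values mirror the lab above.
R4_TRANSLATIONS = """\
Pro Inside global Inside local Outside local Outside global
icmp 213.36.21.10:8906 10.10.0.101:8906 80.80.80.21:8906 80.80.80.21:8906
icmp 213.36.21.10:8907 10.10.0.101:8907 80.80.80.21:8907 80.80.80.21:8907
icmp 213.36.21.10:8908 10.10.0.101:8908 80.80.80.21:8908 80.80.80.21:8908
"""
R5_TRANSLATIONS = R4_TRANSLATIONS          # healthy pair: every entry replicated
# Constructed failure case: the standby has not received the newest entry.
R5_TRANSLATIONS_STALE = "\n".join(R4_TRANSLATIONS.splitlines()[:-1]) + "\n"

R4_SNAT = """\
Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: ACTIVE
: State READY
: Local Address 10.10.0.4
: Local NAT id 1
: Peer Address 10.10.0.5
: Peer NAT id 2
: Mapping List 100
"""
R5_SNAT = """\
Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: STANDBY
: State READY
: Local Address 10.10.0.5
: Local NAT id 2
: Peer Address 10.10.0.4
: Peer NAT id 1
: Mapping List 100
"""
# The pool MY-POOL configured on both routers.
POOL = (ipaddress.ip_address("213.36.21.10"), ipaddress.ip_address("213.36.21.13"))


def parse_translations(text):
    """Set of (proto, inside global, inside local, outside local, outside global) tuples."""
    entries = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] != "Pro":   # skip the header and blank lines
            entries.add(tuple(parts))
    return entries


_SNAT_FIELDS = {
    "role": r"::\s*(\S+)",
    "state": r":\s*State\s+(\S+)",
    "local_addr": r":\s*Local Address\s+(\S+)",
    "local_id": r":\s*Local NAT id\s+(\d+)",
    "peer_addr": r":\s*Peer Address\s+(\S+)",
    "peer_id": r":\s*Peer NAT id\s+(\d+)",
    "mapping": r":\s*Mapping List\s+(\d+)",
}


def parse_snat_status(text):
    """Fields of 'show ip snat distributed'; a field missing from the output becomes None."""
    status = {}
    for name, pattern in _SNAT_FIELDS.items():
        m = re.search(pattern, text)
        status[name] = m.group(1) if m else None
    return status


def check_snat_pair(a, b, a_trans, b_trans, pool=POOL):
    """Findings for one SNAT pair; an empty list means the pair looks healthy."""
    findings = []
    for label, st in (("A", a), ("B", b)):
        if st["state"] != "READY":
            findings.append(f"{label}: state {st['state']}, expected READY")
    if {a["role"], b["role"]} != {"ACTIVE", "STANDBY"}:
        findings.append(f"roles {a['role']}/{b['role']}, expected one ACTIVE and one STANDBY")
    if ((a["peer_id"], a["peer_addr"]) != (b["local_id"], b["local_addr"]) or
            (b["peer_id"], b["peer_addr"]) != (a["local_id"], a["local_addr"])):
        findings.append("peer id/address do not cross-reference between the two routers")
    if a["mapping"] != b["mapping"]:
        findings.append(f"mapping-id differs: {a['mapping']} vs {b['mapping']}")
    for e in sorted(a_trans - b_trans):
        findings.append("translation only on A: " + " ".join(e))
    for e in sorted(b_trans - a_trans):
        findings.append("translation only on B: " + " ".join(e))
    for e in sorted(a_trans | b_trans):
        inside_global = ipaddress.ip_address(e[1].rsplit(":", 1)[0])
        if not pool[0] <= inside_global <= pool[1]:
            findings.append("inside global address outside the pool: " + e[1])
    return findings


if __name__ == "__main__":
    for label, r5 in (("healthy", R5_TRANSLATIONS), ("stale standby", R5_TRANSLATIONS_STALE)):
        issues = check_snat_pair(parse_snat_status(R4_SNAT), parse_snat_status(R5_SNAT),
                                 parse_translations(R4_TRANSLATIONS), parse_translations(r5))
        print(label, "->", issues or "OK")
```

Run against real output, feed it the text of the four commands collected from R4 and R5 within a few seconds of each other; a translation that shows up only on the active router is the symptom to look for, since it is exactly the flow that would be dropped on failover.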