Monday, 24 February 2014

NAT STATEFUL FAILOVER ON CISCO

CISCO NAT Stateful Failover:
When the word "stateful" is mentioned in the networking world, it usually means that the router or firewall keeps records of the sessions it has created. Stateful failover means that whatever sessions have been recorded on one device, the backup device also knows about them and can take over without those sessions being torn down if the main device fails; it functions the same as the primary. NAT also has this failover functionality. This lab will focus on configuring dynamic NAT stateful failover.

R3 and R4 are NAT routers. R3 is the primary and R4 is the backup NAT router. These must be configured so that R4 provides stateful failover. The Loopback0 addresses on R1, 1.1.1.1/32 - 1.1.1.5/32, should be translated to 123.123.123.1 - .5 /24. The host part of the IP address must match, e.g. 1.1.1.1/32 = 123.123.123.1/32.

These have been preconfigured:
1. OSPF on all routers.
2. A default route and a floating static default route on R5 (for 123.123.123.0/24 reachability).
3. IP OSPF cost on the links from R2 to R3 and from R3 to R5, to disable equal-cost load balancing.

1. First, let's configure which interfaces are the inside and outside parts of the NAT configuration.

R3(config)# int se0/2
R3(config-if)# description connected to R2
R3(config-if)# ip nat inside
R3(config-if)# int se0/3
R3(config-if)# description connected to R5
R3(config-if)# ip nat outside

R4(config)# int se0/2
R4(config-if)# description connected to R2
R4(config-if)# ip nat inside
R4(config-if)# int se0/0
R4(config-if)# description connected to R5
R4(config-if)# ip nat outside

2. Configure an access-list that matches the IP addresses of Loopback0 on R1, and configure the NAT pool from which the translations will be taken.

Note: The "match-host" keyword makes exact host-to-host translation possible: 1.1.1.1/32 = 123.123.123.1/32, .5 = .5. The last octet of the IP address keeps the same value, because the pool matches the host portion of the IP address.

R3(config)# access-list 1 permit 1.1.1.0 0.0.0.255
R3(config)# ip nat pool LOOPBACK 123.123.123.1 123.123.123.5 prefix-length 24 type match-host

R4(config)# access-list 1 permit 1.1.1.0 0.0.0.255
R4(config)# ip nat pool LOOPBACK 123.123.123.1 123.123.123.5 prefix-length 24 type match-host

3. Configure a NAT stateful ID. This is what makes stateful failover possible; this configuration determines which router is the primary NAT router and which is the backup.

R3(config)# ip nat stateful id 1 ----------> This is locally significant.
R3(config-ipnat-snat)# primary 23.23.23.3
R3(config-ipnat-snat-pri)# peer 24.24.24.4
R3(config-ipnat-snat-pri)# mapping-id 1 ---------> This should match on the routers.
R3(config-ipnat-snat-pri)# exit

R4(config)# ip nat stateful id 1 ----------> This is locally significant.
R4(config-ipnat-snat)# backup 24.24.24.4
R4(config-ipnat-snat-pri)# peer 23.23.23.3
R4(config-ipnat-snat-pri)# mapping-id 1 ---------> This should match on the routers.
R4(config-ipnat-snat-pri)# exit

The "peer" keyword is what ties the two routers together. The IP address configured with the "primary" or "backup" keyword must be one of the IP addresses on an interface of that router configured with the "ip nat inside" command; otherwise you will get an error message that it does not match. If two backups are configured and they peer with each other, they will not establish a relationship. A router can be configured as the primary for one mapping-id and as the backup for another.
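The rules in the paragraph above (primary/backup address on an "ip nat inside" interface, peers cross-referencing each other, one primary and one backup per mapping-id) can be checked before the configuration is pushed. The following lint is an added example, not code from the original post: the Router data model is an assumption, the inside addresses are the lab's own, and the outside-interface addresses are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Router:
    """One SNAT router as it would be configured (data model is an assumption)."""
    name: str
    interfaces: dict      # interface name -> (ip address, "inside" | "outside" | None)
    role: str             # "primary" or "backup"
    local: str            # address given to the primary/backup keyword
    peer: str             # address given to the peer keyword
    mapping_id: int

    def inside_addresses(self) -> set:
        return {ip for ip, side in self.interfaces.values() if side == "inside"}


def lint_snat_pair(a: Router, b: Router) -> list:
    """Return the problems found; an empty list means the pair should converge."""
    problems = []
    # the primary/backup address must belong to an 'ip nat inside' interface
    for r in (a, b):
        if r.local not in r.inside_addresses():
            problems.append(f"{r.name}: {r.role} address {r.local} is not on an 'ip nat inside' interface")
    # the peer keyword on each side must point at the other side's local address
    if a.peer != b.local or b.peer != a.local:
        problems.append(f"peer addresses do not cross-reference ({a.name} peer={a.peer}, {b.name} peer={b.peer})")
    # mapping-id must be identical on both routers
    if a.mapping_id != b.mapping_id:
        problems.append(f"mapping-id mismatch: {a.name}={a.mapping_id}, {b.name}={b.mapping_id}")
    # two backups (or two primaries) never form a relationship
    if sorted((a.role, b.role)) != ["backup", "primary"]:
        problems.append(f"need one primary and one backup, got {a.role}/{b.role}")
    return problems


# Lab values from the post; the outside-interface addresses (35.x, 45.x) are constructed placeholders.
R3 = Router("R3", {"Serial0/2": ("23.23.23.3", "inside"), "Serial0/3": ("35.35.35.3", "outside")},
            "primary", "23.23.23.3", "24.24.24.4", 1)
R4 = Router("R4", {"Serial0/2": ("24.24.24.4", "inside"), "Serial0/0": ("45.45.45.4", "outside")},
            "backup", "24.24.24.4", "23.23.23.3", 1)

if __name__ == "__main__":
    for line in lint_snat_pair(R3, R4) or ["OK: pair is consistent"]:
        print(line)
```

Running it against the lab pair prints "OK"; pointing R3's primary address at its outside interface, or making both routers backups, produces the corresponding problem line.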

After configuring these commands, let's see the logs created by the routers.

R3#
*Mar 1 01:36:33.783: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:36:45.871: SNAT (Receive): CONVERGENCE Message for Router-Id: 1 from Peer Router-Id: 1's entries
*Mar 1 01:36:45.871: %SNAT-5-PROCESS: Id 1, System fully converged

R4#
*Mar 1 01:34:11.803: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:34:11.811: %SNAT-5-PROCESS: Id 1, System fully converged
*Mar 1 01:34:48.767: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:34:50.791: SNAT (Receive): CONVERGENCE Message for Router-Id: 1 from Peer Router-Id: 1's entries
*Mar 1 01:34:50.795: %SNAT-5-PROCESS: Id 1, System fully converged

Let's do a show command that will check the status of the Stateful Failover NAT.

R3#show ip snat distributed

Stateful NAT Connected Peers:

SNAT: Mode PRIMARY
: State READY
: Local Address 23.23.23.3
: Local NAT id 1
: Peer Address 24.24.24.4
: Peer NAT id 1
: Mapping List 1

R4#show ip snat distributed

Stateful NAT Connected Peers

SNAT: Mode BACKUP
: State READY
: Local Address 24.24.24.4
: Local NAT id 1
: Peer Address 23.23.23.3
: Peer NAT id 1
: Mapping List 1

4. Configure the NAT translation statement that maps access-list 1 to the NAT pool we created.

R3(config)# ip nat inside source list 1 pool LOOPBACK mapping-id 1

R4(config)# ip nat inside source list 1 pool LOOPBACK mapping-id 1

5. Now let's test NAT by pinging 5.5.5.5 sourced from the IPs on Loopback0 of R1 (not shown). We can run "debug ip nat" on R3 and R4, but we will only see output on R3, since the traffic passes through it. For the sake of a shorter post I will not display the output.

6. Let's check the translations on R3, our main NAT router, and afterwards check whether R4 is receiving the entries from the NAT table.

R3#sh ip nat tran
Pro Inside global Inside local Outside local Outside global
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20
--- 123.123.123.1 1.1.1.1 --- ---
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
--- 123.123.123.2 1.1.1.2 --- ---
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
--- 123.123.123.3 1.1.1.3 --- ---
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
--- 123.123.123.4 1.1.1.4 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
--- 123.123.123.5 1.1.1.5 --- ---

R4#sh ip nat tran
Pro Inside global Inside local Outside local Outside global
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20
--- 123.123.123.1 1.1.1.1 --- ---
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
--- 123.123.123.2 1.1.1.2 --- ---
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
--- 123.123.123.3 1.1.1.3 --- ---
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
--- 123.123.123.4 1.1.1.4 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
--- 123.123.123.5 1.1.1.5 --- ---

Though the traffic did not pass through R4, it knows the translations. Notice that the host part of the original IP address and of the translated IP address is the same. This is the result of the "match-host" keyword.
Let's check with a show command whether the failover information from R3 has been passed to R4.

R4#sh ip snat peer 23.23.23.3

Show NAT Entries created by peer: 23.23.23.3

Pro Inside global Inside local Outside local Outside global
--- 123.123.123.1 1.1.1.1 --- ---
--- 123.123.123.2 1.1.1.2 --- ---
--- 123.123.123.3 1.1.1.3 --- ---
--- 123.123.123.4 1.1.1.4 --- ---
--- 123.123.123.5 1.1.1.5 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20
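Comparing the two listings by eye works for five hosts; for a production pool you would want to script the check. The following is an added example, not code from the original post: it parses the "show ip nat translations" style table (the column layout assumed here is the one shown above), verifies that the backup holds every entry the primary holds regardless of listing order, and verifies the match-host invariant that the host bits of the inside global and inside local addresses agree. The sample tables are the post's own entries, embedded inline.

```python
from ipaddress import ip_address

# Sample 'show ip nat translations' output on the primary (R3), copied from the post
PRIMARY = """\
Pro Inside global Inside local Outside local Outside global
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20
--- 123.123.123.1 1.1.1.1 --- ---
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
--- 123.123.123.2 1.1.1.2 --- ---
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
--- 123.123.123.3 1.1.1.3 --- ---
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
--- 123.123.123.4 1.1.1.4 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
--- 123.123.123.5 1.1.1.5 --- ---
"""

# The backup's 'show ip snat peer' listing (R4), which reports the same entries in a different order
BACKUP_PEER = """\
Show NAT Entries created by peer: 23.23.23.3

Pro Inside global Inside local Outside local Outside global
--- 123.123.123.1 1.1.1.1 --- ---
--- 123.123.123.2 1.1.1.2 --- ---
--- 123.123.123.3 1.1.1.3 --- ---
--- 123.123.123.4 1.1.1.4 --- ---
--- 123.123.123.5 1.1.1.5 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20
"""


def parse_translations(text: str) -> set:
    """Return table rows as a set of (proto, inside_global, inside_local, outside_local, outside_global).

    Header, banner and blank lines do not have exactly five columns and are skipped."""
    rows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] != "Pro":
            rows.add(tuple(parts))
    return rows


def strip_port(field: str) -> str:
    """'1.1.1.1:20' -> '1.1.1.1'; a bare address is returned unchanged."""
    return field.rsplit(":", 1)[0]


def missing_on_backup(primary_text: str, backup_text: str) -> set:
    """Entries the primary holds but the backup has not received (order-independent)."""
    return parse_translations(primary_text) - parse_translations(backup_text)


def match_host_violations(text: str, prefix_length: int = 24) -> list:
    """Rows whose inside-global host bits differ from the inside-local host bits.

    For a 'type match-host' pool with prefix-length 24 the host part is the last octet;
    the prefix length is a parameter so the check generalises to other pool sizes."""
    host_mask = (1 << (32 - prefix_length)) - 1
    bad = []
    for row in sorted(parse_translations(text)):
        global_host = int(ip_address(strip_port(row[1]))) & host_mask
        local_host = int(ip_address(strip_port(row[2]))) & host_mask
        if global_host != local_host:
            bad.append(row)
    return bad


if __name__ == "__main__":
    print("missing on backup:", missing_on_backup(PRIMARY, BACKUP_PEER) or "none")
    print("match-host violations:", match_host_violations(PRIMARY) or "none")
```

With the post's tables both checks come back empty; deleting one icmp row from the backup listing, or adding a row whose last octets differ, makes the corresponding check report exactly that row.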


In the event that R3 fails and the traffic goes to R4, the sessions need not be restarted, as translations already exist on R4, passed to it by R3. Let's shut down the interface on R3 and see how R4 reacts.

R4#
*Mar 1 02:11:15.819: %SNAT-5-ALERT: BACKUP staging recovery, replacing Primary
*Mar 1 02:11:15.819: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 02:11:15.827: %SNAT-5-PROCESS: Id 1, System fully converged


It places itself as the primary NAT router, but the translations it learned from R3 remain in place. Once R3 comes back up, R4 will put itself back as the backup NAT router.
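A failover like the one above should never go unnoticed: the "%SNAT-5-ALERT: BACKUP staging recovery, replacing Primary" message is the signal that the backup has taken over, and the "start converging" / "fully converged" pair tells you how long the entries took to sync. The following parser is an added example, not code from the original post; it works over the R4 log lines quoted above (embedded inline as a constructed sample), extracts the role change, and measures each convergence in milliseconds. The timestamp and message formats assumed are the ones visible in the post's logs.

```python
import re
from datetime import datetime

# Constructed sample: the SNAT lines R4 logged in the post, in the order they appeared
R4_LOG = """\
*Mar 1 01:34:11.803: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:34:11.811: %SNAT-5-PROCESS: Id 1, System fully converged
*Mar 1 01:34:48.767: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:34:50.791: SNAT (Receive): CONVERGENCE Message for Router-Id: 1 from Peer Router-Id: 1's entries
*Mar 1 01:34:50.795: %SNAT-5-PROCESS: Id 1, System fully converged
*Mar 1 02:11:15.819: %SNAT-5-ALERT: BACKUP staging recovery, replacing Primary
*Mar 1 02:11:15.819: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 02:11:15.827: %SNAT-5-PROCESS: Id 1, System fully converged
"""

# '*Mar 1 02:11:15.819: <body>' -- leading '*' marks an unsynchronised clock
LINE_RE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): (?P<body>.*)$")
# '%SNAT-5-ALERT: <msg>' -- facility, severity, mnemonic
SYSLOG_RE = re.compile(r"^%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z]+): (?P<msg>.*)$")


def parse_snat_log(text: str) -> list:
    """Return SNAT-related events as dicts with ts, facility, severity, mnemonic and msg.

    Debug lines ('SNAT (Receive): ...') carry no %FACILITY-SEV-MNEMONIC prefix and are kept
    with facility/severity/mnemonic set to None."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S.%f")
        ev = {"ts": ts, "facility": None, "severity": None, "mnemonic": None, "msg": m["body"]}
        s = SYSLOG_RE.match(m["body"])
        if s:
            ev.update(facility=s["facility"], severity=int(s["severity"]),
                      mnemonic=s["mnemonic"], msg=s["msg"])
        if ev["facility"] == "SNAT" or ev["msg"].startswith("SNAT"):
            events.append(ev)
    return events


def role_changes(events: list) -> list:
    """Timestamps at which the backup took over as primary (the %SNAT-5-ALERT message)."""
    return [e["ts"] for e in events
            if e["mnemonic"] == "ALERT" and "replacing Primary" in e["msg"]]


def convergence_times_ms(events: list) -> list:
    """(id, elapsed_ms) for each 'start converging' / 'fully converged' pair, per stateful id."""
    started = {}
    out = []
    for e in events:
        if e["mnemonic"] != "PROCESS":
            continue
        m = re.match(r"Id (\d+), System (start converging|fully converged)", e["msg"])
        if not m:
            continue
        snat_id, phase = int(m[1]), m[2]
        if phase == "start converging":
            started[snat_id] = e["ts"]
        elif snat_id in started:
            elapsed = e["ts"] - started.pop(snat_id)
            out.append((snat_id, round(elapsed.total_seconds() * 1000)))
    return out


if __name__ == "__main__":
    evs = parse_snat_log(R4_LOG)
    for ts in role_changes(evs):
        print("backup replaced primary at", ts.strftime("%H:%M:%S.%f")[:-3])
    for snat_id, ms in convergence_times_ms(evs):
        print(f"id {snat_id} converged in {ms} ms")
```

On the sample, the first convergence (R4 alone) and the takeover convergence each take 8 ms, while the initial sync with R3 takes just over two seconds; a role-change event is the line worth alerting on, since it means the primary path has gone down.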
