Preserve NAT translations when a Cisco router fails

When you have two routers running HSRP, the standby router takes over if the active router goes down. But if this happens when you're using NAT, it severs all connections going through the active router. David Davis tells you how to use HSRP and SNAT to preserve these NAT translations.

Last time, I discussed how you can achieve Cisco router redundancy using the Hot Standby Router Protocol (HSRP). This time, let's delve a little deeper into your other HSRP options. If you're interested in using Network Address Translation (NAT) with HSRP, you should familiarize yourself with the Cisco IOS Stateful NAT (SNAT) feature, which helps provide higher availability and higher redundancy on your network when using NAT.

To quickly review, when you have two routers running HSRP, the standby router takes over if the active router goes down. However, if this happens when you're using NAT, it severs every connection going through the active router that depends on a dynamic NAT translation, because the standby router has no copy of the active router's translation table; users would need to reestablish those connections. (Static translations are configured identically on both routers and survive the failover; dynamic translations are the problem.) That's where SNAT comes in.

What is SNAT?

There's some confusion out there about what exactly SNAT stands for, and a Google search will return a variety of definitions. According to Microsoft, SNAT stands for Secure NAT and is available on ISA Server. In addition, SNAT can stand for Source NAT. However, in the Cisco arena, SNAT stands for Stateful NAT.

SNAT involves two or more routers performing the NAT function as a group. These NAT routers replicate the contents of their NAT translation tables to each other. You can view this information using the show ip nat translations command, whose output lists the protocol, inside global IP, inside local IP, outside local IP, and outside global IP for each translation.

Whenever a new NAT connection occurs via one of the NAT routers, the router relays that information to the others in the SNAT group. But these routers aren't just exchanging the IP addresses of the NAT IP flows; they're also exchanging the TCP state of those flows. The standby routers have already created the NAT translation table and are waiting for a failure on the active router.

In other words, the purpose for this exchange of NAT flow information is to ensure one of the standby NAT routers can take over if the active NAT router goes down. You can configure SNAT in its own primary/backup mode, where each router is told its role and its peer's IP address explicitly, but it works best when configured with HSRP, which lets HSRP decide which router is active and lets SNAT follow that decision.

Cisco has released SNAT in phases. In the first phase, released in Cisco IOS 12.2(13)T, it only worked with protocols that didn't carry IP addresses in the application layer. As of Cisco IOS 12.3(7)T, SNAT also supports applications that embed IP information in the application layer, such as FTP, whose control channel carries the addresses and ports of the data connection. In addition, Cisco released some scalability enhancements for SNAT in IOS 12.4(4)T.

How do you configure SNAT?

To configure SNAT with HSRP, start by using the regular HSRP standby commands on your HSRP interfaces. You also need to give the HSRP group the name SNATHSRP with the standby name command; the same name goes in the redundancy line of the ip nat stateful configuration, which is how SNAT uses the HSRP API to learn whether this router is currently active or standby.

Your standby command might look something like this:

standby name SNATHSRP
standby ip secondary

You also need to ensure the full exchange of NAT state information between the routers in the SNAT group before a router takes over. The standby delay reload command holds off HSRP initialization after a reload, and the sync keyword on standby preempt delay makes a router that is eligible to preempt wait (here, up to 60 seconds) for HSRP clients such as SNAT to finish synchronizing their state before it becomes active. Here's an example:

standby delay reload 60
standby 1 preempt delay minimum 60 reload 60 sync 60

After exiting Interface Configuration Mode, enter the ip nat stateful command; make sure it includes the same SNATHSRP group name. Here's an example:

ip nat stateful id 1
         redundancy SNATHSRP
         mapping-id 10

Now you can enter your standard NAT commands to create your translation pools. Note the mapping-id on the ip nat inside source command: it must match the mapping-id under ip nat stateful, because that is what tells SNAT which translations to replicate to its peers. Here's an example:

ip nat pool snatpool1 prefix-length 24
ip nat inside source route-map rm-snat1 pool snatpool1 mapping-id 10 overload

Next, create your access control list and route map, according to the network for which you're configuring NAT. Here's an example:

access-list 101 permit ip

route-map rm-snat1 permit 10
match ip address 101

Finally, repeat the configuration on the other router (or routers) in the HSRP group: the HSRP group name, the redundancy name and mapping-id under ip nat stateful, the NAT pool, the route map, and the access list must all match, so that every router replicates the same set of translations. After that, you can use the traditional NAT commands such as show ip nat translations and show ip nat statistics, as well as show ip snat (for example, show ip snat distributed), to confirm that the standby router holds the same translations as the active one.
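Putting the steps above together, here is a complete two-router configuration. This is an added example, not from the original column or from Cisco's documentation; the hostnames, interface names, addresses (10.1.1.0/24 inside, 198.51.100.0/29 on the outside link, 203.0.113.0/24 as the NAT pool), the HSRP MD5 key, the use of a distinct stateful id on each router, and the assumption that the upstream router routes the pool to the outside HSRP virtual IP are all made up for illustration.

```cisco
! ===== R1: intended HSRP active router (higher priority) =====
hostname R1
!
interface Ethernet0
 description Inside LAN - hosts use HSRP virtual IP 10.1.1.1 as their gateway
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 standby delay reload 60
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt delay minimum 60 reload 60 sync 60
 standby 1 name SNATHSRP
 ! MD5 authentication stops a host on the LAN from claiming the virtual IP
 ! (assumed key - use your own)
 standby 1 authentication md5 key-string ExampleHsrpKey
 ! If the outside interface fails, drop priority so R2 takes over both groups
 standby 1 track Ethernet1 20
!
interface Ethernet1
 description Outside link to upstream router 198.51.100.6
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
 standby 2 ip 198.51.100.1
 standby 2 priority 110
 standby 2 preempt delay minimum 60 reload 60
 standby 2 authentication md5 key-string ExampleHsrpKey
 standby 2 track Ethernet0 20
!
! Assumption: the upstream router routes 203.0.113.0/24 to 198.51.100.1, so
! return traffic for the NAT pool always reaches whichever router is HSRP active
ip route 0.0.0.0 0.0.0.0 198.51.100.6
!
! SNAT follows the HSRP group named SNATHSRP; mapping-id 10 ties it to the NAT rule
ip nat stateful id 1
 redundancy SNATHSRP
 mapping-id 10
!
ip nat pool snatpool1 203.0.113.10 203.0.113.20 prefix-length 24
ip nat inside source route-map rm-snat1 pool snatpool1 mapping-id 10 overload
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
route-map rm-snat1 permit 10
 match ip address 101
!
! ===== R2: standby router. Identical to R1 except for the lines below =====
hostname R2
!
interface Ethernet0
 ip address 10.1.1.3 255.255.255.0
 standby 1 priority 100
!
interface Ethernet1
 ip address 198.51.100.3 255.255.255.248
 standby 2 priority 100
!
! Assumption: the stateful id is unique per router; the redundancy name and
! mapping-id must be the same on both peers
ip nat stateful id 2
 redundancy SNATHSRP
 mapping-id 10
```

Once both routers are up, show standby brief should show R1 active and R2 standby in both groups, and show ip nat translations on R2 should list the same dynamic entries as R1 (show ip snat distributed verbose shows the peer relationship). The interface tracking keeps the inside and outside HSRP groups failing over together; without it, one router could own the inside virtual IP while the other owns the outside one, and translated traffic would be routed through a router that never saw the original flow. The HSRP authentication lines matter for security as well as availability: a host on the LAN that sends HSRP hellos with a higher priority would otherwise take over the virtual IP and with it every NAT-translated flow.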

The combination of SNAT and HSRP working together preserves NAT translations when a failure occurs. A standby router can step in and take over the active role—possibly without users ever realizing there was a failure. Even better, you can be home asleep when it happens.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.
