Stateful NAT with HSRP

With stateful NAT, the active router that performs the NAT continuously passes its NAT table to the backup router, so that if the connection fails and the backup has to take over, no sessions are lost:
We follow the diagram below (the figure is not reproduced in the text).

First we need the HSRP configuration. The name SNAT-HSRP is a label we will use so that the NAT state is exchanged over the interfaces that carry that label.
Router_Activo
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 standby 1 ip 192.168.1.1
 standby 1 priority 50
 standby 1 name SNAT-HSRP   ! label for the stateful NAT
end


Router_Backup
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 standby 1 ip 192.168.1.1
 standby 1 name SNAT-HSRP   ! label for the stateful NAT
end

We configure the SNAT group; it is identical on both routers
ip nat stateful id 1
  redundancy SNAT-HSRP   ! label for the stateful NAT
   mapping-id 10         ! we must use this same id on our NAT rule
   protocol udp

We configure the NAT itself fully on both routers
ip nat pool NAT 1.1.1.1 1.1.1.1 prefix-length 24
ip nat inside source list NAT pool NAT mapping-id 10 overload  ! do not forget the mapping-id
!
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
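The three pieces above only work together when the names and ids line up: the `standby 1 name` label must equal the `redundancy` name in the `ip nat stateful` block, and the `mapping-id` in that block must appear on the `ip nat inside source` rule, on both routers. The following script is an added example, not code from the original post; it reproduces the post's two configurations as constructed input and checks those couplings, and it also reports which router has the higher HSRP priority (unset means the default of 100). Because Router_Activo is configured with priority 50 and Router_Backup keeps the default, the helper reports the backup side as the higher-priority router, which is consistent with the debug output below, where 192.168.1.2 appears as the active address.

```python
"""Consistency check for a Stateful NAT (SNAT) + HSRP router pair.

Added example, not from the original post. It parses the post's two IOS
configurations (reproduced below as constructed input) and checks the
couplings that must line up for the NAT table to be synchronised: the HSRP
group name, the `redundancy` name in the `ip nat stateful` block, and the
mapping-id shared by that block and the `ip nat inside source` rule. It also
reports which router has the higher HSRP priority (default 100).
"""
import re

# Constructed input: the post's Router_Activo configuration, trimmed to the
# lines that matter for the check.
ROUTER_ACTIVO = """
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.1.1
 standby 1 priority 50
 standby 1 name SNAT-HSRP
!
ip nat stateful id 1
  redundancy SNAT-HSRP
   mapping-id 10
   protocol udp
!
ip nat pool NAT 1.1.1.1 1.1.1.1 prefix-length 24
ip nat inside source list NAT pool NAT mapping-id 10 overload
"""

# Router_Backup differs only in its address and has no explicit priority.
ROUTER_BACKUP = (ROUTER_ACTIVO.replace("192.168.1.3", "192.168.1.2")
                              .replace(" standby 1 priority 50\n", ""))


def parse(cfg):
    """Extract the values the SNAT/HSRP coupling depends on."""
    info = {"hsrp_names": {}, "priorities": {}, "snat": {},
            "source_mapping_ids": set()}
    snat_id = None  # id of the 'ip nat stateful' block we are inside, if any
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"standby (\d+) name (\S+)", line):
            info["hsrp_names"][int(m.group(1))] = m.group(2)
        elif m := re.match(r"standby (\d+) priority (\d+)", line):
            info["priorities"][int(m.group(1))] = int(m.group(2))
        elif m := re.match(r"ip nat stateful id (\d+)", line, re.I):
            snat_id = int(m.group(1))
            info["snat"][snat_id] = {"redundancy": None, "mapping_id": None}
        elif (m := re.match(r"redundancy (\S+)", line)) and snat_id is not None:
            info["snat"][snat_id]["redundancy"] = m.group(1)
        elif (m := re.match(r"mapping-id (\d+)", line)) and snat_id is not None:
            info["snat"][snat_id]["mapping_id"] = int(m.group(1))
        elif m := re.search(r"^ip nat inside source .*\bmapping-id (\d+)", line):
            info["source_mapping_ids"].add(int(m.group(1)))
        elif line == "!" or line.startswith("interface "):
            snat_id = None  # we have left the stateful block
    return info


def check_router(info):
    """Problems inside one router's own configuration; empty list means ok."""
    problems = []
    if not info["snat"]:
        problems.append("no 'ip nat stateful id' block")
    for sid, blk in info["snat"].items():
        if blk["redundancy"] not in info["hsrp_names"].values():
            problems.append(f"snat id {sid}: redundancy name "
                            f"{blk['redundancy']!r} matches no 'standby N name'")
        if blk["mapping_id"] is None:
            problems.append(f"snat id {sid}: no mapping-id")
        elif blk["mapping_id"] not in info["source_mapping_ids"]:
            problems.append(f"snat id {sid}: mapping-id {blk['mapping_id']} "
                            "is not on any 'ip nat inside source' rule")
    return problems


def check_pair(a, b):
    """Cross-router checks: both peers must agree on SNAT id and mapping-id."""
    problems = []
    for sid in sorted(set(a["snat"]) | set(b["snat"])):
        if sid not in a["snat"] or sid not in b["snat"]:
            problems.append(f"snat id {sid} is present on only one router")
        elif a["snat"][sid]["mapping_id"] != b["snat"][sid]["mapping_id"]:
            problems.append(f"snat id {sid}: mapping-id differs between routers")
    return problems


def higher_priority(a, b, group=1):
    """'a', 'b' or 'tie' by HSRP priority; an unset priority means the default 100."""
    pa = a["priorities"].get(group, 100)
    pb = b["priorities"].get(group, 100)
    return "a" if pa > pb else "b" if pb > pa else "tie"


if __name__ == "__main__":
    activo, backup = parse(ROUTER_ACTIVO), parse(ROUTER_BACKUP)
    for name, info in (("Router_Activo", activo), ("Router_Backup", backup)):
        print(name, check_router(info) or "ok")
    print("pair", check_pair(activo, backup) or "ok")
    print("higher HSRP priority:", higher_priority(activo, backup))
```

The parser deliberately tracks which `ip nat stateful` block it is inside, so a `mapping-id` under a second stateful id is not confused with the first; a mismatch between the block's mapping-id and the `ip nat inside source` rule is the error that most quietly breaks synchronisation, because NAT keeps working locally while nothing is replicated.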

We enable debug ip snat; the message to look for is "%SNAT-5-PROCESS: Id 1, System fully converged"
*Mar  1 01:49:25.255: SNAT Redundancy Update(stby): found Group HSRP
*Mar  1 01:49:25.255: SNAT Redundancy Update(stby):active 192.168.1.2 standby 0.0.0.0
*Mar  1 01:49:25.255: SNAT Redundancy Update(stby): O-standby 0.0.0.0
                       N-standby 192.168.1.3
*Mar  1 01:49:25.255: SNAT Redundancy Update(stby):O-state 4, N-state 5
*Mar  1 01:49:25.259: SNAT tableid(stby):0
*Mar  1 01:49:25.259: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
*Mar  1 01:49:25.259: SNAT Redundancy (upd): Group HSRP: old_state 5, new_state 6
*Mar  1 01:49:25.259: SNAT Redundancy (upd): Group HSRP: old_state 5 new_state 6, Active 192.168.1.2, Standby 192.168.1.3
*Mar  1 01:49:25.259: SNAT Redundancy (cfg): snat-Mode:  IP-REDUNDANCY
*Mar  1 01:49:25.263: SNAT Redundancy (cfg): snat-stat:  BACKUP
*Mar  1 01:49:25.263: SNAT Redundancy (cfg): actve-add:  0.0.0.0
*Mar  1 01:49:25.263: SNAT Redundancy (cfg): stdby-add:  0.0.0.0

*Mar  1 01:49:25.263: SNAT Redundancy (fsm): new-state:  STANDBY
*Mar  1 01:49:25.263: SNAT Redundancy (fsm): old-state:  SPEAK
*Mar  1 01:49:25.263: SNAT Redundancy (fsm): ri-active:  192.168.1.2
*Mar  1 01:49:25.263: SNAT Redundancy (fsm): ri-stndby:  192.168.1.3
*Mar  1 01:49:25.267: SNAT Redundancy (fsm): N-standby:  0.0.0.0
*Mar  1 01:49:25.267: SNAT Redundancy (fsm): O-standby:  0.0.0.0

*Mar  1 01:49:25.267: SNAT Redundancy (fsm): O-State SPEAK, N-state STANDBY
*Mar  1 01:49:25.267: SNAT Redundancy (fsm): Open new standby, N-State 6stdby 192.168.1.3 --> active 192.168.1.2
*Mar  1 01:49:25.675: SNAT (dscov): Peer NAT id send SYNC message
*Mar  1 01:49:25.675: SNAT (init): Initialized Peer block for 192.168.1.2
*Mar  1 01:49:25.675: SNAT (mapp): Add mapping-id 10 to list
*Mar  1 01:49:25.679: SNAT Peer block (cfg): Mode :  STANDBY
*Mar  1 01:49:25.679: SNAT Peer block (cfg): State:  IDLE
*Mar  1 01:49:25.679: SNAT Peer block (cfg): laddr:  192.168.1.3
*Mar  1 01:49:25.679: SNAT Peer block (cfg): Raddr:  192.168.1.2
*Mar  1 01:49:25.679: SNAT (state): Put peer_status back to SNAT_READY, send new SYN msg
*Mar  1 01:49:25.683: SNAT (state): 192.168.1.3 <--> 192.168.1.2 went from ESTAB to READY
*Mar  1 01:49:25.683: SNAT (State): Hold on sending DUMP_REQUEST msg
*Mar  1 01:49:25.683: SNAT (dscov): Peer NAT id send SYNC message
*Mar  1 01:49:25.683: SNAT (conn): Send Sync msg to peer cycle 10

*Mar  1 01:49:30.959: SNAT (ReadIP): S: notification receiving 0 msgs (0)
*Mar  1 01:49:30.959: SNAT (Systm): Increment Convergence level to 1
*Mar  1 01:49:30.959: %SNAT-5-PROCESS: Id 1, System start converging
*Mar  1 01:49:49.683: %SNAT-5-PROCESS: Id 1, System fully converged


Once it is working we send a ping and check that, when NAT happens on one router, both routers hold the same tables.
We can check that it works like this:
Router_Activo#sh ip snat distributed

Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: ACTIVE
    : State READY
    : Local Address 192.168.1.2
    : Local NAT id 1
    : Peer Address 192.168.1.3
    : Peer NAT id 1
    : Mapping List 10

Router_Backup#sh ip snat distributed

Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: STANDBY
    : State READY
    : Local Address 192.168.1.3
    : Local NAT id 1
    : Peer Address 192.168.1.2
    : Peer NAT id 1
    : Mapping List 10

Now we have it working.
To see what one router passes to the other, we can do this:
Router_Backup#sh ip snat peer 192.168.1.2

Show NAT Entries created by peer: 192.168.1.2

Pro Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:21        192.168.1.100:21   10.0.0.100:21      10.0.0.100:21
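The two show commands above are the evidence that replication is really happening, and they are worth checking mechanically after a failover test rather than by eye. The following script is an added example and not code from the original post: it parses the `show ip snat distributed` output of both routers as printed above (reproduced as constructed input), verifies that each side's Peer Address and Peer NAT id are the other side's Local values, that both are READY with the roles ACTIVE/STANDBY and the same Mapping List, and then diffs two translation tables in the format `show ip snat peer` prints. The second table is constructed so that one TCP entry is missing on the standby; on real routers the natural comparison is the active router's own translation table against the standby's `show ip snat peer <active address>`.

```python
"""Verify that a Stateful NAT pair is really synchronised.

Added example, not from the original post. Parses 'show ip snat distributed'
from both routers (the post's output, reproduced as constructed input), checks
that the peers point at each other, are READY and agree on the mapping list,
then reports translations present on the active router but not the standby.
"""
import re

ACTIVE_DIST = """
SNAT: Mode IP-REDUNDANCY :: ACTIVE
    : State READY
    : Local Address 192.168.1.2
    : Local NAT id 1
    : Peer Address 192.168.1.3
    : Peer NAT id 1
    : Mapping List 10
"""
STANDBY_DIST = """
SNAT: Mode IP-REDUNDANCY :: STANDBY
    : State READY
    : Local Address 192.168.1.3
    : Local NAT id 1
    : Peer Address 192.168.1.2
    : Peer NAT id 1
    : Mapping List 10
"""
# Constructed tables: the post's ICMP entry plus a TCP entry that exists on
# the active router only, to show what a replication gap looks like.
ACTIVE_TABLE = """
Pro Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:21        192.168.1.100:21   10.0.0.100:21      10.0.0.100:21
tcp  1.1.1.1:1025      192.168.1.100:1025 10.0.0.100:80      10.0.0.100:80
"""
STANDBY_TABLE = """
Show NAT Entries created by peer: 192.168.1.2

Pro Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:21        192.168.1.100:21   10.0.0.100:21      10.0.0.100:21
"""

FIELDS = (("state", r": State (\S+)"), ("local", r": Local Address (\S+)"),
          ("local_id", r": Local NAT id (\d+)"), ("peer", r": Peer Address (\S+)"),
          ("peer_id", r": Peer NAT id (\d+)"), ("mapping", r": Mapping List (.+)"))


def parse_distributed(text):
    """Turn one 'show ip snat distributed' output into a dict of fields."""
    m = re.search(r"SNAT: Mode (\S+) :: (\S+)", text)
    d = {"mode": m.group(1) if m else None, "role": m.group(2) if m else None}
    for key, pattern in FIELDS:
        m = re.search(pattern, text)
        d[key] = m.group(1).strip() if m else None
    return d


def check_peers(active, standby):
    """Problems in how the two peers see each other; empty list means healthy."""
    problems = []
    if (active["role"], standby["role"]) != ("ACTIVE", "STANDBY"):
        problems.append(f"roles are {active['role']}/{standby['role']}, "
                        "expected ACTIVE/STANDBY")
    for side, d in (("active", active), ("standby", standby)):
        if d["state"] != "READY":
            problems.append(f"{side} peer state is {d['state']}, not READY")
    if active["peer"] != standby["local"] or standby["peer"] != active["local"]:
        problems.append("peer addresses do not point at each other")
    if active["peer_id"] != standby["local_id"] or standby["peer_id"] != active["local_id"]:
        problems.append("NAT ids do not match across peers")
    if active["mapping"] != standby["mapping"]:
        problems.append("mapping lists differ")
    return problems


def parse_translations(text):
    """Rows of the 'Pro Inside global ...' table as (proto, ig, il, ol, og) tuples."""
    rows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("icmp", "tcp", "udp"):
            rows.add(tuple(parts))
    return rows


def missing_on_standby(active_table, standby_table):
    """Translations the active router holds that the standby has not received."""
    return sorted(parse_translations(active_table) - parse_translations(standby_table))


if __name__ == "__main__":
    a, s = parse_distributed(ACTIVE_DIST), parse_distributed(STANDBY_DIST)
    print("peers:", check_peers(a, s) or "ok")
    for row in missing_on_standby(ACTIVE_TABLE, STANDBY_TABLE):
        print("missing on standby:", " ".join(row))
```

A non-empty result from missing_on_standby after the "System fully converged" message is the signal that a flow will be dropped on failover even though the peers look healthy, which is why the table diff belongs in the check alongside the peer state.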
