Redundancy failover NAT

Almost every small enterprise uses Network Address Translation (NAT), but I am not sure how many enterprises use a redundant failover NAT design. I created and implemented the redundancy NAT design for some enterprises, and the design works very well. Here I would like to share those designs.

Redundancy failover NAT   

Assume the enterprise gets one Internet connection from its ISP, and the ISP assigns it a small IP block, 65.65.65.0/29. The enterprise has two servers, with IP addresses 172.16.0.21 and 172.16.0.22 respectively, and the employees' PCs are in the range 172.16.0.128/25. The enterprise wants hardware redundancy on its Internet gateway.

Based on the requirement, the design diagram is below:

[Design diagram: not reproduced in this copy]
In this design, R1 and R2 are the enterprise's Internet gateway routers.

  • R1 will be the primary router, R2 will be the backup router.
  • We configure HSRP on the LAN side and HSRP on the WAN side as well, for redundancy.
  • The LAN side HSRP virtual IP, 172.16.0.1, will be the gateway IP for the hosts.
  • The WAN side HSRP virtual IP is 64.1.1.3.
  • The ISP needs to route the public IP block 65.65.65.0/29 to 64.1.1.3, the WAN side HSRP virtual IP.
  • On R1, the LAN side HSRP will track the WAN side interface, and the WAN side HSRP also needs to track the LAN side interface. This ensures that the two HSRP groups are always active on the same router. We don't need to set up tracking on R2.
  • We configure NAT on both R1 and R2. The interface facing the WAN is NAT OUTSIDE; all other interfaces, including the link between R1 and R2, are NAT INSIDE.
  • We statically NAT 172.16.0.21 to 65.65.65.1 and 172.16.0.22 to 65.65.65.2, and dynamically NAT the range 172.16.0.128/25 with overload to 65.65.65.6.
  • Run OSPF between R1 and R2, and configure a static default route on both routers.
The detailed configuration is below:

R1 configurations
========================================================
hostname R1
!
interface FastEthernet0/0
description [To WAN]
 ip address 64.1.1.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed auto
 standby 1 ip 64.1.1.1
 standby 1 priority 120
 standby 1 preempt
 standby 1 track FastEthernet0/1 40
!
interface FastEthernet0/1
description [To LAN]
 ip address 172.16.0.11 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
 standby 2 ip 172.16.0.1
 standby 2 priority 120
 standby 2 preempt
 standby 2 track FastEthernet0/0 40
!
interface FastEthernet1/0
description [To R2]
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.255 area 10
 passive-interface FastEthernet0/1
 default-information originate
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 64.1.1.6

!
ip nat pool PUB1 65.65.65.6 65.65.65.6 netmask 255.255.255.248
ip nat inside source list WORKSTATIONS pool PUB1
ip nat inside source static 172.16.0.21 65.65.65.1
ip nat inside source static 172.16.0.22 65.65.65.2
!
!
ip access-list standard WORKSTATIONS
 permit 172.16.0.128 0.0.0.127

========================================================

R2 configuration
========================================================
hostname R2
!

interface FastEthernet0/0
description [To WAN]
 ip address 64.1.1.3 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed auto
 standby 1 ip 64.1.1.1
 standby 1 preempt
!
interface FastEthernet0/1
description [To LAN]
 ip address 172.16.0.12 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
 standby 2 ip 172.16.0.1
 standby 2 preempt
!
interface FastEthernet1/0
description [To R1]
 ip address 10.10.10.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.255 area 10
 passive-interface FastEthernet0/1
 default-information originate
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 64.1.1.6
!

ip nat pool PUB1 65.65.65.6 65.65.65.6 netmask 255.255.255.248
ip nat inside source list WORKSTATIONS pool PUB1
ip nat inside source static 172.16.0.21 65.65.65.1
ip nat inside source static 172.16.0.22 65.65.65.2
!
!
ip access-list standard WORKSTATIONS
 permit 172.16.0.128 0.0.0.127

========================================================

ISP1 configuration
========================================================
hostname ISP1

interface FastEthernet0/0
 ip address 64.1.1.6 255.255.255.248
 duplex auto
 speed auto

ip route 65.65.65.0 255.255.255.248 64.1.1.1

! This static route needs to be redistributed into the ISP's routing; I didn't list that here

========================================================
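For the failover to be clean, the two routers must carry identical NAT statements and mutually consistent HSRP tracking, which is easy to get wrong when configs are edited by hand. The following Python checker is an added example (not part of the post and not a Cisco tool): it parses only the `standby` and `ip nat` statements from a primary/backup config pair and reports violations of the design rules listed above. R1_CFG and R2_CFG are trimmed copies of the R1 and R2 listings; the parser understands just those statements and is not a general IOS parser.

```python
# Added example (not from the post): checks a primary/backup IOS config pair
# against the design rules above. R1_CFG/R2_CFG are trimmed copies of the listings.
R1_CFG = """\
interface FastEthernet0/0
 ip nat outside
 standby 1 ip 64.1.1.1
 standby 1 priority 120
 standby 1 preempt
 standby 1 track FastEthernet0/1 40
interface FastEthernet0/1
 ip nat inside
 standby 2 ip 172.16.0.1
 standby 2 priority 120
 standby 2 preempt
 standby 2 track FastEthernet0/0 40
interface FastEthernet1/0
 ip nat inside
ip nat pool PUB1 65.65.65.6 65.65.65.6 netmask 255.255.255.248
ip nat inside source list WORKSTATIONS pool PUB1
ip nat inside source static 172.16.0.21 65.65.65.1
ip nat inside source static 172.16.0.22 65.65.65.2
"""
R2_CFG = """\
interface FastEthernet0/0
 ip nat outside
 standby 1 ip 64.1.1.1
 standby 1 preempt
interface FastEthernet0/1
 ip nat inside
 standby 2 ip 172.16.0.1
 standby 2 preempt
interface FastEthernet1/0
 ip nat inside
ip nat pool PUB1 65.65.65.6 65.65.65.6 netmask 255.255.255.248
ip nat inside source list WORKSTATIONS pool PUB1
ip nat inside source static 172.16.0.21 65.65.65.1
ip nat inside source static 172.16.0.22 65.65.65.2
"""


def parse(cfg):
    """Minimal parser: per-interface NAT role and HSRP groups, plus global ip nat lines."""
    ifaces, nat_lines, cur = {}, set(), None
    for raw in cfg.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "interface":
            cur = p[1]
            ifaces[cur] = {"nat": None, "standby": {}}
        elif raw.startswith(" ") and cur:
            if p[:2] == ["ip", "nat"]:
                ifaces[cur]["nat"] = p[2]
            elif p[0] == "standby" and p[1].isdigit():  # "standby <group> ..."
                g = ifaces[cur]["standby"].setdefault(
                    int(p[1]), {"ip": None, "priority": 100, "preempt": False, "track": None})
                if p[2] == "ip":
                    g["ip"] = p[3]
                elif p[2] == "priority":
                    g["priority"] = int(p[3])
                elif p[2] == "preempt":
                    g["preempt"] = True
                elif p[2] == "track":  # decrement defaults to 10 in IOS
                    g["track"] = (p[3], int(p[4]) if len(p) > 4 else 10)
        else:
            cur = None
            if p[:2] == ["ip", "nat"]:
                nat_lines.add(" ".join(p))
    return ifaces, nat_lines


def check_pair(primary_cfg, backup_cfg):
    """Return findings; an empty list means the pair follows the design rules."""
    pi, pn = parse(primary_cfg)
    bi, bn = parse(backup_cfg)
    out = []
    if pn != bn:  # both routers must translate identically
        out.append(f"NAT statements differ: {sorted(pn ^ bn)}")
    for name in sorted(set(pi) | set(bi)):
        if pi.get(name, {}).get("nat") != bi.get(name, {}).get("nat"):
            out.append(f"{name}: NAT inside/outside role differs between routers")
    outside = [n for n, i in pi.items() if i["nat"] == "outside"]
    if len(outside) != 1:
        out.append(f"expected exactly one NAT outside interface, found {outside}")
    grp_iface = {g: n for n, i in pi.items() for g in i["standby"]}
    for name, i in pi.items():
        for g, c in i["standby"].items():
            b = bi.get(name, {}).get("standby", {}).get(g)
            if b is None or b["ip"] != c["ip"]:
                out.append(f"{name} group {g}: virtual IP missing or differs on backup")
                continue
            if not b["preempt"]:
                out.append(f"{name} group {g}: backup lacks preempt and cannot take over")
            others = [grp_iface[o] for o in grp_iface if o != g]
            if c["track"] is None or c["track"][0] not in others:
                out.append(f"{name} group {g}: primary must track the other HSRP interface")
            elif c["priority"] - c["track"][1] >= b["priority"]:
                out.append(f"{name} group {g}: decrement too small for backup to win")
    return out
```

`check_pair(R1_CFG, R2_CFG)` returns an empty list for the listings above. Removing the `standby 1 track` line from R1, or changing one static NAT line on R2, produces a finding, which is the kind of drift that otherwise only shows up during a real failover.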

Analysis of this design:

If there is no failure, it functions as follows:
  • R1 is the active router for both the LAN side HSRP and the WAN side HSRP.
  • Outgoing traffic from a host on the LAN side enters the active router R1 on interface F0/1 and is routed from F0/1 to F0/0. Since F0/1 is NAT INSIDE and F0/0 is NAT OUTSIDE, the outgoing traffic's source IP address is translated from 172.16.0.Y to 65.65.65.X, and the traffic leaves through interface F0/0 of R1.
  • The returning traffic is sent to the WAN side HSRP virtual IP. Since R1 is the active WAN side HSRP router, the returning traffic arrives on R1 F0/0. Because F0/0 is NAT OUTSIDE, R1 first checks the returning traffic against the NAT translation table; if the destination IP address is 65.65.65.X, R1 translates it to 172.16.0.Y according to the NAT translation table, and then routes the translated packet (destination 172.16.0.Y) using the routing table.
If the R1 interface F0/0 goes down, the system reacts as follows:
  1. R1 removes the network 64.1.1.0/29 since interface F0/0 is down.
  2. R1 removes the static default route since it points to 64.1.1.6, which is now unreachable.
  3. R1 installs the OSPF default route into the routing table; the OSPF default route points to R2, which is 10.10.10.2.
  4. R2 becomes the active router for the WAN side HSRP since R1 interface F0/0 is down.
  5. R1's LAN side HSRP tracks interface F0/0; since F0/0 is down, R1's LAN side HSRP priority decreases to 80.
  6. R2 becomes the active router for the LAN side HSRP since R1's LAN side HSRP priority is now 80.
  7. At this point, R2 is the active HSRP router for both the LAN side and the WAN side.
  8. The outgoing traffic goes to R2 interface F0/1 since R2 is the active HSRP router on the LAN side, and the outgoing traffic is translated properly.
  9. The returning traffic goes to R2 interface F0/0 since R2 is the active HSRP router on the WAN side as well, and the returning traffic is properly translated against the existing NAT translation table.
  10. So there is no outage if R1 interface F0/0 goes down.
If the R1 interface F0/1 goes down, the system reacts as follows:
  1. R2 becomes the active HSRP router for the LAN side since R1 F0/1 is down.
  2. R1's WAN side HSRP tracks interface F0/1; since F0/1 is down, R1's WAN side HSRP priority is lowered to 80.
  3. R2 becomes the active router for the WAN side HSRP since R1's priority is now lower.
  4. The outgoing traffic goes to R2 interface F0/1 since R2 is the active HSRP router on the LAN side, and the outgoing traffic is translated properly.
  5. The returning traffic goes to R2 interface F0/0 since R2 is the active HSRP router on the WAN side as well, and the returning traffic is properly translated against the existing NAT translation table.
  6. There is no outage if R1 interface F0/1 goes down.
Note:
  • The key to making failover NAT work is to make sure the returning traffic is delivered to the correct NAT outside interface.
  • Also, the static NAT table does not respond to ARP requests.
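To make the failover sequence above concrete, here is an added Python model (example code, not part of the original post and not Cisco software). It reproduces the HSRP priority and tracking arithmetic of the R1/R2 configurations and keeps one NAT table per router, which is how IOS behaves without Stateful NAT: the static translations are configured on both routers and survive the failover, while a dynamic overload entry created on R1 (the constructed 65.65.65.6:40001 session) is unknown to R2, so that session's returning packets find no translation on R2 and the session has to be re-established. Interface names, priorities and decrements come from the configs above; the session values and the Fa0/0, Fa0/1 short names are constructed.

```python
# Added example (not the post's IOS config and not Cisco software): a model of the
# HSRP-tracked NAT failover. Priorities, decrements and tracked interfaces match
# the R1/R2 listings above; the PAT session values are constructed.
from dataclasses import dataclass, field

WAN, LAN = 1, 2                              # HSRP group numbers used in the post
GROUP_IFACE = {WAN: "Fa0/0", LAN: "Fa0/1"}   # group 1 on the WAN link, group 2 on the LAN


@dataclass
class Router:
    name: str
    ifaces: dict       # iface -> {"ip": str, "up": bool}
    priority: dict     # group -> configured standby priority
    tracks: dict       # group -> (tracked iface, decrement), i.e. "standby N track <if> <dec>"
    static_nat: dict   # inside global -> inside local, configured on both routers
    dynamic_nat: dict = field(default_factory=dict)  # "global:port" -> "local:port", this router only

    def effective_priority(self, group):
        p = self.priority[group]
        iface, dec = self.tracks.get(group, (None, 0))
        if iface is not None and not self.ifaces[iface]["up"]:
            p -= dec                        # tracked interface down: decrement applies
        return p

    def lookup_return(self, inside_global, port=None):
        """Reverse translation for a packet arriving on the NAT outside interface."""
        if inside_global in self.static_nat:
            return self.static_nat[inside_global]
        return self.dynamic_nat.get(f"{inside_global}:{port}") if port is not None else None


def hsrp_active(routers, group):
    """Highest effective priority wins among routers whose group interface is up;
    ties go to the higher interface IP, as HSRP does."""
    iface = GROUP_IFACE[group]
    up = [r for r in routers if r.ifaces[iface]["up"]]
    ip_key = lambda r: tuple(int(o) for o in r.ifaces[iface]["ip"].split("."))
    return max(up, key=lambda r: (r.effective_priority(group), ip_key(r))).name


def build_pair():
    static = {"65.65.65.1": "172.16.0.21", "65.65.65.2": "172.16.0.22"}
    r1 = Router("R1", {"Fa0/0": {"ip": "64.1.1.2", "up": True},
                       "Fa0/1": {"ip": "172.16.0.11", "up": True}},
                {WAN: 120, LAN: 120}, {WAN: ("Fa0/1", 40), LAN: ("Fa0/0", 40)}, dict(static))
    r2 = Router("R2", {"Fa0/0": {"ip": "64.1.1.3", "up": True},
                       "Fa0/1": {"ip": "172.16.0.12", "up": True}},
                {WAN: 100, LAN: 100}, {}, dict(static))   # IOS default priority, no tracking
    return r1, r2


def simulate(failed_iface=None):
    """Establish a PAT session through R1, then fail `failed_iface` on R1.
    Returns (WAN active, LAN active, static return translated?, dynamic return translated?)."""
    r1, r2 = build_pair()
    # constructed overload session from a workstation while R1 was active: entry on R1 only
    r1.dynamic_nat["65.65.65.6:40001"] = "172.16.0.130:51000"
    if failed_iface:
        r1.ifaces[failed_iface]["up"] = False
    wan = hsrp_active([r1, r2], WAN)
    lan = hsrp_active([r1, r2], LAN)
    gw = r1 if wan == "R1" else r2          # returning traffic follows the WAN virtual IP
    static_ok = gw.lookup_return("65.65.65.1") == "172.16.0.21"
    dynamic_ok = gw.lookup_return("65.65.65.6", 40001) == "172.16.0.130:51000"
    return wan, lan, static_ok, dynamic_ok


if __name__ == "__main__":
    for case in (None, "Fa0/0", "Fa0/1"):
        print(f"R1 {case or 'healthy'}:", simulate(case))
```

Both failure cases end with R2 active for both groups, and the static translation for the server keeps working because the same `ip nat inside source static` lines exist on R2. The overload session shows the limit of this design: its translation lives only in R1's table, so after failover the client's existing connection times out and a new one is built through R2.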
For Network Design, Build and Consulting Services, 
please visit:
www.unistreamnetworks.com

2 comments:

  1. Reboot the active router and you will see this message in syslog:
    %IP-4-DUPADDR
