In this How To, we explain Cisco SNAT. Cisco SNAT allows two or more routers performing the NAT function as a group.
This is really handy for redundancy purposes, and can be used in conjunction with Cisco’s HSRP function (click here to see how HSRP is configured).
The NAT routers are going to exchange information in their NAT translation databases with each other. Whenever a new NAT connection occurs via one of the NAT routers, the router relays that information to the others in the SNAT group. But these routers aren’t just exchanging the IP addresses of the NAT IP flows; they’re also exchanging the TCP state of those flows. The standby routers have already created the NAT translation table and are waiting for a failure on the active router. In other words, the purpose for this exchange of NAT flow information is to ensure one of the standby NAT routers can take over if the active NAT router goes down. While you can configure SNAT in its own primary/backup mode, it works best when configured with HSRP.
Cisco has released SNAT in phases:
- In the first phase, released in Cisco in IOS 12.2(13)T, it only worked with protocols that didn’t contain IP information in the application layer.
- As of Cisco IOS 12.3(7)T, SNAT supports applications that have IP information embedded in the application layer, such as FTP.
- Cisco released some scalability enhancements for SNAT in IOS 12.4(4)T.
We are going to show you how to configure SNAT with HSRP.
Start by using the regular HSRP standby commands on your HSRP interfaces. You will also need to configure an HSRP router with a group name of SNATHSRP to use the SNAT HSRP API.
Your standby command might look something like this:
standby name SNATHSRP
standby ip 10.0.0.3 secondary
You also need to ensure the full exchange of NAT state information between the routers in the SNAT group. Here’s an example:
standby delay reload 60
standby 1 preempt delay minimum 60 reload 60 sync 60
After exiting Interface Configuration Mode, enter the ip nat stateful command; make sure it includes the same SNATHSRP group name. Here’s an example:
ip nat stateful id 1 redundancy SNATHSRP mapping-id 10
Now, you can enter your standard NAT commands to create your translation pools. Here’s an example:
ip nat pool snatpool1 10.0.0.5 10.0.0.15 prefix-length 24
ip nat inside source route-map snatrtmap1 pool snatpool1 mapping-id 10 overload
Now, create your access control list and route map, according to the network for which you’re configuring NAT. Here’s an example:
access-list 101 permit ip 10.10.10.0 0.0.0.255 22.214.171.124 0.0.0.255
route-map snatrtmap1 permit 10match ip address 101
Finally, configure the other routers in your SNAT and HSRP pools to communicate. After that, you can use the traditional NAT commands such as show ip nat translations and show ip nat statistics, as well as theshow ip snat command.
The combination of SNAT and HSRP working together preserves NAT translations when a failure occurs. A standby router can step in and take over the active role, possibly without users ever realizing there was a failure. Even better, you can be home asleep when it happens.
We hope this helps.