[c-nsp] hsrp with static and dynamic nat for the same outside ip addr and nat timeouts
Daniel Staněk
dan at orb.cz
Sat Dec 20 14:59:30 EST 2008
Hi friends,
is it OK to have an HSRP NAT configuration like this?
ip nat Stateful id 1
 redundancy dmz
  mapping-id 1
  interface Vlan2
  protocol udp
ip nat pool outside-dynamic a.a.a.a a.a.a.a netmask 255.255.255.248
ip nat inside source route-map nat-fast00 pool outside-dynamic mapping-id 1 overload
ip nat inside source static tcp 10.142.27.101 25 a.a.a.a 25 redundancy dmz extendable
The idea is to have two 2811's with HSRP configured at the inside
interface and doing both static TCP and dynamic overload NAT translation
using the same outside IP address.
It seems to be functional but with one small problem - the NAT
translation table of the active router is full of timing-out TCP
sessions to port 25 (the children of the static NAT entry). The only way
to reduce this is to reduce the NAT TCP timeout value, otherwise there are
thousands of active translations even if the TCP connection has finished
(with the default timeout of one day).
Do you think it is an IOS bug or a design error?
Thanks for any advice
Dan Stanek
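As an added illustration (not the poster's configuration, and not an answer to whether SNAT should behave this way), these are the IOS NAT timers and the show command a practitioner would use to narrow down which entries linger and why; the 3600/30 second values are assumed examples, and a.a.a.a stays a placeholder as in the post.

```cisco
! Added example, not from the original post.
!
! Two different timers govern a TCP translation (and the child entries
! spawned by a static port-25 mapping):
!   tcp-timeout    - idle established sessions; default 86400 s (one day),
!                    which is the "one day" the post refers to
!   finrst-timeout - sessions on which a FIN or RST was seen; default 60 s
! A connection that ended without the router seeing the FIN/RST exchange
! (asymmetric path, HSRP failover mid-session) only ages out by tcp-timeout,
! so lowering it bounds how long such finished sessions occupy the table.
ip nat translation tcp-timeout 3600
ip nat translation finrst-timeout 30
!
! Check which timer an entry is actually counting down on:
!   show ip nat translations verbose
! ("time left" per entry; entries in the finished state should show the
! shorter finrst timer, idle-but-open ones the tcp timer)
!
! Count the port-25 children of the static mapping to watch the growth:
!   show ip nat translations | count :25
```

If the `verbose` output shows finished sessions still on the long timer, the router never saw their FIN/RST, which points at the traffic path or the failover rather than at the static/dynamic sharing of a.a.a.a.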