I have worked with this quite a bit. I understand how it is supposed to work and can get SNAT and stateful CBAC to work well independently of one another. I labbed this up and had the same issues. Everything worked until I get to 2.8. Then SNAT breaks.

So I decided to revert and bring in the final configs on R1 and R6. The error went away, but SNAT was broken worse than ever. I noticed that the "ip inspect log drop-pkt" was not in the config (probably not a requirement, but it is quite handy). I put that in expecting to see the error. No error, but no SNAT peers either. I decided to remove the ACL and INSPECT from fa0/1.1256. Still no go. Then I noticed that the nat statement is completely missing from the final config on R6. It is also missing in the download from the download area. I added the nat statement and SNAT converged. I went back and merged the rest of the config back in and all was still well. Then stateful CBAC required 2 reboots of R6. At this point, with "ip inspect log drop-pkt" enabled, the errors return and stateful NAT is no longer converging.

So I don't know if this is a bug or what. However, I'm not sure this lab fully works when you bring 2.8 into the picture. As I mentioned earlier, I do question the stateful ID number. It seems to work even with them both being the same until you actually turn the inspections on in 2.8. However, every book and document that I can find that has any detail says this is used to determine which router created a NAT entry and should be unique per router. Basically it is an extra field in a NAT entry. I'm not sure how that matters, unless it gives special rights to the router to delete those translations.

I guess I am curious if anyone has made certain that CBAC HA was functioning correctly, then rechecked Stateful NAT to see that the child entries were creating? Am I missing something?

On Sat, Aug 1, 2009 at 9:50 AM, Paul Stewart <[email protected]> wrote:

> They are not propagated. However, they were, even after the CBAC and the INSPECT HA were configured. Once I rebooted, and a "show redundancy inter-device" showed good, SNAT was no longer propagated.
>
> On Sat, Aug 1, 2009 at 9:38 AM, Tyson Scott <[email protected]> wrote:
>
>> Sorry,
>>
>> Let me correct that. Did you check the Stateful NAT table to see if the entries are properly propagated?
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>> Telephone: +1.810.326.1444
>> Cell: +1.248.504.7309
>> Fax: +1.810.454.0130
>> Mailto: [email protected]
>>
>> Join our free online support and peer group communities: http://www.IPexpert.com/communities
>>
>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Paul Stewart
>> *Sent:* Friday, July 31, 2009 10:18 PM
>> *To:* [email protected]
>> *Subject:* [OSL | CCIE_Security] 2a HA Items
>>
>> I get the following when I combine stateful CBAC and Stateful NAT. When I enable Stateful NAT all is well. Stateful CBAC all is well, until you do the reboot that is required to bring the redundancy scheme into sync. Then it seems as though it breaks the stateful NAT. Really in this case, stateful NAT is unnecessary, because it is all one to one. However, the directions ask for stateful NAT, so I assume that we need to get it so the child sessions can be created. I guess my question is what is the error below trying to tell me?
>>
>> *Aug 1 03:11:57.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 12839
>> R6#
>> *Aug 1 03:12:27.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 13323
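Added example, not from this thread or from IPexpert's lab materials: a small Python filter for the %FW-6-DROP_PKT messages quoted above. It tallies HA-standby drops per flow, so a standby that keeps dropping the same session (no synced inspect/NAT state for it) stands out from a one-off drop during a failover. The sample log is constructed from the two quoted lines plus one unrelated IOS message; field names are my own.

```python
import re
from collections import Counter

# Regex for the %FW-6-DROP_PKT message shape quoted in the thread.
# The "with ip ident N" tail is optional so other drop reasons still parse.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?)(?: with ip ident (?P<ident>\d+))?\s*$"
)

# Constructed sample syslog excerpt: the two lines from the thread plus
# one unrelated message, so the filter has something to ignore.
SAMPLE_LOG = """\
*Aug 1 03:11:57.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 12839
*Aug 1 03:12:27.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 13323
*Aug 1 03:12:40.001: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_drop(line):
    """Return a dict for one %FW-6-DROP_PKT line, or None for any other message."""
    m = DROP_RE.search(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ident"] = int(rec["ident"]) if rec["ident"] else None
    # True when the router dropped the packet because it believes it is the standby.
    rec["standby"] = "HA standby" in rec["reason"]
    return rec


def standby_drops_by_flow(log_text):
    """Count HA-standby drops per (proto, src:port, dst:port) flow."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_drop(line)
        if rec and rec["standby"]:
            key = (rec["proto"], f"{rec['src']}:{rec['sport']}", f"{rec['dst']}:{rec['dport']}")
            counts[key] += 1
    return counts


def repeated_standby_flows(log_text, threshold=2):
    """Flows dropped on the standby at least `threshold` times: the persistent case."""
    return {k: n for k, n in standby_drops_by_flow(log_text).items() if n >= threshold}
```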
