SNAT should be available in IOS on CCO around the first half of December. Please be aware that SNAT will be released in two phases as follows:

Phase 1
- SNAT for TCP/UDP protocols with NO embedded port info in the payload.
- Symmetric routing only
- inside NAT pools only

Phase 2 due out in 1Q'03
- support for protocols that embed port info in the payload. E.g. FTP, PPTP/GRE, Skinny, TFTP.
- Asymmetric routing support
- outside NAT pool support
- ip nat inside destination support

Hope this helps :)

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: 22 November 2002 04:32
To: [EMAIL PROTECTED]
Subject: RE: Stateful NAT Failover [7:57857]

Howard C. Berkowitz wrote:
> I've been hunting for specific technical documentation on stateful
> failover between NAT instances in two routers, or even PIX.

I don't know about routers, but there's an OK document about PIX failover here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

If you look at the section on Stateful Failover, you'll see that PIX address translation (xlate, static and dynamic) and connection (conn) records are passed to the standby unit from the active unit along with other state information.

PIX has a Logical Update (LU) software module that provides transport to PIX applications supporting stateful failover. The state update occurs from the active to standby through the LAN interface. The state update sent to the standby PIX is triggered by the application. The LU transport is UDP-like, with no retransmission. (Bet that's not what you thought LU stood for! ;-)

There's not a whole lot of detail in the document, but it might be a start.

Priscilla

> I can find lots of marketing references in the description of the
> Cisco GRIP architecture, and details of stateful IPsec failover. No
> details of NAT failover.
>
> On assorted search engines (Cisco and non-Cisco), it keeps coming
> back to stateful packet inspection, but not NAT per se.
>
> By stateful NAT failover, assume the following scenario:
>
> R1 is primary and R2 is backup. R1 knows its mappings from outside
> address/port to inside address/port. It shares this information with
> R2, which remains passive.
> Presumably, inside routers use HSRP to find the active NAT, which is
> on the DMZ. HSRP on the DMZ can tell the Internet access routers
> which NAT is active.
>
> Does anyone know where this is documented, or is it simply considered
> a subset of stateful packet inspection at the implementation, not
> marketing, level?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57926&t=57857