[c-nsp] VRRP, NAT issue for incoming connections

Giles Coochey gcoochey at sapphire.gi
Fri Aug 3 04:37:08 EDT 2007


> Asymmetric routing occurs in this situation and any stateful firewall or
> a TCP based application (like SMTP) will deny this connection.
> 
> ADSL connection should only be used after the primary connection fails.
> Why are you trying to use ADSL while the primary production connection
> is still up?
> 

This is what I believe, I want to avoid Asymmetric routing at all costs,
and I think NATing the incoming SMTP connection on the ADSL router
would be the way to do that? Can I do that without affecting the
existing NAT in the opposite direction on a protocol basis? i.e. only SMTP traffic.

> Asymmetric routing issue will resolve by itself after the primary
> connection fails. I assume MX records were setup using the different
> priority values?
> 

Yes, the MX records have different priority values, with the highest
preference (lowest value) being the leased line, but some mail gateways still
seem to want to send (legitimate non-UBE) email through the ADSL IP
address.

> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Giles Coochey
> Sent: Wednesday, August 01, 2007 10:12 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VRRP, NAT issue for incoming connections
> 
> Hi,
> 
> I have a customer who has two connections, one ADSL and one leased-line
> connection, both are for Internet access.
> 
> They use NAT on both of these connections, and VRRP on the inside
> interfaces to detect a failure. ADSL is set as the backup interface
> while the leased-line connection is the active one.
> 
> They also have inbound NAT for port 25 (SMTP) to their mail gateway, to
> accept incoming mail, and they have set up MX records for both IPs on
> their ADSL & leased-line.
> 
> However, I find that the ADSL NAT does not work, which I believe is
> because their mail gateway routes the reply traffic through the active
> VRRP, so the sending mail server breaks the connection, because it gets
> responses from a different IP address than the one it initiated the
> connection with.
> 
> Any ideas on a solution to this? I'm thinking of something like reverse
> NAT to specific internal IP addresses to bypass the VRRP issue... but
> I'm unsure of whether I can NAT on only TCP/25 traffic...
> 
> The platforms are low end, routers are an 850 and 1841.
> 
> Appreciate any ideas you may have.
> 
>                   |------------|
>                   |            |         |-----|
>                   | Internet   |---------|Mail |
>                   |            |         |Svrs |
>                   |------------|         |-----|
>                     |        |
>            NAT->x   |        |   NAT->y
>                    850      1841
>                     |  VRRP  |
>                   |-----------
>                   |
>                |-----|
>                |Mail |
>                |Svr  |
>                |-----|
> 
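One way to do the protocol-specific "reverse NAT" raised in the thread on the ADSL router, as an added IOS configuration example that is not from the thread and was not confirmed by anyone in it; all addresses, interface names, ACL and pool names are assumed, and the VRRP priority is set so the 1841 stays master:

```cisco
! 850 (ADSL/backup) router, assumed addressing:
!   LAN            192.168.1.0/24, VRRP virtual address 192.168.1.1
!   850 inside     Vlan1 192.168.1.2 (VRRP backup, lower priority)
!   mail gateway   192.168.1.10
!   ADSL WAN       Dialer0 (its public address is the inside global address)
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 vrrp 1 ip 192.168.1.1
 vrrp 1 priority 90
!
interface Dialer0
 ip nat outside
!
! Existing outbound PAT for the LAN (left as it was)
ip access-list standard LAN
 permit 192.168.1.0 0.0.0.255
ip nat inside source list LAN interface Dialer0 overload
!
! Inbound SMTP arriving on the ADSL public address -> mail gateway
ip nat inside source static tcp 192.168.1.10 25 interface Dialer0 25
!
! The symmetry fix: additionally translate the SOURCE of those inbound
! SMTP sessions to a LAN address owned by the 850. The mail gateway then
! replies on-link to the 850 instead of via its default gateway (the VRRP
! address, held by the 1841), so the whole session stays on the ADSL path.
! Only packets matching this ACL are touched; all other NAT is unaffected.
! Keep 192.168.1.240-247 out of DHCP and unused by any host.
ip access-list extended SMTP-IN
 permit tcp any any eq 25
ip nat pool SMTP-SRC 192.168.1.240 192.168.1.247 netmask 255.255.255.0
ip nat outside source list SMTP-IN pool SMTP-SRC add-route
!
! Caveat: the mail gateway now sees these Internet senders as LAN
! addresses. Any relay rule that trusts 192.168.1.0/24 must exclude the
! pool range, or the gateway becomes an open relay via the ADSL path.
```

Each concurrent external sender holds one pool address until its dynamic translation ages out, so size the pool for the expected inbound session count. The mail gateway's logs will record the pool address rather than the real sender, so keep the 850's NAT translation log as the record of the original source.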


