[c-nsp] VRRP, NAT issue for incoming connections

Giles Coochey gcoochey at sapphire.gi
Wed Aug 1 11:12:01 EDT 2007


Hi,

I have a customer who has two connections, one ADSL and one leased-line
connection, both are for Internet access.

They use NAT on both of these connections, and VRRP on the inside
interfaces to detect a failure. ADSL is set as the backup interface
while the leased-line connection is the active one.

They also have inbound NAT for port 25 (SMTP) to their mail gateway, to
accept incoming mail, and they have set up MX records for both IPs on
their ADSL & leased-line.

However, I find that the ADSL NAT does not work, which I believe is
because their mail gateway routes the reply traffic through the active
VRRP, so the sending mail server breaks the connection, because it gets
responses from a different IP address than the one it initiated the
connection to.

Any ideas on a solution to this? I'm thinking of something like reverse
NAT to specific internal IP addresses to bypass the VRRP issue... but
I'm unsure of whether I can NAT on only TCP/25 traffic... 

The platforms are low end; the routers are an 850 and an 1841.

Appreciate any ideas you may have.

                  |------------|
                  |            |         |-----|
                  | Internet   |---------|Mail |
                  |            |         |Svrs |
                  |------------|         |-----|
                    |        |
           NAT->x   |        |   NAT->y
                   850      1841
                    |  VRRP  |
                  |-----------
                  |           
               |-----|
               |Mail |
               |Svr  |
               |-----|
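The asymmetric-return problem described in the post, and the "reverse NAT on TCP/25 only" idea the poster floats, as a small flow simulation. This is an added example, not code from the poster or from Cisco IOS; every address is a constructed documentation-range value (the ADSL public address x is 192.0.2.2 on the 850, the leased-line address y is 198.51.100.2 on the 1841, the inside subnet is 10.0.0.0/24 with the VRRP address 10.0.0.1 owned by the 1841, and the mail server is 10.0.0.10). The model shows why the SYN-ACK for an inbound connection via the 850 leaves the 1841 sourced from y, and how translating the inbound connection's source to the 850's own inside address makes the server route its reply straight back to the 850, where the NAT state lives. It also exposes the cost of that fix: the mail server no longer sees the real sender address, which matters for SMTP logging and any source-based anti-spam checks.

```python
"""Simulate inbound SMTP via a backup NAT router whose inside neighbour
(the mail server) defaults to a VRRP gateway owned by the other router.
All addresses are constructed documentation-range values."""
from dataclasses import dataclass, replace as dc_replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Stateful NAT router with one outside and one inside address."""

    def __init__(self, name, outside_ip, inside_ip, server_ip, reverse_nat=False):
        self.name, self.outside_ip, self.inside_ip = name, outside_ip, inside_ip
        self.server_ip = server_ip
        self.reverse_nat = reverse_nat   # also translate the *source* of TCP/25
        self.table = {}                  # reply 4-tuple -> original outside packet

    def inbound(self, pkt):
        """Internet -> inside: static port-forward of TCP/25 to the mail server."""
        if pkt.dst != self.outside_ip or pkt.dport != 25:
            return None  # not a flow this router forwards
        inner = Packet(pkt.src, pkt.sport, self.server_ip, 25)
        if self.reverse_nat:
            # Hide the sender behind this router's own inside address so the
            # server's reply is routed straight back here, not to the VRRP gateway.
            inner = dc_replace(inner, src=self.inside_ip)
        # Remember how to restore the reply: key is the tuple the reply will carry.
        self.table[(inner.dst, inner.dport, inner.src, inner.sport)] = pkt
        return inner

    def outbound(self, pkt):
        """Inside -> Internet: untranslate a known flow, else open a new entry."""
        orig = self.table.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is not None:
            return Packet(orig.dst, orig.dport, orig.src, orig.sport)
        # Unknown flow: this router has no state, so it creates a fresh
        # translation behind its own public address (the wrong one here).
        return dc_replace(pkt, src=self.outside_ip)


def route_inside(pkt, routers, vip_owner):
    """Inside routing as the mail server sees it: directly connected router
    addresses are reached directly, everything else goes to the VRRP master."""
    for r in routers:
        if pkt.dst == r.inside_ip:
            return r
    return vip_owner


def simulate(reverse_nat):
    """Return what the external sender sees for a SYN to the ADSL MX address."""
    server = "10.0.0.10"
    r850 = NatRouter("850", "192.0.2.2", "10.0.0.2", server, reverse_nat)   # ADSL, backup
    r1841 = NatRouter("1841", "198.51.100.2", "10.0.0.3", server)           # leased line, VRRP master
    syn = Packet("203.0.113.5", 40000, r850.outside_ip, 25)                 # constructed sender
    inner = r850.inbound(syn)
    syn_ack = Packet(inner.dst, inner.dport, inner.src, inner.sport)        # server's reply
    via = route_inside(syn_ack, [r850, r1841], vip_owner=r1841)
    wire = via.outbound(syn_ack)
    return {
        "server_sees_sender": inner.src,
        "reply_via": via.name,
        "reply_src": wire.src,
        # The sender only accepts a SYN-ACK from the address it connected to.
        "connection_ok": wire.src == syn.dst and wire.dst == syn.src,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("reverse_nat=%s -> %s" % (mode, simulate(mode)))
```

Without the source translation the reply leaves the 1841 from 198.51.100.2 and the sender drops the connection; with it the reply leaves the 850 from 192.0.2.2 and the handshake completes, at the price of the server logging 10.0.0.2 as the client for every connection that arrived over the ADSL line.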


