[c-nsp] VRRP, NAT issue for incoming connections

Tolstykh, Andrew ATolstykh at integrysgroup.com
Wed Aug 1 11:45:15 EDT 2007


|However, I find that the ADSL NAT does not work, which I believe is
|because their mail gateway routes the reply traffic through the active
|VRRP, so the sending mail server breaks the connection, because it gets
|responses from a different IP address than the one it initiated the connection to.

Asymmetric routing occurs in this situation and any stateful firewall or
a TCP based application (like SMTP) will deny this connection.

The ADSL connection should only be used after the primary connection fails.
Why are you trying to use ADSL while the primary production connection
is still up?

The asymmetric routing issue will resolve by itself after the primary
connection fails. I assume the MX records were set up using different
priority values?


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Giles Coochey
Sent: Wednesday, August 01, 2007 10:12 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VRRP, NAT issue for incoming connections

Hi,

I have a customer who has two connections, one ADSL and one leased-line
connection, both are for Internet access.

They use NAT on both of these connections, and VRRP on the inside
interfaces to detect a failure. ADSL is set as the backup interface
while the leased-line connection is the active one.

They also have inbound NAT for port 25 (SMTP) to their mail gateway, to
accept incoming mail, and they have set up MX records for both IPs on
their ADSL & leased-line.

However, I find that the ADSL NAT does not work, which I believe is
because their mail gateway routes the reply traffic through the active
VRRP, so the sending mail server breaks the connection, because it gets
responses from a different IP address than the one it initiated the connection to.

Any ideas on a solution to this? I'm thinking of something like reverse
NAT to specific internal IP addresses to bypass the VRRP issue... but
I'm unsure of whether I can NAT on only TCP/25 traffic... 

The platforms are low end, routers are an 850 and 1841.

Appreciate any ideas you may have.

                  |------------|
                  |            |         |-----|
                  | Internet   |---------|Mail |
                  |            |         |Svrs |
                  |------------|         |-----|
                    |        |
           NAT->x   |        |   NAT->y
                   850      1841
                    |  VRRP  |
                  |-----------
                  |           
               |-----|
               |Mail |
               |Svr  |
               |-----|

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
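The asymmetric-return failure described in the reply above, as an added example that is not part of the thread: a small simulation of the inbound port-25 NAT on the ADSL router, the source NAT on whichever router is VRRP master, and the stateful check the sending host applies to the reply. All addresses are constructed placeholders; only the topology comes from the post.

```python
"""Simulate why the ADSL inbound NAT breaks while the leased line is VRRP master.

Constructed topology (addresses are made up for illustration):
  850  (ADSL)   public x = 198.51.100.10, DNATs tcp/25 to the mail server
  1841 (leased) public y = 203.0.113.10, VRRP active, SNATs outbound traffic
  Mail server   10.0.0.25
  Remote sender 192.0.2.5
"""
from dataclasses import dataclass

ADSL_PUBLIC = "198.51.100.10"    # x in the diagram
LEASED_PUBLIC = "203.0.113.10"   # y in the diagram
MAIL_SERVER = "10.0.0.25"
SENDER = "192.0.2.5"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def inbound_via_adsl(pkt: Packet) -> Packet:
    """The 850 applies the inbound static NAT: public x:25 -> mail server:25."""
    if pkt.dst == ADSL_PUBLIC and pkt.dport == 25:
        return Packet(pkt.src, pkt.sport, MAIL_SERVER, 25)
    return pkt


def reply_via_router(reply: Packet, active_public: str) -> Packet:
    """The VRRP master forwards the reply and source-NATs it to its own public IP."""
    if reply.src == MAIL_SERVER:
        return Packet(active_public, reply.sport, reply.dst, reply.dport)
    return reply


def sender_accepts(sent: Packet, received: Packet) -> bool:
    """Stateful check at the sender (or its firewall): the reply must mirror the 4-tuple."""
    return (received.src, received.sport, received.dst, received.dport) == (
        sent.dst, sent.dport, sent.src, sent.sport)


def smtp_handshake(active_public: str) -> bool:
    """Return True if the SYN/ACK for a connection to the ADSL IP is accepted."""
    syn = Packet(SENDER, 40000, ADSL_PUBLIC, 25)
    at_server = inbound_via_adsl(syn)
    syn_ack = Packet(at_server.dst, 25, at_server.src, at_server.sport)
    on_wire = reply_via_router(syn_ack, active_public)
    return sender_accepts(syn, on_wire)
```

With the leased line as VRRP master the SYN/ACK leaves with source y and is rejected; once the 850 becomes master after a failure the reply carries source x and the handshake completes, which is the self-resolving behaviour the reply describes.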
