[c-nsp] VRRP, NAT issue for incoming connections

Tolstykh, Andrew ATolstykh at integrysgroup.com
Fri Aug 3 15:11:19 EDT 2007


Legitimate SMTP gateways should never skip a reachable lower value MX
record. You can consider getting a simple SMTP relay service from an
external provider (postini.com/godaddy.com etc.). This way all
internal/external email delivery will go through the smart host.

-----Original Message-----
From: Giles Coochey [mailto:gcoochey at sapphire.gi] 
Sent: Friday, August 03, 2007 3:37 AM
To: Tolstykh, Andrew; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] VRRP, NAT issue for incoming connections

> Asymmetric routing occurs in this situation and any stateful firewall or
> a TCP based application (like SMTP) will deny this connection.
> 
> ADSL connection should only be used after the primary connection fails.
> Why are you trying to use ADSL while the primary production connection
> is still up?
> 

This is what I believe, I want to avoid asymmetric routing at all costs,
and I think NATing the incoming SMTP connection on the ADSL router
would be the way to do that? Can I do that without affecting the
existing NAT in the opposite direction on a protocol basis? i.e. only
SMTP traffic.

> Asymmetric routing issue will resolve by itself after the primary
> connection fails. I assume MX records were setup using the different
> priority values?
> 

Yes, the MX records have different priority values, with the highest
preference (lowest value) being the leased line; some mail gateways
still seem to want to send (legitimate non-UBE) email through the ADSL
IP address.

> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Giles Coochey
> Sent: Wednesday, August 01, 2007 10:12 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VRRP, NAT issue for incoming connections
> 
> Hi,
> 
> I have a customer who has two connections, one ADSL and one leased-line
> connection, both are for Internet access.
> 
> They use NAT on both of these connections, and VRRP on the inside
> interfaces to detect a failure. ADSL is set as the backup interface
> while the leased-line connection is the active one.
> 
> They also have inbound NAT for port 25 (SMTP) to their mail gateway, to
> accept incoming mail, and they have set up MX records for both IPs on
> their ADSL & leased-line.
> 
> However, I find that the ADSL NAT does not work, which I believe is
> because their mail gateway routes the reply traffic through the active
> VRRP, so the sending mail server breaks the connection, because it gets
> responses from a different IP address than the one to which it
> initiated the connection.
> 
> Any ideas on a solution to this? I'm thinking of something like reverse
> NAT to specific internal IP addresses to bypass the VRRP issue... but
> I'm unsure of whether I can NAT on only TCP/25 traffic...
> 
> The platforms are low end, routers are an 850 and 1841.
> 
> Appreciate any ideas you may have.
> 
>                   |------------|
>                   |            |         |-----|
>                   | Internet   |---------|Mail |
>                   |            |         |Svrs |
>                   |------------|         |-----|
>                     |        |
>            NAT->x   |        |   NAT->y
>                    850      1841
>                     |  VRRP  |
>                   |-----------
>                   |
>                |-----|
>                |Mail |
>                |Svr  |
>                |-----|
> 
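As an added illustration (not part of the thread, and not a configuration for the 850 or 1841), here is a small Python model of the topology in the diagram above. It traces one SMTP connection arriving at the ADSL public IP, shows why the sender sees the reply from the leased-line address and drops it, and shows how rewriting the connection's source at the ADSL router keeps the reply on the same path. All addresses are constructed for the example.

```python
# Toy model of the poster's topology (constructed addresses, not the customer's).
from dataclasses import dataclass

ADSL_PUBLIC = "203.0.113.10"     # "x" in the diagram (850, ADSL)
LEASED_PUBLIC = "198.51.100.10"  # "y" in the diagram (1841, leased line)
ADSL_INSIDE = "192.168.1.2"      # 850 LAN interface
LEASED_INSIDE = "192.168.1.3"    # 1841 LAN interface, currently VRRP master
MAIL_SERVER = "192.168.1.25"     # default gateway is the VRRP VIP, held by the 1841

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def smtp_via_adsl(sender_ip, sender_port, reverse_nat=False):
    """Trace one inbound SMTP connection that hits the ADSL public IP.
    Returns (reply as seen on the Internet, whether the sender's stateful
    connection table accepts it)."""
    # 1. The 850 applies its static port-25 NAT. With reverse_nat it also
    #    rewrites the source to its own LAN address (the poster's "reverse NAT").
    inside_src = ADSL_INSIDE if reverse_nat else sender_ip
    to_server = Packet(inside_src, MAIL_SERVER, sender_port, 25)
    # 2. The mail server replies. An on-LAN destination is reached directly;
    #    anything else goes to the default gateway, i.e. the VRRP master (1841).
    reply = Packet(MAIL_SERVER, to_server.src, 25, sender_port)
    egress = ADSL_INSIDE if reply.dst == ADSL_INSIDE else LEASED_INSIDE
    # 3. Whichever router forwards the reply NATs it. Only the 850 holds state
    #    for this flow, so only it can restore the original 5-tuple.
    if egress == ADSL_INSIDE:
        on_wire = Packet(ADSL_PUBLIC, sender_ip, 25, sender_port)
    else:
        on_wire = Packet(LEASED_PUBLIC, sender_ip, 25, sender_port)  # source is now "y"
    # 4. The sender expects the reply from the address it connected to.
    expected = Packet(ADSL_PUBLIC, sender_ip, 25, sender_port)
    return on_wire, on_wire == expected

if __name__ == "__main__":
    for mode in (False, True):
        wire, ok = smtp_via_adsl("192.0.2.7", 40000, reverse_nat=mode)
        print(f"reverse_nat={mode}: reply from {wire.src}, accepted={ok}")
```

The model also makes the trade-off visible: once the source is rewritten, the mail server sees every ADSL-delivered connection as coming from the 850's LAN address, so its logs and any IP-based anti-spam checks lose the real client address.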
