
Network Design Problem

Status
Not open for further replies.

cs79 (ISP; joined Dec 22, 2003; 7 messages; location: MY)
Hi All,

I will be implementing a network using a Cisco 1721 router, with ADSL as its main link and ISDN as a DDR solution for redundancy.

The problem is that an email server needs to be located in the router's LAN segment. Worse yet, a Microsoft ISA firewall will sit between the router and the email server.

Normally this wouldn't pose a big problem. However, the DSL and ISDN providers are different, and therefore the ISDN link and the DSL link will be in different networks.

Since the email server must be able to receive email at all times, the email server must be somehow associated with 2 different public IPs at different times (if main link fails, DDR dials up..)

I did think of routing all traffic through the router to the ISA firewall and then from the ISA firewall, route all email traffic to the email server (with private IP). This might work but I'm not too sure about how ISA works.

Another problem exists when implementing Outlook Web Access on the web server. Since it runs on HTTP and HTTPS traffic, if I statically route it to the email server, that would mean even normal web browsing will end up there. The connection needs to be used not only for the email server but also for normal traffic (i.e. FTP, etc.).

Anyone have any idea how to get around this?

Thanks in advance.
 
I don't think you can do this with the NAT implementation under IOS if you want to translate the same set of ports.

I would use 2 routers and then use HSRP on the LAN. You would set the ADSL router to be HSRP active and the ISDN router to be standby; then on the ADSL router, track the ADSL interface and decrement the HSRP priority so it becomes standby. You would also need 'preempt' configured to allow the ADSL router to become active again once the ADSL line is restored.

Alternatively you could manually configure the router when the ADSL line went down...

With regards to ISA, you will need to publish a server through the publishing rules but again I don't think you can publish the same server/ports to different IP addresses? I am not too hot on ISA.

Andy
 
Hi Andy,

Thanks for the prompt reply. I've found out however that ISA would not support 2 external networks and therefore HSRP would not work.

I think I'll need to look for another way around this.

 
I think you misunderstood my post. What I suggested is 2 separate routers, both configured for NAT: the ADSL router will be NATing your internal source to the ADSL external address, and the ISDN router will be NATing the same internal source to the ISDN external address. HSRP will be used for default gateway redundancy; in a normal situation your ISA's default gateway will be the ADSL router, since it will be HSRP active. Should the ADSL fail, then via HSRP tracking the ISDN router will assume the IP address of the default gateway (it will become HSRP active). There will be no stateful failover etc., but it will give you what you want.
You would need to ensure your ISPs are forwarding traffic correctly; how you go about this will be tricky, since the DNS record of your mail server would need to be changed (DNS round robin???).
Outbound traffic is easy: NAT in each router will provide this without any trouble.

Andy
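As an added illustration of the two-router design Andy describes (this is not Andy's configuration or anything from the thread), here is what the ADSL router side could look like in IOS 12.x syntax. All addresses, the HSRP group number, the interface names (ATM0 for the ADSL WIC, FastEthernet0 for the LAN) and the ISA external address 192.168.1.10 are constructed assumptions; the ISDN router would carry a mirror-image configuration with a lower priority, no track statement, and NAT to its own BRI/Dialer address.

```cisco
! Added example: ADSL router in an HSRP pair. Values are constructed, not from the thread.
! Tracking the physical ATM0 rather than the Dialer is an assumption worth checking:
! dialer interfaces often stay up/up while the DSL line itself is down.
!
interface FastEthernet0
 description LAN towards the ISA external interface
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track ATM0 20
!
! Virtual address 192.168.1.1 is the ISA's default gateway.
! Priority 110 beats the ISDN router (assume 100); ATM0 down -> 90 -> ISDN router active.
! preempt lets this router take the active role back once ADSL returns.
!
interface ATM0
 description ADSL WIC
 no ip address
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 description ADSL PPP session (public address constructed, TEST-NET-3)
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
 encapsulation ppp
 dialer pool 1
!
! Outbound NAT: internal sources leave as the ADSL public address.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Inbound: publish SMTP and OWA (HTTPS) on this router's public address to the ISA,
! which then publishes them onward to the mail server on its private LAN.
ip nat inside source static tcp 192.168.1.10 25 203.0.113.10 25 extendable
ip nat inside source static tcp 192.168.1.10 443 203.0.113.10 443 extendable
!
ip route 0.0.0.0 0.0.0.0 Dialer0
```

Only inbound mail and OWA are statically mapped; general web and FTP traffic is handled by the overload rule, so ordinary browsing does not land on the mail server. `show standby brief` on both routers confirms which one is active after pulling the DSL line.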
 
Hi Andy,

Although your HSRP solution is an interesting solution to my problem, I strongly doubt that my client will fork out the extra cash for an extra router. As for the DNS part, I was going to associate the domain name with 2 MX records with different preference values.

Thanks anyway
 
There is no way you can do this with one router - unless you are prepared to reconfigure the router in a failure situation.
For the cost of another low-spec ISDN router (801/802)???

Andy
 
Hi Andy,

If the active router was doing NATing as well, correct me if I'm wrong but wouldn't traffic state info get lost on the active router if the standby router takes over?

It's been some time since I've done my BCMSN and worked with HSRP, so forgive me if I'm a little rusty.

Regards
 
Yes, there is no way you could maintain state information. This failover scenario means your source IP addresses will change (as well as the router). If you want stateful failover then you would need some portable IP address space that you can advertise to your ISPs (almost definitely BGP would be required also). You would then also need something like a pair of PIX firewalls running as a failover pair.
No offence intended, but the network you are describing is not really an enterprise class network, and I assume your customer hasn't got the cash to have this type of setup.
What I have suggested is a way around your problem that will work as long as you can get the MX records set up correctly in DNS. During a failover situation you will get a short period of instability while the ISDN router kicks in; after that, users should just notice the speed difference. I am not a DNS expert so I don't know how the 2 MX records work?

Andy
 
Here's one way you could have two public IPs going to your email server.

(using fictional IPs)

On email server:
(on the NIC, put two IP addresses)
Primary IP: 10.10.10.1
Secondary IP: 10.10.10.2

On the router try:

ip nat inside source static tcp 10.10.10.1 443 <public IP-1> 443 extendable
ip nat inside source static tcp 10.10.10.2 443 <public IP-2> 443 extendable

This way, any traffic coming in on either public address destined for port 443 will end up on the same machine. With having two private IPs on the same NIC, you avoid NAT mapping conflicts. Since both private IPs are in the same subnet, there is no routing/gateway conflict.

This worked for us.
 
Hi Andy,

You're right. It's not an enterprise setup. Unfortunately I'm forced to work within the constraints provided by my client. As they're not prepared for 2 routers or 2 firewalls, I might just need to NAT the traffic multiple times: through the router and then through the firewall again. Perhaps I can just route email-specific traffic from the router to the firewall and then route it to the email server.

Bierhunter,

Thanks for the suggestion. But this will only work if the email server is connected directly to my router and not sitting behind my firewall? Wouldn't the firewall need to do what you've just suggested instead of the router? I need to check to see if it can do that.
 