11-12-2013 03:30 AM - edited 03-04-2019 09:33 PM
Hi,
We have CISCO 1921/K9 Router for ISP Connectivity. We have 2 ISPs.
Route policy placed in Interface Fa0/1 for Proxy server traffic through FA0/0/1, with static NAT (default route).
Other public servers traffic through FA0/0 with STATIC NAT for 2 servers (2 static NAT).
Please find the attachment for details.
My query is: is there a possible way to perform auto-failover between the two ISPs?
My mail server's A-record has a 24-hour TTL.
To perform auto-failover, should I add an additional A-record with the IP of ISP 2?
Should I reduce the TTL?
Looking forward to your support.
11-12-2013 03:45 AM
Hello.
Actually, if you are talking about the mail server only (inbound connections), then the best way to have failover is to have 2 MX records for your domain (via primary and via secondary ISP), so you won't be dependent on DNS TTL.
So, no need for other tools, as SMTP has a built-in feature.
If we are talking about NAT configuration for 2 ISPs, you might have read the article: http://docwiki.cisco.com/wiki/NAT_failover_with_DUAL_ISP_on_a_router_Configuration_Example
I would also note that it's possible for the mail server to accept inbound connections via both ISPs (simultaneously) if you could assign an additional internal IP address to your mail server, or could assign an additional port to the SMTP listener.
Please let me know your scenario and I could help you to craft the config.
11-12-2013 04:00 AM
Hi,
Thanks for your quick response.
We are using mail server & spamd server (outgoing mail scan) in public.
And Proxy server for Internet access - Default gateway (ISP2)
Single Internal IP address only assigned to mail server.
Static NATing configured public IPs from ISP1 Pool.
As per your suggestions, I have to add a secondary static NAT with the ISP2 pool.
Auto failover can be done by IP SLA (for outbound).
The other change I have to do is add an additional internal IP for the mail server.
Please correct me if I'm wrong.
11-12-2013 04:14 AM
Hi.
If you are using the proxy as a proxy ONLY (not a firewall), then there is no reason to use it as a router (at least on the WAN link).
It's better to move the proxy server into the inside network, so it could be used over the primary and over the secondary links (in case of failover).
Yes, ip sla will help you to identify the interface traffic should flow into.
NAT with route-map will help you to apply the correct PAT (per destination interface).
If you assign an additional internal IP to your SMTP server, then you are configuring static translations over both ISPs based on the SMTP source (internal) IP address.
PS: please provide your NAT configuration including [falsified] IP-addresses.
PS2: you need 2 MX records for SMTP failover!
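The outbound half of what this reply describes (IP SLA to choose the exit interface, NAT with route-maps to apply the matching PAT), as an added IOS configuration example that is not from the thread or the linked Cisco article. Interface names follow the configuration posted later in this thread; the gateway addresses 192.0.2.1 (ISP1) and 198.51.100.1 (ISP2), the inside range 10.0.0.0/24, and the route-map names NAT-ISP1 and NAT-ISP2 are constructed placeholders.

```cisco
! Constructed placeholders: 192.0.2.1 = ISP1 gateway, 198.51.100.1 = ISP2 gateway,
! 10.0.0.0/24 = inside hosts. Replace with real values.
!
! Probe each ISP gateway out of its own interface every 10 seconds
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
!
! Track objects go down when the corresponding probe stops answering
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! ISP2 remains the preferred default route, as in the thread.
! The ISP1 route (administrative distance 10) takes over when track 2 is down.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 2
ip route 0.0.0.0 0.0.0.0 192.0.2.1 10 track 1
!
! Inside hosts that are PAT-ed (ACL 101 is the PAT list in the thread's config)
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
!
! One route-map per exit interface, so the translation follows the routing decision
route-map NAT-ISP1 permit 10
 match ip address 101
 match interface FastEthernet0/0/0
route-map NAT-ISP2 permit 10
 match ip address 101
 match interface GigabitEthernet0/1
!
! Interface-based PAT per ISP; this replaces a single "list 101 pool ... overload" line
ip nat inside source route-map NAT-ISP1 interface FastEthernet0/0/0 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1 overload
```

Probing only the ISP gateway detects loss of the next hop, not a failure further upstream. The static translations for the mail and spamd servers are not covered here.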
11-12-2013 04:39 AM
Hi,
Please find the NAT details.
#####################################################################
interface GigabitEthernet0/0
description To Firewall
ip address 10.*.*.* *.*.*.*
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip policy route-map PUB
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ISP2
ip address 125.17.*.* *.*.*.*
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
!
interface FastEthernet0/0/0
description ISP1
ip address 220.*.*.* *.*.*.*
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip nat pool Airtel 125.21.*.* 125.21.*.* netmask 255.255.255.240
ip nat pool reliance 220.227.*.* *.*.*.* netmask 255.255.255.240
ip nat inside source list 101 pool Airtel overload
ip nat inside source static (mailserver ip) 220.227.*.*
ip nat inside source static (spamdserver ip) 220.227.*.*
ip route 0.0.0.0 0.0.0.0 (ISP2 Gateway)
route-map PUB permit 10
match ip address 102
set ip next-hop 220.227.*.*
set interface FastEthernet0/0/0
access-list 102 permit ip host (mailserver ip) any
access-list 102 permit ip host (spamdserver ip) any
########################################################