
2 ISPs Failover - Static NAT for Servers

Hi,

We have a CISCO 1921/K9 router for ISP connectivity. We have 2 ISPs.

Route policy placed in Interface Fa0/1 for Proxy server traffic  through FA0/0/1. with static NAT (Default route)

Other public servers traffic through FA0/0 with STATIC NAT for  2 servers (2 static NAT).

Please find the attachment for details.

My query is: is there a possible way to perform auto-failover between the two ISPs?

My mail server's A record has a 24-hour TTL.

To perform auto-failover, should I add an additional A record with the IP of ISP 2?

Should I reduce the TTL?

Looking forward to your support.

4 Replies

Hello.

Actually, if you are talking about the mail server only (inbound connections), then the best way to have failover is to have 2 MX records for your domain (via the primary and via the secondary ISP), so you won't be dependent on DNS TTL.

So, no need for other tools, as SMTP has this as a built-in feature.

If we are talking about NAT configuration for 2 ISPs, you might have read the article:  http://docwiki.cisco.com/wiki/NAT_failover_with_DUAL_ISP_on_a_router_Configuration_Example

I would also note that it's possible for the mail server to accept inbound connections via both ISPs (simultaneously) if you could assign an additional internal IP address to your mail server, or could assign an additional port to the SMTP listener.

Please let me know your scenario and I could help you to craft the config.

Hi,

Thanks for your quick response.

We are using mail server & spamd server (outgoing mail scan) in public.

And Proxy server for Internet access - Default gateway (ISP2)

Single Internal IP address only assigned to mail server.

Static NATing configured public IPs from ISP1 Pool.

As per your suggestions, I have to add secondary Static NAT with ISP2 Pool.

Auto failover can be done by IP SLA (for outbound).

The other change I have to make is to add an additional internal IP for the mail server.

Please correct me if I'm wrong.

Hi.

If you are using proxy as a proxy ONLY (not a firewall), then there is no reason to use it as router (at least on WAN link).

It's better to move proxy server into inside network, so it could be used over primary and over secondary links (in case of failover).

Yes, IP SLA will help you to identify the interface traffic should flow into.

NAT with route-map will help you to apply the correct PAT (per destination interface).

If you assign an additional internal IP to your SMTP server, then you are configuring static translations over both ISPs based on the SMTP source (internal) IP address.

PS: please provide your NAT configuration including [falsified] IP-addresses.

PS2: you need 2 MX records for SMTP failover!
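The outbound half of what this reply describes (IP SLA to detect a dead link, NAT with a route-map per exit interface), as an added example that is not part of the original thread or of either poster's configuration. The interface names are taken from the thread; every address is a constructed documentation address, ISP2 is assumed to be the primary link, and the route-map names, the probe target and the ACL 101 contents are assumptions.

```cisco
! Constructed addresses (RFC 5737): ISP2 gateway 198.51.100.1, ISP1 gateway 203.0.113.1
!
! Probe the primary (ISP2) path; source-interface pins the probe to that link
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! The track object goes down when the probe stops getting replies
track 1 ip sla 1 reachability
!
! The primary default route is withdrawn while track 1 is down;
! the floating route (administrative distance 10) then takes over
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10
!
! Inside hosts that are allowed to be translated (assumed inside range)
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
!
! One route-map per exit interface, so PAT uses the address of the link in use
route-map NAT-ISP2 permit 10
 match ip address 101
 match interface GigabitEthernet0/1
route-map NAT-ISP1 permit 10
 match ip address 101
 match interface FastEthernet0/0/0
!
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT-ISP1 interface FastEthernet0/0/0 overload
```

This covers outbound traffic only; inbound mail failover still depends on the two MX records mentioned in the replies.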

Hi,

     Please find the NAT details.

#####################################################################
interface GigabitEthernet0/0
 description To Firewall
 ip address 10.*.*.* *.*.*.*
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PUB
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description ISP2
 ip address 125.17.*.* *.*.*.*
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
!
interface FastEthernet0/0/0
 description ISP1
 ip address 220.*.*.* *.*.*.*
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat pool Airtel 125.21.*.* 125.21.*.* netmask 255.255.255.240
ip nat pool reliance 220.227.*.* *.*.*.* netmask 255.255.255.240
ip nat inside source list 101 pool Airtel overload
ip nat inside source static (mailserver ip) 220.227.*.*
ip nat inside source static (spamdserver ip) 220.227.*.*
ip route 0.0.0.0 0.0.0.0 (ISP2 Gateway)
route-map PUB permit 10
 match ip address 102
 set ip next-hop 220.227.*.*
 set interface FastEthernet0/0/0
access-list 102 permit ip host (mailserver ip) any
access-list 102 permit ip host (spamdserver ip) any
########################################################
