We have a PI class C network, an AS and a router (3845) to support connections to two ISPs using BGP. In this network we installed two MS TMG 2010 servers using MS NLB. Let's say that we have the following "inside" scheme:
x.x.x.0 - globally routable network (/24)
x.x.x.1 - router interface address
x.x.x.11 - primary virtual NLB IP address
x.x.x.12 - first MS TMG server
x.x.x.14 - second MS TMG server
Everything works fine but there is one problem - SMTP. All incoming connections go to x.x.x.11 and then through the TMG farm to our SMTP server, but outgoing connections use both x.x.x.12 and x.x.x.14, and mail servers refuse to get mail from ONE server (mail.something.ru) using two different addresses.
The idea is to use NAT and change the source IPs to one address (x.x.x.12 -> x.x.x.15, x.x.x.14 -> x.x.x.15) so that the peers' mail servers see only x.x.x.15. We do the following:
ip nat outside - on two interfaces to ISPs
ip nat inside - on x.x.x.1 interface
ip nat pool NLB11 x.x.x.15 x.x.x.15 netmask 255.255.255.0
ip nat inside source list 111 pool NLB11 overload
access-list 111 permit tcp host x.x.x.12 any eq smtp
access-list 111 permit tcp host x.x.x.14 any eq smtp
I understand that this is somehow tricky because the outside pool is on the same network. This combination even works sometimes, but not always. Some mail servers allow "telnet mail.xxx.yyy 25" and others do not. The "show ip nat tra" command really shows the tcp sessions, but it seems to me that sometimes we don't get the return packets. I even tried static NAT instead of a dynamic pool (just for one address):
ip nat inside source static x.x.x.12 x.x.x.15
The result is exactly the same.
Probably the router sends the NATed packet through one outside interface but the return packet comes back through the other and goes un-NATed.
Does anybody have some thoughts about it? Maybe there is a completely different scheme to resolve such a problem? Please do not propose to place the TMG farm in 192.168.xxx.0 and do full NAT on the router. The TMG farm is already a NAT "device" and our router is not a performance leader.
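To check from the router side what the post describes (whether every SMTP session from the two TMG hosts really leaves as x.x.x.15, or whether some sessions are missing from the table or translated to a different address), here is an added Python checker for "show ip nat translations" output. It is not from the post; the sample output and the 203.0.113.0/24 addresses standing in for x.x.x.0/24 are constructed.

```python
import re

# Constructed sample `show ip nat translations` output (assumption, not from the post); 203.0.113.0/24 stands in for x.x.x.0/24.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.15:49201 203.0.113.12:49201 198.51.100.25:25   198.51.100.25:25
tcp 203.0.113.15:49377 203.0.113.14:49377 192.0.2.10:25      192.0.2.10:25
tcp 203.0.113.14:50010 203.0.113.14:50010 192.0.2.20:25      192.0.2.20:25
--- 203.0.113.15       203.0.113.12       ---                ---
"""

def split_addr(field):
    # '203.0.113.15:49201' -> ('203.0.113.15', 49201); '---' -> (None, None)
    if field == "---":
        return None, None
    ip, sep, port = field.rpartition(":")
    return (ip, int(port)) if sep else (field, None)

def parse_translations(text):
    """Parse the five-column table into dicts; static entries keep proto None."""
    keys = ("inside_global", "inside_local", "outside_local", "outside_global")
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 5 and cols[0] != "Pro":
            entry = dict(zip(keys, map(split_addr, cols[1:])))
            entry["proto"] = None if cols[0] == "---" else cols[0]
            entries.append(entry)
    return entries

def smtp_sources(entries, nlb_members):
    """Map each NLB member to the inside-global addresses its tcp/25 sessions were
    translated to; a member missing from the result had no SMTP translation at all."""
    seen = {}
    for e in entries:
        src_ip, _ = e["inside_local"]
        _, dst_port = e["outside_global"]
        if e["proto"] == "tcp" and src_ip in nlb_members and dst_port == 25:
            seen.setdefault(src_ip, set()).add(e["inside_global"][0])
    return seen

def check_single_source(entries, nlb_members, expected_global):
    """Return findings; an empty list means every member's SMTP leaves as expected_global."""
    findings = []
    sources = smtp_sources(entries, nlb_members)
    for member in sorted(nlb_members):
        used = sources.get(member, set())
        if not used:
            findings.append(f"{member}: no SMTP translation present")
        elif used != {expected_global}:
            findings.append(f"{member}: translated to {sorted(used)}")
    return findings
```

Run it against the real output captured while the problem reproduces; a member with no translation means its mail traffic did not match the NAT rule, and a member with more than one global address means a second rule is translating it.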