I have a question about designing a failover for SMTP server between HQ site and DR site.
I have web servers failover using this CSS.
I have a one armed config and cannot change it, I am using
"add destination service" for the web servers and it works.
The problem is that on a Mail server, it can initiate connections to send mail from the inside and I am thinking I will have reverse lookup problems when the connection to remote mail domains from my server will NAT from the PIX rather than the CSS.
I have looked into having all traffic route through the CSS from the PIX firewalls to the edge router.
I am also wondering about having PTR records in our hosted DNS for the 4 IP Addresses that traffic could originate from (two at HQ and two at DR).
I am not sure which way to go with this, but I need to get something set up for a DR test next month.
Does anyone have any input about this?
Are the PTR records an OK way to go?
What about forcing the traffic through the CSS, then from the CSS to the edge router?
Basically, your concern is traffic originated from the mail server.
You want to make all this traffic look as if coming from a single unique server IP.
So, I would say you need to NAT this traffic with the VIP address and you can do it using an ACL on the CSS.
Then the PIX can, if needed, NAT this VIP address into a public address.
So from outside to inside, clients communicate with the public address which is NATed by the PIX into the VIP address. Traffic is load balanced to the servers and everything is ok.
From inside to outside, the CSS NATs the server IP into the VIP address with the ACL, which the PIX translates into the public IP, and if a reverse lookup is done, it should show the mail server name of your company.
The CSS, edge router and PIX are all sitting in the same LAN with the VIP address being a public IP address and the services have public IP addresses also.
So the CSS is sitting on the outside network.
The CSS is taking inbound and sending to the PIX NATed address; if that server is down, the CSS forwards to the second PIX NATed address.
Inbound the traffic all hits the VIP and the CSS forwards it to the public IP NAT on the outside interface of the PIX. That works ok.
The problem is on the outbound. I am not sure if I should try and force the e-mail traffic through the CSS (from PIX to CSS to edge router and out), or make sure the hosted DNS will have PTR records of the NATed addresses of the servers (bypassing the CSS outbound).
Our failover scenario depends on the default gateway being dynamic, so I cannot static route through the CSS to the edge router.
My understanding is that if I can get the traffic to flow back through the CSS even in one-armed mode, with the CSS sitting outside the PIX, the traffic will be sourced from the VIP address and I do not need to use "destination service".
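The PTR option discussed above hinges on what a receiving MTA actually verifies: the PTR for the source address must name the mail host, and that name must resolve back to the same address (forward-confirmed reverse DNS). The script below is an added example, not from this thread; it audits a list of possible outbound source addresses (two at HQ, two at DR, as in the poster's design) against constructed sample DNS data, with hypothetical names and addresses, and the lookups are stubbed so it runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) audit for outbound mail source IPs.

Added example. Checks what a remote MTA checks on an inbound SMTP connection:
PTR(ip) -> hostname, and A(hostname) must contain ip.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample DNS data (hypothetical hostname and documentation-range IPs).
# Replace the stub lookups with a real resolver in practice; stubbed to run offline.
SAMPLE_PTR: Dict[str, str] = {
    "198.51.100.10": "mail.example.com",   # HQ, primary PIX NAT address
    "198.51.100.11": "mail.example.com",   # HQ, secondary
    "203.0.113.10": "mail.example.com",    # DR, primary
    # 203.0.113.11 deliberately has no PTR: the gap the audit should flag
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.example.com": ["198.51.100.10", "198.51.100.11", "203.0.113.10"],
}


def stub_ptr(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def stub_a(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])


def check_fcrdns(ip: str, expected_host: str,
                 ptr_lookup: Callable[[str], Optional[str]] = stub_ptr,
                 a_lookup: Callable[[str], List[str]] = stub_a) -> Tuple[bool, str]:
    """Return (ok, reason) for one source address."""
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    host = ptr_lookup(ip)
    if host is None:
        return False, "no PTR record"
    if host.rstrip(".").lower() != expected_host.rstrip(".").lower():
        return False, f"PTR points to {host}, expected {expected_host}"
    if ip not in a_lookup(host):
        return False, f"{host} does not resolve back to {ip}"
    return True, "forward-confirmed"


def audit(ips: List[str], expected_host: str) -> Dict[str, Tuple[bool, str]]:
    """Check every address that outbound mail may be sourced from."""
    return {ip: check_fcrdns(ip, expected_host) for ip in ips}


if __name__ == "__main__":
    sources = ["198.51.100.10", "198.51.100.11", "203.0.113.10", "203.0.113.11"]
    for ip, (ok, why) in audit(sources, "mail.example.com").items():
        print(f"{ip:15} {'OK ' if ok else 'BAD'} {why}")
```

Run it against the real four addresses once the hosted DNS changes are in, swapping the stub lookups for resolver calls; any BAD line is an address whose outbound mail will fail the reverse check at the far end.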