cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
356
Views
8
Helpful
4
Replies

Mail Server Redundancy in DMZ

Kevin Melton
Level 2
Level 2

I have a customer whom has 2 connections at the edge, ISP 1 at Edge A and ISP 2 at Edge B. Each edge is a 2611 router which hands off to a PIX 515 E.

I have an allotment of public addresses from each of the two providers.

I want to place a Mail Server Front End in my DMZ. The DMZ is comprised of the Inside interfaces of the two PIX's just mentioned as well as a 3rd PIX which effectively guards the Inside Perimeter.

My question is this: Can I set up NAT translations on each of the Edges (obviously I can; I want to know if this will work!) for the Mail Server in the DMZ.

The reason that I ask this is that if in fact one of the ISP connections were to fail I would like to have a redundant configuration that would dynamically enable our Customer's Corporate Email to continue functioning.

Thanks in advance!

4 Replies 4

wiluszm
Level 1
Level 1

k-melton,

In this configuration I would make the 2 telecom companies works for you. We have redundant 2811s facing the Internet. Both peer using BGP to our providers... and we take on full routing tables (this is the norm at most places). We simply requested to advertise our primary subnet out both providers. This took filling out forms but was completed relatively quickly (we use Time Warner & PaeTec). In the event of a link failure, our Internet address range is already being advertised out the other provider. No changes to a NAT or firewall required for the failover. This bypasses any NAT and the configuration is minimal to use this technique. I could turn off one of the 2811s right now and there would be no hiccup in our operations. I'd prefer this solution over a dual-NAT (once on the firewall, then on the router?). I know it's a pain to deal with the providers but it really is an easy request and they're paid to work for you. Hope this helps and if you have any questions let me know.

-Mike

http://cs-mars.blogspot.com

Mike's solution is the way most compainies do this.

The issue you have with tring to implement mikes method as well as your nat solution is that you state you have "pools of public addresses you got from your isps"

You must have your own regitered IP's to use a bgp based solution. You will also need a AS number but getting a block of ip's will be the challenge.

To your NAT solution. This works well for outgoing sessions but gets complex for incoming ones. The main issue is how the person on the outside knows which of your NAT'ed address to use. You must use the pool of addresses owned by each provider on their connection, you cannot cross them. This is primarialy a DNS problem and you will have to work with your upstream DNS providers. In your case you are somewhat lucky you are talking mail and not something like a web server. Smtp mail software understands multiple paths and will try them all eventually to deliver mail. Its been a very long time since I defined MX records in a DNS so there may be something I am forgetting but I am sure you can still do this.

Thanks so much for your accurate response to my issue.

Ironically enough, I do have to put a Web Server in my DMZ.

Either he won't be redundant out both links, or I will have to pursue what Mike had recommended (which I actually like, I just cant stand dealing with the folks at Sprint!). I probably will bite the bullet on this one and call.

Greatful for your response.

Kevin

Mike

Thanks for your detailed and thorough explanation.

I have to evaluate the potential hassle based upon legacy dealings with the providers (Sprint is our issue). Obviously if I can get them to allow configuration you have recommended it would be the best option for the customer.

Regards

Kevin

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: