Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Source IP substitution on the same network


We have PI class C network, AS and router (3845) to support connections to two ISPs using BGP. In this network we install two MS TMG 2010 servers using MS NLB. Let's say that we have such "inside" scheme

x.x.x.0 - globally routable network (/24)

x.x.x.1 - router interface address

x.x.x.11 - primary virtual NLB IP address

x.x.x.12 - first MS TMG server

x.x.x.14 - second MS TMG server

Everything works fine but there is one problem - SMTP. All incoming connections go to x.x.x.11 and than through TMG farm to our SMTP server, but outgoing connections use both x.x.x.12 and x.x.x.14 and mail servers refuse to get mail from ONE server ( using two different addresses.

The idea is to use NAT and change source IPs to one another (x.x.x.12 -> x.x.x.15, x.x.x.14 -> x.x.x.15) and peer's mail servers should see only x.x.x.15. We do the following

ip nat outside  - on two interfaces to ISPs

ip nat inside  - on x.x.x.1 interface

ip nat pool NLB11 x.x.x.15 x.x.x.15 netmask

ip nat inside source list 111 pool NLB11 overload

access-list 111 permit tcp host x.x.x.12 any eq smtp

access-list 111 permit tcp host x.x.x.14 any eq smtp

I understand that this is somehow tricky because outside pool is on the same network. This combination even works sometimes but not always. Some mail servers allow to telnet 25 and others do not. Show ip nat tra command really shows tcp sessions but it seems to me that sometimes we couldn't get return packets. I even tried to make static NAT instead of dynamic pool (just for one address):

ip nat inside source static x.x.x.12 x.x.x.15

Result is exactly the same.

Probably the router sends NATed packet through one outside interface but return packet goes through another and goes unNATed.

Have anybody some thoughts about it? Maybe there is completely different scheme to resolve such a problem? Please do not propose to place TMG farm to and to do full NAT on router. TMG farm is already a NAT "device" and our router is not a performance leader.



Everyone's tags (3)

Source IP substitution on the same network


try to make 2 more records in dns server  x.x.x.12  x.x.x.14

New Member

Source IP substitution on the same network

Thank you.

The problem has been solved. Not a DNS problem.