1 T1 line, 2 public ips, 2 email servers, 2 domain names, 2 pix 501s, bad communication between servers

I have 2 companies on the same T1 line; they each have their own domain name and win2k3 sbs servers hosting email separately.  Sometimes email does not get delivered to the other server and times out; sometimes it works perfectly.  No rhyme or reason.  Scenario:

server1 is connected to a pix501 with public ip of and domain is domain1.com.
server2 is connected to a pix501 with public ip of and domain is domain2.com.

The T1 has 5 ips and uses a cisco 1720 as its router with ip which is the gateway for both pix's.

If a user from domain1.com sends an email to a user on domain2.com, the message will sit in the exchange queue until it times out.  If the same user sends the message again the next day, it gets delivered to the other server in milliseconds.

Neither server has any trouble sending email to any other domains.   If it was consistent, I would say that the 1720 could not send the traffic out and receive it back in to the other IP, but it is very sporadic.  Short of setting up a vpn between the pix 501s, does anyone have any ideas on how to make this work?
thanks, Mike
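One way to pin down the "works some of the time, times out the rest" pattern before changing any connector or firewall configuration, as an added example that is not part of the original thread or of any Experts Exchange answer: a small Python probe, run from one of the Exchange servers against the other company's public mail IP, that records whether TCP/25 opens and the SMTP 220 greeting arrives, then summarises the failure rate and the longest run of consecutive failures. The host name and IP in the usage line are placeholders; the probe interval is a chosen value, not anything from the thread.

```python
"""Repeatedly probe a peer mail server's SMTP port and summarise the failure pattern.

Added diagnostic example (not from the original thread). Host/IP values are
placeholders; run it on the sending Exchange server so the probe takes the same
path through the PIX and the 1720 that the queued mail takes.
"""
import socket
import time
from datetime import datetime


def probe_smtp(host, port=25, timeout=5.0):
    """Open a TCP connection and read the SMTP greeting.

    Returns (ok, detail): ok is True only if the connection opened AND the
    server answered with a 220 greeting, which separates "TCP never reached
    the other side" (timeout/refused) from "reached it but the MTA is unhappy".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(256).decode("ascii", errors="replace").strip()
            if banner.startswith("220"):
                return True, banner
            return False, "unexpected greeting: %r" % banner
    except (socket.timeout, TimeoutError):
        return False, "timeout"
    except OSError as exc:
        return False, "error: %s" % exc


def summarize(results):
    """results: list of (timestamp, ok, detail) tuples from probe runs.

    Returns counts, the failure rate and the longest run of consecutive
    failures. A long failing run followed by sudden success points at a
    stateful device (NAT/xlate or ARP entry ageing out) rather than at DNS
    or at the remote MTA rejecting the session.
    """
    total = len(results)
    ok = sum(1 for _, good, _ in results if good)
    longest = run = 0
    for _, good, _ in results:
        run = 0 if good else run + 1
        longest = max(longest, run)
    return {
        "total": total,
        "ok": ok,
        "failed": total - ok,
        "failure_rate": (total - ok) / total if total else 0.0,
        "longest_failing_run": longest,
    }


def monitor(host, port=25, attempts=12, interval=300.0):
    """Probe `attempts` times, `interval` seconds apart, printing each result."""
    results = []
    for _ in range(attempts):
        stamp = datetime.now().isoformat(timespec="seconds")
        ok, detail = probe_smtp(host, port)
        results.append((stamp, ok, detail))
        print("%s %s %s" % (stamp, "OK  " if ok else "FAIL", detail))
        time.sleep(interval)
    return summarize(results)


if __name__ == "__main__":
    # Placeholder target: the OTHER company's public mail IP or MX host name.
    print(monitor("mail.domain2.example", attempts=3, interval=5.0))
```

Run it from server1 against domain2's public address (and the reverse from server2) at roughly the interval Exchange retries the queue. If plain TCP/25 fails in runs while the same script succeeds against any outside mail server, the problem is on the path between the two PIX units and the 1720, not in Exchange; if TCP opens but no 220 greeting arrives, look at the receiving side instead.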

Create an external SMTP connector on each Exchange server for the opposite domain and tell it to relay to the other domain's Exchange server. This is because a PIX (like any firewall) cannot hairpin a route back out the same interface.
This is where/how you would set up the SMTP connector on each side. would be the internal IP of the Exchange server on the other side of the VPN.
mstefani (Author) commented:
So you are indicating, but not stating exactly, that I need to set up a VPN between the PIX 501s first?  I cannot do that because these are separate companies and should not be joined by a VPN, even if for SMTP traffic only.

And I would think that the 1720 would be the one that could not "hairpin", since it is the gateway to the internet and the destination is behind it.  Which makes me want to ask why they don't allow it.

If the 'hairpin' problem is true, why does it work 70% of the time and fail 30%?

When the emails are sitting in the Exchange queue, can the Exchange server ping anything on the internet (such as www.google.com)?  What I'm getting at is that if the 501s have 10-user licenses, subtract 1 for the PIX itself, then there can be only 9 hosts behind the 501 that are allowed out to the internet at any given time.  In such a case, one of the IPs in the ARP table would first have to time out in order to free up a "license" for another IP to access the internet.
mstefani (Author) commented:
The PIX 501s are unlimited users... nice thought though!  You were thinking outside the box.
