1 T1 line, 2 public ips, 2 email servers, 2 domain names, 2 pix 501s, bad communication between servers

I have 2 companies on the same T1 line; they each have their own domain name and Win2k3 SBS servers hosting email separately. Sometimes, email does not get delivered to the other server and times out; sometimes it works perfectly. No rhyme or reason. Scenario:

server1 is connected to a pix501 with public ip of 12.34.56.162 and domain is domain1.com.
server2 is connected to a pix501 with public ip of 12.34.56.164 and domain is domain2.com.

The T1 has 5 IPs and uses a Cisco 1720 as its router with IP 12.133.12.161, which is the gateway for both PIXs.

If a user from domain1.com sends an email to a user on domain2.com, the message will sit in the Exchange queue until it times out. If the same user sends the message again the next day, it gets delivered to the other server in milliseconds.

Neither server has any trouble sending email to any other domains. If it was consistent, I would say that the 1720 could not send the traffic out and receive it back in to the other IP, but it is very sporadic. Short of setting up a VPN between the PIX 501s, does anyone have any ideas on how to make this work?
thanks, Mike
mstefani Asked:
mstefani (Author) Commented:
The PIX 501s are unlimited users... nice thought though! You were thinking outside the box.
0
 
smckellar83 Commented:
Create an external SMTP connector on each Exchange server for the opposite domain and tell it to relay to the other domain's Exchange server. This is because a PIX (like any firewall) cannot hairpin a route back out the same interface.
0
 
smckellar83 Commented:
This is where/how you would set up the SMTP connector on each side. 192.168.1.1 would be the internal IP of the Exchange server on the other side of the VPN.
(attachment: smtp-connector.png)
0
 
mstefani (Author) Commented:
So you are indicating, but not stating exactly, that I need to set up a VPN between the PIX 501s first? I cannot do that because these are separate companies and should not be joined by a VPN, even if for SMTP traffic only.

And I would think that the 1720 would be the one that could not "hairpin", since it is the gateway to the internet and the destination is behind it. Which makes me want to ask: why don't they allow it?

If the 'hairpin' problem is true, why does it work 70% of the time and fail 30%?

0
 
bigcurefan Commented:
When the emails are sitting in the Exchange queue, can the Exchange server ping anything on the internet (such as www.google.com)? What I'm getting at is that if the 501s have 10-user licenses, subtract 1 for the PIX itself, then there can be only 9 hosts behind the 501 that are allowed out to the internet at any given time. In such a case, one of the IPs in the ARP table would first have to time out in order to free up a "license" for another IP to access the internet.
0
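The two competing explanations in this thread (the edge cannot hairpin traffic to the neighbouring public IP, versus the PIX running out of host licenses) predict different failure patterns, and a timed probe run from the Exchange server while mail is queued can tell them apart. The following script is an added example, not code from any poster; it reuses the question's public IP 12.34.56.164 and bigcurefan's www.google.com as constructed targets, and the `connect` parameter is injectable so the classification logic can be exercised offline.

```python
import socket
import time
from datetime import datetime

# Constructed targets modelled on the thread: the neighbouring company's
# public IP on port 25, and an unrelated internet host as a baseline.
PROBES = {
    "domain2.com MX": ("12.34.56.164", 25),      # value from the question
    "external baseline": ("www.google.com", 80),  # host from bigcurefan's post
}


def tcp_probe(host, port, timeout=5.0, connect=socket.create_connection):
    """Attempt one TCP connect; return (ok, elapsed_seconds, detail).
    `connect` is injectable (hypothetical parameter) for offline testing."""
    start = time.monotonic()
    try:
        sock = connect((host, port), timeout)
        sock.close()
        return True, time.monotonic() - start, "connected"
    except OSError as exc:
        return False, time.monotonic() - start, str(exc)


def classify(results):
    """Map {probe_name: ok} onto the hypotheses raised in the thread."""
    cross = results.get("domain2.com MX")
    base = results.get("external baseline")
    if cross and base:
        return "all reachable now; keep sampling to catch the failure window"
    if not cross and base:
        # Only the path that must leave and re-enter the same edge fails.
        return "only the neighbouring site is unreachable: suspect hairpin/NAT path"
    if not cross and not base:
        # Nothing gets out at all, which is what an exhausted host pool looks like.
        return "no internet reachability: suspect PIX host-limit exhaustion"
    return "baseline down but cross-site up: unrelated outage"


def run_once(probes=PROBES, connect=socket.create_connection):
    """Probe every target, log a timestamped line each, return the verdict."""
    results = {}
    for name, (host, port) in probes.items():
        ok, secs, detail = tcp_probe(host, port, connect=connect)
        results[name] = ok
        state = "OK  " if ok else "FAIL"
        print(f"{datetime.now():%H:%M:%S} {name:18s} {state} {secs:5.2f}s {detail}")
    return classify(results)


if __name__ == "__main__":
    # Schedule this every few minutes on the Exchange host to build a timeline
    # of when delivery to the other site actually flaps.
    print(run_once())
```

Correlating the FAIL timestamps with the queue's retry times shows whether failures line up with the cross-site path alone (consistent with the hairpin explanation) or with a total loss of outbound connectivity (consistent with the license-limit explanation).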