
NAT with Two ISP ( External IP from ISP-1)

I have an Exchange server running in a NAT environment. 10.1.1.2 is the Exchange server's internal IP address and the external IP address is 120.X.X.X. We have two ISP connections, and the Exchange server's external IP address is given by ISP-1. When we are connected to ISP-1, everything works fine. When ISP-1 is down, we connect to the Internet using ISP-2.
Since the Exchange server's external IP is from ISP-1, there won't be any route through ISP-2 to reach our Exchange server. So we could not send/receive any e-mails while we were connected to ISP-2. We are using a SONIC firewall and Exchange 2007.
We cannot do NAT from two external IPs to one internal IP. So taking an external IP from ISP-2 and NATing it to 10.1.1.2 is not possible. At the same time, I don't want to assign another IP (like 10.1.1.3) to the Exchange server and assign ISP-2 for NAT. I think this option also won't work.
Please suggest a solution for this.

Thanks
Ram.

Commented:
If you have a static IP from the secondary IP, assign a secondary internal IP to your Exchange server and do a static NAT from the secondary ISP static IP to that.
Then update your DNS MX records to include a secondary MX which will be the static IP from the secondary IP.
Essentially, you become your own backup mail server.
Top Expert 2010

Commented:
Is ISP-2 connected to an interface of the Sonicwall consuming a public static IP? Do you get an error when you try to set up a NAT for the secondary ISP-2 IP? If this is your scenario, simply running the Public Server Wizard should get you what you want. You'll just need to make sure your MX records are configured properly.

Author

Commented:
The Exchange team is saying that running two IP addresses is a problem. They said they have a lot of issues related to configurations. They would like to run only one IP and are requesting that the firewall/network team figure out the solution for this.

That is why I have clearly mentioned that running two IPs is a problem.

Commented:
Then use digitap's suggestion and get the firewall to do proper NAT for the single internal IP.
Try to read your SonicWall documentation. Maybe it can be switched to another mode, where ISP-2 will work only when ISP-1 is down. So there will always be only one NAT. It makes no difference to Exchange which ISP is connected, if you make 2 MX records.
Top Expert 2010

Commented:
If you have two ISP connections to your sonicwall then you may be employing failover or load balance.  These options will be under Network > WAN Failover & LB.  als315 is correct in that if you have this enabled, then you need two MX records.  You'll also want to make sure you have a PTR as well for both IP addresses.
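
The two-MX and PTR setup recommended in the comment above can be checked before a failover test. This is an added example, not part of the original thread; the domain, host names and addresses are constructed placeholders from documentation ranges, and the zone-style input format is an assumption.

```python
import ipaddress

# Constructed sample records (documentation address ranges, not the poster's IPs).
# mail1 stands in for the ISP-1 address, mail2 for the ISP-2 address.
ZONE = """\
example.test.             MX   10 mail1.example.test.
example.test.             MX   20 mail2.example.test.
mail1.example.test.       A    192.0.2.10
mail2.example.test.       A    198.51.100.10
10.2.0.192.in-addr.arpa.  PTR  mail1.example.test.
"""

def parse(zone_text):
    """Return (mx, a, ptr): sorted (pref, host) list, host->ip map, reverse-name->host map."""
    mx, a, ptr = [], {}, {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        name, rtype = fields[0].lower(), fields[1].upper()
        if rtype == "MX" and len(fields) >= 4:
            mx.append((int(fields[2]), fields[3].lower()))
        elif rtype == "A":
            a[name] = fields[2]
        elif rtype == "PTR":
            ptr[name] = fields[2].lower()
    return sorted(mx), a, ptr

def check_mail_dns(zone_text):
    """List problems that would break mail delivery on either ISP path."""
    mx, a, ptr = parse(zone_text)
    problems = []
    if len(mx) < 2:
        problems.append("fewer than two MX records: no inbound path when one ISP is down")
    for _pref, host in mx:
        ip = a.get(host)
        if ip is None:
            problems.append(f"{host}: MX target has no A record")
            continue
        # Build the in-addr.arpa name for this address and look up its PTR.
        rev = ipaddress.ip_address(ip).reverse_pointer + "."
        back = ptr.get(rev)
        if back is None:
            problems.append(f"{host} ({ip}): no PTR record")
        elif back != host:
            problems.append(f"{host} ({ip}): PTR points to {back}")
    return problems

if __name__ == "__main__":
    for problem in check_mail_dns(ZONE):
        print(problem)
```

On the sample data the check reports the missing PTR for the second (ISP-2) address, which is the record most often forgotten when a backup link is added.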

Author

Commented:
First of all, thanks a lot to everyone...

I am aware of having two MX records, one for the external IP obtained from ISP-1 and the other for the external IP obtained from ISP-2. Whenever ISP-1 is down, the ISP-2 IP will be up and running and ISP-2 will do the routing from the Internet to this IP block.

My question is around how the internal-to-external translation will take place behind the firewall. How will internal IP 10.1.1.2 get translated into the 120.X.X.X (ISP-1) or 130.X.X.X (ISP-2) external IP? Is that something the Sonic firewall will take care of?

After digitap's comments I just spoke to the lead who manages our sonicwalls. He is telling me that is not possible at the FW end...I don't have a login to verify that either....Can you share any sonicwall documentation on how to configure that....

Basically what I understood is two external IPs with MX records (one from ISP-1 and the other from ISP-2) and then these two external can be translated into one external...in this case sonicwall will take care of failover....is this correct?
 
Top Expert 2010

Commented:
When you configure the sonicwall to failover and load balance, it does handle that.  The only limitation I can think of is if your sonicwall is so old that it won't handle this functionality.  If that's the case, then your sonicwall would have to be REALLY old!!!

Here is a link to a PDF walking through configuring this functionality.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3707

To be honest, I don't know what your tech is talking about because we've implemented this scenario many times.  I've been working with the sonicwall appliance for over 5 years and I think I know them pretty well by now...>GRIN<!  Again, unless there is an element not made known here, there shouldn't be anything that would prevent this deployment.  By the way, I can get you a better document if I know the following:

Type of sonicwall:
Enhanced or Standard OS:

Author

Commented:
I am an external architect to them, came to set up this site. I have asked for the firewall info. Not sure whether I will get it or not.  Let me try my best to get it.

I have gone thru the sonicwall article. It is talking about doing HTTP traffic thru one interface and TELNET thru the other.  I think what we are looking for is sending the Exchange traffic only thru the primary link always (NAT the Exchange internal IP to the ISP-1 external IP) and, if the primary link fails, sending the Exchange traffic thru the secondary link (switch the NAT to the ISP-2 external IP).

Can you help me in getting the relevant doc...
Top Expert 2010
Commented:
All I can really give you is instructions on setting up the failover.  The sonicwall will treat ALL communications within the realms of the failover unless you're trying to achieve something different, then you exclude those services.  Here, I assume that your default ISP has failed and you want the Sonicwall to detect this and fail over traffic to the secondary ISP.  Additionally, you'd like it to revert back to the default ISP.  I have included the steps for the newer Enhanced OS.
Failover-Enhanced-5.6-above.pdf

Author

Commented:
I will pass this over to my FW team and let you know....
Top Expert 2010

Commented:
sounds good...

Author

Commented:
I don't want to hold till my techs come back....
Top Expert 2010

Commented:
OK...thanks for the points!