Accepting traffic for same service from separate public interfaces

Michael
Pulling my hair out to find a solution to this issue. I thought I could solve it with NAT; however, I can't get it working. Basically I have two internet-facing IPs and I want to be able to access Exchange OWA & SMTP from either of them. However, based on which router owns the HSRP IP at any given time, that is the only public IP that will work.

I have HSRP set up with an IP SLA to detect if the public interface is down on the primary link to enable redundancy. I also have DNS failover configured with our DNS provider; however, as they are two separate monitoring systems it is often not robust. For example, sometimes the DNS failover detects that the primary is down. Maybe it's a false positive or it was just a blip; during that time staff cannot access mail, as in order for this redundancy framework to work, both need to work in concert in terms of failing over.

What I want to be able to do is permanently accept traffic from both internet interfaces. I thought I could NAT the public IP to ensure traffic went back to the correct border router; however, I can't seem to get that working. I have another solution that I think can work, however I just want to pick brains to see if this can be simply fixed. My other solution is to deploy another Exchange front-end server and use policy routing to ensure its outbound traffic always goes via the secondary router.

[Network Diagram]
Pete Long, Technical Consultant

Commented:
This is just a simple routing problem? You need to either have HSRP on the OUTSIDE of your 1941s (which is probably difficult if they are multi-vendor) or they need to BGP peer your public IPs to the ISP.

P

Author

Commented:
Pete,

Neither suggestion is possible, as the public IPs are provided via two separate ISPs.

Soulja, Sr. Net. Eng.
Top Expert 2011

Commented:
Have you considered using a load-balancing solution? I know F5 GTM can load balance inbound DNS-based traffic between two ISPs. NGINX may be a possible option too. Not sure if they have that ability.

Pete Long, Technical Consultant

Commented:
You want to maintain access EXTERNALLY for services like OWA Exchange etc?

Then instead of using HSRP on the routers, let the firewall handle failover (bear with me, I have a major client who does this; they have online auctions where the bids are in 5-6 figures, and they simply cannot afford downtime during auctions).

Firewall ISP failover is designed to use one ISP or the other based on an SLA-tracked IP, but that's designed to provide redundancy for LAN traffic. What the documentation doesn't tell you is that if you want to access services publicly, then you can use BOTH ISP lines at the same time. You need two lots of ACLs and two lots of NATs, but it works.

How the hell does this help you? Well, if you publish your DNS records with a suitably low TTL, then you can use it as a backup failover, or publish the links through Cloudflare and let them load balance and filter the traffic for you.

Author

Commented:
Hi Pete, thanks for your advice.

I ended up solving this in a different, easy way that I can't believe I didn't think of earlier: I simply added a second NIC to the Exchange box and implemented policy routing on the firewall to ensure that all traffic coming from the second NIC IP routed through the secondary router.

Simple and effective.

Thanks
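The second-NIC approach the author settled on, written out as an added Cisco IOS-style policy-based routing example (not configuration from the thread; the thread does not say which firewall or addressing is in use, so the addresses, interface name and object numbers below are constructed). It matches only traffic sourced from the second Exchange NIC, so nothing else on the LAN is diverted, and it only applies the policy while the secondary router actually answers, so a dead secondary link falls back to normal routing instead of blackholing mail:

```cisco
! Assumed addressing (constructed, not from the thread):
!   Exchange NIC1 10.0.0.10  -> default path via HSRP VIP 10.0.0.1 (primary ISP)
!   Exchange NIC2 10.0.0.11  -> must always leave via secondary router 10.0.0.2
!   This device's inside interface: 10.0.0.254/24
!
! Track reachability of the secondary router; the policy route is only
! honoured while this tracked object is Up.
ip sla 20
 icmp-echo 10.0.0.2 source-ip 10.0.0.254
 frequency 10
ip sla schedule 20 life forever start-time now
track 20 ip sla 20 reachability
!
! Match ONLY packets sourced from the second Exchange NIC.
ip access-list extended EXCH-NIC2-SRC
 permit ip host 10.0.0.11 any
!
! Force matched traffic to the secondary router, but verify the next hop
! via track 20 first; if it is down, fall through to the routing table.
route-map PBR-SECONDARY-ISP permit 10
 match ip address EXCH-NIC2-SRC
 set ip next-hop verify-availability 10.0.0.2 10 track 20
!
! Apply on the interface that receives traffic from the Exchange server.
interface GigabitEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 ip policy route-map PBR-SECONDARY-ISP
!
! Checks after applying:
!   show track 20                     -> "Reachability is Up" before trusting failover
!   show route-map PBR-SECONDARY-ISP  -> policy-matched packet counter should increase
!                                        when NIC2 sends traffic
```

Each border router still needs its own static NAT (its public IP to the matching Exchange NIC) and matching ACL entries for OWA and SMTP, which is the "two lots of ACLs and two lots of NATs" Pete describes above.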
Commented:
close issue
