Accepting traffic for the same service from separate public interfaces

Pulling my hair out to find a solution to this issue. I thought I could solve it with NAT; however, I can't get it working. Basically I have two internet-facing IPs and I want to be able to access Exchange OWA & SMTP from either of them. However, based on which router owns the HSRP IP at any given time, that is the only public IP that will work.

I have HSRP set up with an IP SLA to detect if the public interface is down on the primary link, to enable redundancy. I also have DNS failover configured with our DNS provider; however, as they are two separate monitoring systems, it is often not robust. For example, sometimes the DNS failover detects that the primary is down. Maybe it's a false positive or it was just a blip, but during that time staff cannot access mail, as in order for this redundancy framework to work, both need to fail over in concert.

What I want to be able to do is permanently accept traffic from both internet interfaces. I thought I could NAT the public IP to ensure traffic went back to the correct border router; however, I can't seem to get that working. I have another solution that I think can work, but I just want to pick brains to see if this can be simply fixed. My other solution is to deploy another Exchange front-end server and use policy routing to ensure its outbound traffic always goes via the secondary router. (Attachment: Network Diagram)
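As an added illustration (not part of the original post), this is what the setup described above looks like in Cisco IOS on two 1941 border routers: HSRP on the LAN side, each router tracking its own ISP with an IP SLA, and a static NAT on each router for its own public address. All addresses and interface names are assumptions. The comments mark the reason only the HSRP-active router's public IP answers: the server's reply always goes to the HSRP virtual IP, so a connection that arrived through the standby router is answered through the active one, where it is translated to the wrong public address (or has no matching translation) and the client never sees a reply from the address it connected to.

```cisco
! Router A (primary border router, ISP A). Addresses are assumptions.
! Probe ISP A's gateway; the track object goes down when it stops answering.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

interface GigabitEthernet0/0
 description ISP A
 ip address 203.0.113.2 255.255.255.248
 ip nat outside

interface GigabitEthernet0/1
 description LAN (HSRP group 1, VIP 192.168.1.1 is the LAN default gateway)
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
 ! Drop below router B's default priority (100) when ISP A is unreachable
 standby 1 track 1 decrement 20

ip route 0.0.0.0 0.0.0.0 203.0.113.1

! Publish OWA (443) and SMTP (25) on ISP A's public address
ip nat inside source static tcp 10.0.0.10 443 203.0.113.5 443 extendable
ip nat inside source static tcp 10.0.0.10 25 203.0.113.5 25 extendable

! Router B (secondary, ISP B) has the same shape: LAN address 192.168.1.3,
! default HSRP priority 100, its own SLA against 198.51.100.1, and
!   ip nat inside source static tcp 10.0.0.10 443 198.51.100.5 443 extendable
!   ip nat inside source static tcp 10.0.0.10 25 198.51.100.5 25 extendable
!
! Why only the active router's address works: a client connects to
! 198.51.100.5, router B translates it to 10.0.0.10 and the server accepts it,
! but the server's reply is sent to its default gateway 192.168.1.1, which is
! router A while ISP A is up. Router A forwards the reply out ISP A, rewriting
! the source to 203.0.113.5 (or dropping it), so the client waiting on
! 198.51.100.5 never gets an answer. HSRP tracking does not fix this; it only
! moves the whole problem to the other router when ISP A fails.
```

A quick check from the outside is to connect to port 443 on the standby router's public address and watch `show ip nat translations` on both routers: the inbound half of the translation appears on router B, while the reply is only ever seen leaving router A.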
Asked by Michael

Pete Long (Technical Consultant) commented:
This is just a simple routing problem? You need to either have HSRP on the OUTSIDE of your 1941s (which is probably difficult if they are multi-vendor) or they need to BGP peer your public IPs to the ISP.

P
Michael (Author) commented:
Pete,

Neither suggestion is possible, as the public IPs are provided via two separate ISPs.

Soulja 53 6F 75 6C 6A 61 commented:
Have you considered using a load balancing solution? I know F5 GTM can load balance inbound DNS-based traffic between two ISPs. NGINX may be a possible option too; not sure if they have that ability.
Pete Long (Technical Consultant) commented:
You want to maintain access EXTERNALLY for services like OWA, Exchange etc.?

Then instead of using HSRP on the routers, let the firewall handle failover (bear with me, I have a major client who does this; they have online auctions where the bids are in 5-6 figures, and they simply cannot afford downtime during auctions).

Firewall ISP failover is designed to use one ISP or the other based on an SLA-tracked IP, but that's designed to provide redundancy for LAN traffic. What the documentation doesn't tell you is that if you want to access services publicly, then you can use BOTH ISP lines at the same time; you need two lots of ACLs and two lots of NATs, but it works.

How the hell does this help you? Well, if you publish your DNS records with a suitably low TTL, then you can use it as a backup failover, or publish the links through Cloudflare and let them load balance and filter the traffic for you.
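An added example (not Pete's configuration and not from the original thread) of the "two lots of ACLs and two lots of NATs" arrangement he describes, written for a Cisco ASA running 8.3 or later object NAT syntax. The platform, interface names and addresses are assumptions. The tracked default route only decides which ISP traffic that starts on the LAN uses; the two static NAT lines and the two interface ACLs are what let a connection that arrives on either ISP reach the same inside Exchange host and be answered on the interface it came in on.

```cisco
! Added example; ASA 8.3+ syntax, addresses and interface names are assumptions.
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

! Track ISP A's gateway; when it fails, the default route moves to ISP B.
! This only affects connections that originate on the LAN.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254

! One inside host, two public addresses: one static NAT per ISP interface.
object network EXCH_INSIDE
 host 10.0.0.10
object network EXCH_PUB1
 host 203.0.113.5
object network EXCH_PUB2
 host 198.51.100.5
nat (inside,outside1) source static EXCH_INSIDE EXCH_PUB1
nat (inside,outside2) source static EXCH_INSIDE EXCH_PUB2

! One inbound ACL per ISP interface, permitting only OWA and SMTP to the
! real (pre-NAT) address, which is how 8.3+ ACLs are written.
object-group service EXCH_PORTS tcp
 port-object eq smtp
 port-object eq https
access-list OUTSIDE1_IN extended permit tcp any object EXCH_INSIDE object-group EXCH_PORTS
access-list OUTSIDE2_IN extended permit tcp any object EXCH_INSIDE object-group EXCH_PORTS
access-group OUTSIDE1_IN in interface outside1
access-group OUTSIDE2_IN in interface outside2
```

The reason this works where the HSRP design did not is that the ASA forwards the return traffic of an established connection out the interface the connection was built on, rather than consulting the routing table, so a session that arrived on outside2 is answered on outside2 even while the default route points at outside1. Confirm it with `show conn` while connecting to the ISP B address: the connection should be listed with the outside2/inside interface pair. Keep the inbound ACLs to just the published ports; with two internet-facing interfaces there are now two places an overly broad "permit any" would expose the host.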
Michael (Author) commented:
Hi Pete, thanks for your advice.

I ended up solving this in a different, easy way that I can't believe I didn't think of earlier: I simply added a second NIC to the Exchange box and implemented policy routing on the firewall to ensure that all traffic coming from the second NIC's IP routed through the secondary router.

Simple and effective.

Thanks
Michael (Author) commented:
Close issue.
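An added example (not Michael's configuration, not from the original thread) of the second-NIC approach he settled on. Because he did not name the firewall platform, the policy routing is written in Cisco IOS route-map syntax on the device that is the Exchange server's default gateway; on an ASA running 9.4 or later the same route-map is applied with `policy-route route-map` under the interface. The border routers are the two 1941s, and all addresses, interface names and the track object are assumptions. The example also adds the one thing a practitioner would want beyond the bare route-map: `verify-availability` tied to a track, so that if router B is down the policy is skipped and NIC2's traffic falls back to the normal (HSRP) path instead of being forwarded into a dead next hop.

```cisco
! Added example, addresses and names are assumptions.
! Exchange NIC1 10.0.0.10 is published via router A and follows the normal
! default route (HSRP VIP 192.168.1.1).
! Exchange NIC2 10.0.0.11 is published via router B (192.168.1.3) and pinned
! there by policy routing on the firewall/gateway.

! ---- Firewall / gateway (IOS syntax) ----
! Outside 192.168.1.10/24 toward the routers, inside 10.0.0.1/24 toward Exchange.
interface GigabitEthernet0/0
 description Outside, toward the two border routers
 ip address 192.168.1.10 255.255.255.0
interface GigabitEthernet0/1
 description Inside, where Exchange traffic enters
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map VIA_ROUTER_B
ip route 0.0.0.0 0.0.0.0 192.168.1.1

! Track router B's LAN address so the policy is only applied while B is up
ip sla 2
 icmp-echo 192.168.1.3 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability

! Everything sourced from NIC2 goes to router B; if track 2 is down the
! set clause is ignored and the packet is routed normally.
ip access-list extended FROM_EXCH_NIC2
 permit ip host 10.0.0.11 any
route-map VIA_ROUTER_B permit 10
 match ip address FROM_EXCH_NIC2
 set ip next-hop verify-availability 192.168.1.3 10 track 2

! ---- Router B (secondary border router, ISP B) ----
interface GigabitEthernet0/0
 description ISP B
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.3 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 198.51.100.1
! Router B must know how to reach the Exchange subnet behind the firewall
ip route 10.0.0.0 255.255.255.0 192.168.1.10
! Publish public IP 2 to NIC2 only
ip nat inside source static tcp 10.0.0.11 443 198.51.100.5 443 extendable
ip nat inside source static tcp 10.0.0.11 25 198.51.100.5 25 extendable
```

With this in place, a request to 198.51.100.5 is translated by router B to 10.0.0.11, the server answers from 10.0.0.11, and the route-map sends that reply back to router B, so both directions of the connection use the same router and the same public address. Two points to check: the firewall's inbound rules must permit 25 and 443 to 10.0.0.11 as well as to 10.0.0.10, and outbound mail now leaves from whichever NIC the server chooses as source, so reverse DNS and any SPF record need to cover both public addresses.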