topic So, this is my understamding in Network Security

E-Mail Server on Asa

Mesut Canbolat — Tue, 12 Mar 2019 08:50:39 GMT

Dear All,

My need is for our mailserver is below:

Able to send and receive emails from - to outside internet domains with two public ip addresses from

ISP1 and ISP2. Our Dns records for ourdomain.com are on the ISP1 and ISP2's Name Servers with the same value of MX records 10.

Scenario :

If the link of ISP1 fails email relaying and sending for ourdomain.com will be able to continue from the ISP2 link.

Since we have two same MX 10 records, is the ISP2 link going to receive emails even if the ISP1 link keeps running.

We do appreciate your config examples and advise.

Thanks

Mesut

I am not an expert on DNS

Ajay Saini — Fri, 27 Jan 2017 11:32:31 GMT

I am not an expert on DNS stuff but below advise is on basis of networking experience:

How is the design actually. Where are the ISPs terminating and are these 2 ISP active at the same time or one at a time. Please confirm the physical setup.

Also, please confirm if the dns reply consisting of mx record values has both entries if you do dns lookup from either ISP or it has just one mx record corresponding to that ISP.

Ideally, if the mx priority values are same, I would expect traffic to be load balanced, but then that depends where that traffic(smtp) goes(which ISP) and that depends on your physical setup.

HTH

Thanks AJ for your reply.

Mesut Canbolat — Fri, 27 Jan 2017 17:13:04 GMT

Thanks AJ for your reply.

Our physical setup : Asa 5512x outside0 : Isp1 outside1: Isp2 inside : MailServer

Example Ips :

outside 0 : 95.95.95.1 /28 Active

outside 1 : 75.75.75.1 /28 Active at the same time. Same Mx 10 Records

inside : 192.168.1.1 /24

MailServer : 192.168.1.10 /24

No Local Network No Clients localy connected. All clients are remote clients ousite IMAP connections.

Please advise , Thanks

Mesut

Ok, so can I assume that this

Ajay Saini — Fri, 27 Jan 2017 19:08:09 GMT

Ok, so can I assume that this query is all about inbound access needed by outside located clients to internal exchange using IMAP protocol. Or maybe imap over ssl?

Please confirm.

Ok, so can I assume that this

Mesut Canbolat — Fri, 27 Jan 2017 20:01:18 GMT

Ok, so can I assume that this query is all about inbound access needed by outside located clients to internal exchange using IMAP protocol. Or maybe imap over ssl?

Please confirm. AJ

Yes AJ it is only IMAP connections.

So, this is my understamding

Ajay Saini — Fri, 27 Jan 2017 20:39:17 GMT

So, this is my understamding of your setup, please correct me if I am wrong somewhere:

ISP1 - default gateway with preferred route towards internet
ISP2 - default gateway with less preferred route towards internet

In this case, inbound traffic should work for both ISP since reply traffic will follow the same path back as it came in.

Now, as per your scenario, lets say ISP1 fails and ISP2 is handling incoming traffic for both mx records . Now, when the ISP1 comes back up, if the inbound traffic arrives on ISP1, it will work.
It all depends on how quikcly ISP1 can punt the traffic for ISP1 towards ISP1. ASA will have a limited role to play in there since its a recipient.
Depends on ISP what criteria they have to identify of when the ISP1 is active or down. Looks like a routing question that should be pointed to the ISP.

Let me know if I missed out on something or there is some additional questions.

HELLO AJ

Mesut Canbolat — Sat, 28 Jan 2017 05:48:36 GMT

HELLO AJ

---------------------------------------------------------------------------------------------------------------------

So, this is my understamding of your setup, please correct me if I am wrong somewhere:

ISP1 - default gateway with preferred route towards internet
ISP2 - default gateway with less preferred route towards internet

In this case, inbound traffic should work for both ISP since reply traffic will follow the same path back as it came in.

Let me know if I missed out on something or there is some additional questions.

**********************************************************************

Hi AJ , You did understand everything very well. You are not missing anything else . If you have time could you please try on example setup config. Thanks a lot for your time and advice.

Sorry for the delay here. I

Ajay Saini — Tue, 31 Jan 2017 15:59:09 GMT

Sorry for the delay here. I am having some troubles with support forum notifications. I will search some documents or provide a sample config in a day or two max.

Hi AJ ,

Mesut Canbolat — Tue, 31 Jan 2017 16:52:58 GMT

Hi AJ ,

Thanks for your kindly update. Please take your time . It is not so urgernt at the moment.

When you are done with your priority jobs . You are most welcome to provide example configs.

Take Care ,

Mesut

Ok, here is the scenario:

Ajay Saini — Thu, 02 Feb 2017 20:52:35 GMT

Ok, here is the scenario:

inside - lan segment

outside - ISP1 and having preferred default gateway

outside2 - ISP2 and having less preferred gateway

Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 10.0.99.1 255.255.255.0 manual
GigabitEthernet0/1 inside 192.168.129.222 255.255.255.0 manual
GigabitEthernet0/3 outside2 11.11.11.1 255.255.255.0 manual

ciscoasa(config)# sh run route
route outside 0.0.0.0 0.0.0.0 10.0.99.2 1
route outside2 0.0.0.0 0.0.0.0 11.11.11.254 254

Now, we have 1 public ip address on each ISP that inside email server is reachable through. Lets say that 10.0.99.10 (ISP1 mx record) and 11.11.11.10 (ISP2 mx record).

Also assume that inside email server is 192.168.129.10

Lets apply 2 NAT statement on each ISP :

object network obj-10.0.99.10
host 10.0.99.10
object network obj-192.168.129.10
host 192.168.129.10
object network obj-11.11.11.10
host 11.11.11.10

nat (inside,outside) source static obj-192.168.129.10 obj-10.0.99.10
nat (inside,outside) source static obj-192.168.129.10 obj-11.11.11.10

nat (inside,outside2) source static obj-192.168.129.10 obj-10.0.99.10
nat (inside,outside2) source static obj-192.168.129.10 obj-11.11.11.10

***skipped access-lists, need to be applied as required ports****

Now, in normal state (when both ISP are active), inbound traffic will work fine through either ISP on any ip address.

Lets say, ISP1 goes down and ISP 2 is active. In this case we would expect traffic to arrive on ISP2. No matter on what ip address it comes on, it will work fine. Lets say that a user on internet resolved the mx record to ip address 10.0.99.10 (which belongs to ISP1), then the traffic needs to arrive till ASA ISP2(thats something ISP needs to do) and then ASA will handle it just fine.

Once, the ISP1 comes back up, then inbound again will work on how the users on internet resolve mx records and where the traffic lands(which ISP).

Please let me know if there are any questions.

FYI, if you wish to add ISP failover feature here, even then this should work. I don't see any challenge as far as ASA is concerned.

Hello Dear AJ ,

Mesut Canbolat — Mon, 06 Feb 2017 09:09:00 GMT

Hello Dear AJ ,

Sorry for my late reply. Many thanks for your example config for my scenario.

I will be able to deploy this config on our running active asa network at the end of this month when we do half day maintanence.

I will be posting all test results here .

Once again thank you for all your great effort and support.

Best Wishes

Mesut

You will also need an SLA

Marius Gunnerud — Mon, 06 Feb 2017 10:04:56 GMT

You will also need an SLA tracker to either track the interface or an IP so that the ASA knows when to insert the backup route.

Also, since traffic will be expected on both interfaces even when ISP2 is not the active route, you will need to account for asynchronous routing. depending on the ASA version you are running you can do this either by placing interfaces in traffic zones (version 9.3.2 or higher) or tcp bypass. If you are not running a version higher than 9.3.2 then I suggest upgrading and implementing traffic zones as using tcp-bypass can cause security risks.

sla monitor 123

type echo protocol ipIcmpEcho 4.2.2.2 interface outside

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

route outside1 0.0.0.0 0.0.0.0 10.0.0.2 1 track 1

route outside2 0.0.0.0 0.0.0.0 11.0.0.1 254

zone outside

interface gig0/1

description to ISP1

zone-member outside

interface gig0/2

description to ISP2

zone-member outside

Please remember to select a correct answer and rate helpful posts