https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995503#M434591 <HTML><HEAD></HEAD><BODY><P>both the customer's residing in inside zone of the ASA box by having the sub interfaces created on the ASA?????</P></BODY></HTML> Fri, 08 Jun 2012 11:29:04 GMT nkarthikeyan 2012-06-08T11:29:04Z https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995502#M434590 <P>Hey, forks</P><P></P><P>We have a hosted data center environment. We use dual ASA 5510 for connection going out to Internet. On the internal side of the ASA5510, we use unique VLANs to identify different hosted customers and also isolate traffic among them. Recently we run into an issue that one customer can not email another customer whoes email servers are both residing in our hosted environment. For Example, </P><P></P><P>Customer A email server is configured with 10.10.1.1 with public IP mapped on ASA5510 as 23.24.25.26. Customer B email server is configured with 192.168.2.1 with public IP mapped on same ASA5510 as 23.24.25.28. When customer A send email to customer B, traffic got blocked, which is expected on ASA. Now we are trying to keep the proper security while somehow allow 2 customer to communicating emails.</P><P></P><P>We could configure ACL specific to do the job but it will not be managable if there are 50 customers need to email another 50 customers in the same environment...</P><P></P><P>Please advise.</P><P></P><P>/S</P> Mon, 11 Mar 2019 23:16:49 GMT https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995502#M434590 SIMMN 2019-03-11T23:16:49Z https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995503#M434591 <HTML><HEAD></HEAD><BODY><P>both the customer's residing in inside zone of the ASA box by having the sub interfaces created on the ASA?????</P></BODY></HTML> Fri, 08 Jun 2012 11:29:04 GMT https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995503#M434591 nkarthikeyan 2012-06-08T11:29:04Z https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995504#M434592 <HTML><HEAD></HEAD><BODY><P> That is correct. That is I guess the main reason I am searching for alternative way to allow certain communication while maintaining the setup.</P></BODY></HTML> Fri, 08 Jun 2012 11:38:58 GMT https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995504#M434592 SIMMN 2012-06-08T11:38:58Z https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995505#M434593 <HTML><HEAD></HEAD><BODY><P>Still waiting for suggestions...</P><P></P><P>BTW, Do other big hosting environment use single routing/firewall instance for each customer?</P></BODY></HTML> Thu, 14 Jun 2012 13:59:27 GMT https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995505#M434593 SIMMN 2012-06-14T13:59:27Z https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995506#M434594 <HTML><HEAD></HEAD><BODY><P>Hi Bro</P><P>To resolve your issue, you'll need to configure Cisco DNS Doctoring. This will work like a charm.</P><P></P><P><A href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml</A></P><P></P><P>In most enterprise deployment, that hosts hundreds of tenants, they would normally use Cisco FWSM running in multi-context mode. This mean one virtual FW per customer. On the switching side, Cisco Nexus 7K is used instead.</P><P></P><P>P/S: if you think this comment is useful, please do rate them nicely <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Sun, 29 Jul 2012 02:23:20 GMT https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995506#M434594 Ramraj Sivagnanam Sivajanam 2012-07-29T02:23:20Z https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995507#M434595 <HTML><HEAD></HEAD><BODY><P>Hi Shuai Yu,</P><P></P><P>You can do a hairpinning enabled to make this work.</P><P></P><P></P><P>Please refer the below document as well along with doctoring concept which ramraj has suggested. Here you are doing within the sub interfaces. Both are almost similar in concepts.</P><P></P><P>You have to create nat rules in such a way to achive this.</P><P></P><P><A class="jive-link-external-small" href="http://ckdake.com/content/2009/hairpinning-with-a-cisco-asa.html">http://ckdake.com/content/2009/hairpinning-with-a-cisco-asa.html</A></P><P></P><P>!</P><P></P><P>Please do rate if the given information helps.</P><P></P><P>by</P><P></P><P>Karthik</P></BODY></HTML> Sun, 29 Jul 2012 14:22:16 GMT https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995507#M434595 nkarthikeyan 2012-07-29T14:22:16Z https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995508#M434596 <HTML><HEAD></HEAD><BODY><P>Thanks for the suggestion. But multi-context on Asa will not be applicable for us. IPSec VPNs are used between data enter and customers.</P><P></P><P>Plus, we prefer to not configure acl/nay rules to accomplish this. What if there are 10 or 20 customers need this setup? Just don't want to loss configuration control.</P><P></P><P>We are considering the email relay server or CSR1000v.</P><P></P><P>If u have any other suggestion, please post.</P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sun, 29 Jul 2012 14:46:42 GMT https://community.cisco.com/t5/network-security/suggestion-is-needed/m-p/1995508#M434596 SIMMN 2012-07-29T14:46:42Z