
Clustering 2 Secure Email Gateway C690 using Firewall Cisco ASA

Hi,

We have 2 Secure Email Gateway C690 devices Version: 15.0.1-030.
Is it possible to create a cluster if the connection between them goes through a Cisco ASA firewall on which NAT (host to host) is configured?

Thank you.


Ruben Cocheno
Spotlight

@Stas Zolotarenko 

Careful here, you will find issues while NATting due to the TLS required for PVO/Quarantine delivery.

The following ports are needed for SMA <--> ESA communication:

PVO:

1) ESA --> SMA (7025)
2) SMA --> ESA (7025)

Spam Quarantine:

1) ESA --> SMA (6025)
2) SMA --> ESA (25)

General Connectivity / Tracking / Reporting:

1) ESA --> SMA (22)
2) SMA --> ESA (22)

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/
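
The port list in the reply above, turned into a reachability check you can run through the ASA before attempting the real setup. This is an added example, not code from the thread or from Cisco; it assumes you run it from a test host on the same segment as the source appliance and pass the peer's address as seen from that side of the NAT, and the names `flows_from`, `tcp_open` and `check` are hypothetical.

```python
import socket
import sys

# Flows exactly as listed in the reply: (source, destination, TCP port, purpose).
FLOWS = [
    ("ESA", "SMA", 7025, "PVO"),
    ("SMA", "ESA", 7025, "PVO"),
    ("ESA", "SMA", 6025, "Spam Quarantine"),
    ("SMA", "ESA", 25, "Spam Quarantine"),
    ("ESA", "SMA", 22, "General Connectivity / Tracking / Reporting"),
    ("SMA", "ESA", 22, "General Connectivity / Tracking / Reporting"),
]


def flows_from(source):
    """Flows that originate on the given side ("ESA" or "SMA")."""
    return [f for f in FLOWS if f[0] == source]


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name resolution failure
        return False


def check(source, peer_addr, probe=tcp_open):
    """Probe every flow that starts at `source` against the peer's address
    as seen from this side of the firewall (the NAT'd one, not the real one)."""
    return [
        (dst, port, purpose, probe(peer_addr, port))
        for _, dst, port, purpose in flows_from(source)
    ]


if __name__ == "__main__":
    # Usage: script.py ESA|SMA <peer address as seen through the NAT>
    if len(sys.argv) != 3 or sys.argv[1] not in ("ESA", "SMA"):
        sys.exit("usage: script.py ESA|SMA <peer address>")
    source, peer_addr = sys.argv[1], sys.argv[2]
    for dst, port, purpose, ok in check(source, peer_addr):
        state = "open" if ok else "unreachable"
        print(f"{source} -> {dst} {peer_addr}:{port:<5} {state:<12} {purpose}")
```

A completed TCP handshake only shows that the ASA's NAT and access rules pass the flow; it does not exercise the TLS negotiation the reply warns about.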

That is going to take some testing...

Clustering = Config replication, nothing more...


So the question is: does the config have any references that will overwrite the cluster communication config?

E.g. ESA1 has IP x.x.x.x and it's NAT'd to y.y.y.y

When ESA2 is configured to sync with y.y.y.y and gets the config from ESA1, which has its IP as x.x.x.x, could that break the cluster?

Yep, gonna need to test that. Once clustered they do complain (via alert emails) if they can't communicate, so you should see if it breaks.



Is it even possible to create a cluster if ESA1 and ESA2 devices are connected to each other through a Cisco ASA firewall on which NAT (host-to-host) is configured?

saliyev
Cisco Employee

Theoretically it should work, considering that ESA leverages SSH for clustering, and I don't think SNAT would cause trouble for the SSH session. But I highly recommend deploying two test ESA virtual machines and checking the cluster through the firewall+SNAT.