ESA C360 two listener interface + Management config

wilson_1234_2
Level 3

I have never done anything with these and currently they are being managed by another person.

I don't have access to the appliances and I am trying to sort out how to install them into the network.

According to the manager of these devices, there is only one default gateway and he wants an external (inbound) and an internal (outbound) interface configured, along with a management connection.

I don't see how the connection will work with only one default gateway, when the interfaces are on separate networks.

Also, the guy that manages these is telling me that he can't put the management interface in the same subnet as the data interfaces, which would indicate the interface should be configured separately, each having a default gateway.

And, how is the security handled between interfaces on these?

Is it safe to have an outside interface in a DMZ and an internal interface in the core network?

It seems to me if there is a management interface, the other interfaces (inbound and outbound) should be in the DMZ and the management on the internal network.

The guides I have seen don't really go into any of the things I have asked above.

Anyone have input on this?

3 Replies

Paul Cardelli
Level 1

In the ESA/Ironport you have a default gateway going out the (WAN) interface, and then create summary routes for all private address spaces for the outbound (LAN) interface. I have not used the management interface yet. I'm guessing that would be limited to interfaces on that VLAN, or specific routed IP ranges.

For security it depends on your environment. The configuration above is an edge-type configuration with an out-of-band management network. The benefit is that your firewall rules will be simple, and overall it will make the logical and physical configuration easier to troubleshoot and manage.

Firewall Rules:

WAN to DMZ: SMTP, ICMP (ANY)
DMZ to WAN: SMTP, ICMP, DNS (ANY)

If you are concerned about having it configured this way, you can have just one interface per appliance, but it is a little more complicated, as your inbound will be the SMTP port, and the outbound connector port from your e-mail servers to the ESA will need to be some other port, and would need to be configured that way.

WAN to DMZ: SMTP, ICMP (ANY)
DMZ to WAN: SMTP, ICMP, DNS (ANY)

LAN to DMZ:
SMTP2 (Port 26) to ESAs from email servers
HTTP, HTTPS to ESAs from authorized management systems
SSH from SMA to ESAs from management systems

DMZ to LAN:
SMTP2 (Port 26) from ESAs to email servers
SSH to SMA from ESAs to management systems

Thanks for the reply.

The guy managing the Ironports is insisting on two data interfaces (data1, inbound from Internet, data 2 outbound to mail server) and the management.

I still don't get how the routing works in this type of scenario if the Ironport is in the DMZ and the default gateway is the DMZ firewall interface.

How does the inside (outbound to mail server) interface route out of the VLAN to a different one than it is currently in, when the only default gateway is in the DMZ?

This is really basic routing configuration, I'll keep this reply focused on just the routing part.

In the routing table, the device will pick the most specific routes in the table first, then choose the least specific or default route last. Along with this, routes are also ordered in the table by physically or directly connected subnets, static routes (ones we configure), and dynamic routes (learned via BGP, OSPF, and so on). On the ESAs you just have static and directly connected routes. So keep this in mind and the rest will make sense.

All the routing configuration will be configured as below on the ESA Appliances

  1. So because we know that most of the internet addresses are accessing the DMZ through a NAT public address on the firewall, we'll leave the default route pointing to the DMZ gateway. This is the least specific route on the table; basically, if all else fails, send traffic here.
  2. The next route added will be more specific, and since we know that all private addresses will be communicating on the outbound LAN interface, you will configure the following known private address subnets, also known as RFC1918, to point to the LAN: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12. Think of this as the default route for your private address space.
  3. Now you may have a few (special case) routes on the private or public side you want to send through a different gateway. For example, I want to send 192.168.1.0/24 (which is more specific than a /16 or 255.255.0.0 mask) to a gateway accessed through the management port. Or you can create a route for just a single machine, 192.168.1.5, which is the most specific and will overrule most if not all routes on the table.

Now you may have noticed I did not tell you to configure the DMZ subnet or the LAN subnet, or even the management subnet. These are directly connected and as long as the Interface is correctly configured you do not configure them. You only need to configure routes.

There are a lot more fun and even more advanced routing topics, but as this is just an email appliance, the above more than covers what is needed to know. You can google, youtube, or wiki for more info.

I hope this in depth reply on routing helps answer your question.
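The longest-prefix-match behaviour described in the reply above, worked through as an added example (not code from the thread or from Cisco): a constructed ESA-style table with a default route out the DMZ interface, RFC1918 summaries out the LAN interface, the /24 special case via the management gateway and the /32 host override, plus the directly connected subnets that are never configured as routes. All addresses are RFC 5737 documentation ranges chosen for illustration.

```python
import ipaddress

# Constructed static routes, in the order an admin would add them on the ESA.
# Order does not matter for the lookup: the longest matching prefix wins.
ROUTES = [
    # (destination,      next-hop,       egress interface)
    ("0.0.0.0/0",      "203.0.113.1",  "Data1 (DMZ)"),   # default: DMZ firewall gateway
    ("10.0.0.0/8",     "192.0.2.254",  "Data2 (LAN)"),   # RFC1918 summaries -> LAN
    ("172.16.0.0/12",  "192.0.2.254",  "Data2 (LAN)"),
    ("192.168.0.0/16", "192.0.2.254",  "Data2 (LAN)"),
    ("192.168.1.0/24", "198.51.100.1", "Management"),    # special case via mgmt gateway
    ("192.168.1.5/32", "192.0.2.254",  "Data2 (LAN)"),   # single-host override
]

# Directly connected subnets (assumed values): derived from the interface
# configuration itself, so they are not entered as routes.
CONNECTED = [
    ("203.0.113.0/24",  "Data1 (DMZ)"),
    ("192.0.2.0/24",    "Data2 (LAN)"),
    ("198.51.100.0/24", "Management"),
]


def lookup(dst):
    """Return (matched prefix, next-hop, interface) for a destination address.

    Connected subnets are considered first and win ties; among everything else
    the longest (most specific) prefix wins, and 0.0.0.0/0 is the last resort.
    """
    ip = ipaddress.ip_address(dst)
    best = None  # (network, next-hop, interface)
    for net, iface in CONNECTED:
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, "connected", iface)
    for net, gw, iface in ROUTES:
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    return (str(best[0]), best[1], best[2])


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.5.5.5", "192.168.1.20", "192.168.1.5", "192.0.2.10"):
        print(dst, "->", lookup(dst))
```

Running it shows why the inbound and outbound data interfaces can live in different VLANs with a single default gateway: the mail server's private address never reaches the default route because a more specific RFC1918 summary sends it out the LAN interface first.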