Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1880
Views
0
Helpful
4
Replies

ESA Deployment without public IP address

Go to solution
kachavda
Level 1
Level 1

‎08-02-2016 07:45 PM

Hello Experts,

I want to know that if I deploy the ESA into my network without public IP address with a config on the ASA as if is there any traffic for port 25 then forwards it to the ESA then to the Exchange.

I have published my firewall's public IP address in the MX record.

In this scenario, will there be any issue for the ESA to determine sender's reputation while receiving an email?

And if the ESA is not able to determine sender's reputation then what is the best way to deploy the ESA without using a public IP address.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎08-03-2016 07:17 AM

I would expect that 99% of ESA-installations are using a private IP on the public listener with static NAT on the firewall in front of the ESA. There is nothing wrong on this. Just think about what get's translated here. It's the destination IP of the request that comes from the internet and the ESA still sees the IP of the sender. Only your internal Mailserver doesn't see the original sender-IP. But that typically doesn't matter as the SPAM-check is already done when the mail hits the internal server.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Mathew Huynh
Cisco Employee
Cisco Employee

‎08-02-2016 10:38 PM

Hello Kachavda,

On the ESA it does not require a public IP interface.

But when connection comes from internet -> ASA -> ESA -> Exchange

When ASA -> ESA, is the ASA going to mask the original source IP with it's own?

If this is the case, it will break SBRS filtering and the recommended settings if this is the case is to run an incoming relay setup so we can look for the original source IP within email headers.

Regards,

matthew

0 Helpful

Go to solution
kachavda
Level 1
Level 1
In response to Mathew Huynh

‎08-03-2016 07:14 PM

Hi Mathew,

Thank you for your reply. ASA is not going to mask source IP with its own.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎08-03-2016 07:17 AM

I would expect that 99% of ESA-installations are using a private IP on the public listener with static NAT on the firewall in front of the ESA. There is nothing wrong on this. Just think about what get's translated here. It's the destination IP of the request that comes from the internet and the ESA still sees the IP of the sender. Only your internal Mailserver doesn't see the original sender-IP. But that typically doesn't matter as the SPAM-check is already done when the mail hits the internal server.

0 Helpful

Go to solution
kachavda
Level 1
Level 1
In response to Karsten Iwen

‎08-03-2016 07:18 PM

Thanks Karsten for helping.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents