How to configure routing in Ironport with 2 network interfaces?

Alibek Ismailov
Level 1

Hello, I configured a 2nd network interface on IronPort.

I want the 2nd interface to send messages from the 2nd outside IP address.

On the Default Route I have the gateway of the 1st interface.

I added a second route (in Destination I put the IP address (DMZ zone) of the 2nd interface (AM I RIGHT?) and in Gateway the gateway of the 2nd interface).

*(See attachment)

The 2nd interface gets messages from the Mail Server, but sends them through the 1st interface from the 1st outer IP address.

When I change the Default Route Gateway to the gateway of the 2nd interface, both interfaces send messages through the 2nd interface from the 2nd outer IP address. So the 1st interface doesn't send from the 1st outer IP address.

How do I configure routing in IronPort so that the 1st interface sends messages through the 1st outer IP address and the 2nd interface sends messages through the 2nd outer IP address?

Accepted Solution

Boris Uskov
Level 4

Hello, Alibek

By default, IronPort will choose the interface which is nearest to the destination. So, in your case (according to the screenshot), the second interface's IP address will be chosen only if the destination IP address of the packet is in 192.168.9.x.
But, to make IronPort send messages from the second interface you can create an outgoing content filter. In the filter you can choose the action "Deliver from IP Interface". Please see the attachment.

Previously I had a similar task, and I solved it in the way described here:
https://supportforums.cisco.com/discussion/12541481/esa-policy-based-routing

My 1st MailServer (192.168.9.*) sends messages to the 1st interface (192.168.9.*).

My 2nd MailServer (192.168.10.*) sends messages to the 2nd interface (192.169.10.*).

So IronPort must send messages from the 2nd MailServer through the 2nd interface, shouldn't it?

But it sends messages from the 1st interface.

I configured an outgoing content filter to send from the 2nd interface. But the 2nd interface gets messages and sends them from the 1st interface. (See attachment)

Hello, Alibek.

I'm very sorry for the delay.
This behaviour of IronPort is expected. When it receives messages from the 2nd MailServer (192.168.10.*), each message contains some destination address. For example, the message should be delivered to one of the gmail servers.
Let's assume that the gmail server to which the mail should be delivered has the IP address 1.2.3.4. IronPort looks at its routing table for destination 1.2.3.4. So IronPort understands that it should use the default gateway. What is the nearest interface to the default gateway IP address? It is the 1st interface. So IronPort will use the 1st interface IP address as the source IP address to relay the message outside.

You need to use Outgoing Content Filters to deliver from the 2nd interface. For example, if the 1st MailServer serves the mail domain @abc.com and the 2nd MailServer serves the mail domain @xyz, you can create an Outgoing Content Filter to deliver messages whose Envelope Sender field contains "xyz" from the 2nd interface. For example, see the attachment.
Or you can use some other conditions in Outgoing Content Filters, depending on your situation.
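As an added illustration of the decision Boris describes (not code from the thread or from Cisco): a small Python model of how the source interface falls out of the routing table, and how an outgoing content filter keyed on the envelope sender overrides it. The interface names, addresses, gateway and the "xyz" rule are constructed assumptions modelled on the thread.

```python
import ipaddress

# Constructed topology (assumption, modelled on the thread): two ESA interfaces,
# each on its own /24, with the mail servers on those same subnets.
INTERFACES = {
    "Interface1": ipaddress.ip_interface("192.168.9.10/24"),
    "Interface2": ipaddress.ip_interface("192.168.10.10/24"),
}

# Routing table as (destination network, gateway). Only a default route is
# needed when both mail servers sit on directly connected subnets.
DEFAULT_ROUTES = [("0.0.0.0/0", "192.168.9.1")]


def next_hop(dst, routes=DEFAULT_ROUTES):
    """Address the ESA forwards to: the destination itself when it is on a
    connected subnet, else the gateway of the longest-prefix matching route."""
    dst = ipaddress.ip_address(dst)
    if any(dst in iface.network for iface in INTERFACES.values()):
        return dst
    table = [(ipaddress.ip_network(n), ipaddress.ip_address(g)) for n, g in routes]
    candidates = [r for r in table if dst in r[0]]
    if not candidates:
        raise ValueError("no route to %s" % dst)
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def source_interface(dst, routes=DEFAULT_ROUTES):
    """The 'nearest' interface from the thread: the one whose subnet contains the
    next hop. Its address becomes the source IP of the outbound SMTP session."""
    hop = next_hop(dst, routes)
    for name, iface in INTERFACES.items():
        if hop in iface.network:
            return name
    raise ValueError("next hop %s is not on any interface subnet" % hop)


def deliver_from(envelope_sender, dst, filters=(), routes=DEFAULT_ROUTES):
    """Outgoing content filters as (substring, interface) pairs: the first rule
    whose substring appears in the envelope sender wins ("Deliver from IP
    Interface"); with no match, the routing decision above applies."""
    for substring, iface in filters:
        if substring in envelope_sender:
            return iface
    return source_interface(dst, routes)
```

Swapping the default gateway for one on the 192.168.10.0/24 subnet makes every external destination leave via Interface2, which is exactly the symptom Alibek saw after changing the Default Route Gateway.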

Hello, Boris.

Thanks, but as I wrote in my previous message, I configured an Outgoing Content Filter to deliver messages from user@abc.com from the 2nd interface, but the 2nd interface receives messages from the 2nd MailServer and sends them outside through the 1st interface. You can look at the attachment in the previous message.

Ok, I see it. Have you applied the content filter to an Outgoing Mail Policy? I mean something like in the attachment...

Yes, I applied it.

Ok, so we have to investigate the issue more deeply.
Could you please share screenshots of the configuration of the outgoing content filter and the outgoing mail policies?
And I'd like to verify the screenshot from Network -> Routing one more time (I know that you posted it already, but please make a fresh screenshot).

Screenshots in attachment.

On the routing page, in Destination, must I put the address of the subnet (where the 2nd MailServer and the 2nd IronPort interface are)? (See attachment)

Should I remove the 2nd MailServer from Sender Group: Relaylist (1st interface) and vice versa? (See attachment)

From my point of view, if both mail servers are on the same subnets as the interfaces of IronPort, you don't need to add any special routes to the routing table of IronPort. You need only one route: the default route.

No, you don't have to remove the MailServers from the Relaylists.

One more suggestion. Try to use System Administration -> Trace to emulate the mail flow from the 2nd MailServer. Post the results of the trace here, please.

I did a trace; it was sent through the 2nd interface.

Ah, ok, the trace shows that the message was received by the 2nd interface, but it doesn't show us from which interface the message would be sent.

Please check the field "content filter processing" in the output of the trace. Let's be sure that the message matches the content filter "Interface2".

And one more thing. I noticed that you use an Antispam rule in your outgoing policies. Usually you don't need to switch on Antispam rules in outgoing policies, because it is assumed that the outgoing messages from your MailServer are trusted and you are not a spammer.

I caught one guy in my company who sent his own advertisements, so Antispam in the outgoing policy is needed.