Cisco Secure Email Support Community

lfkentwell
Beginner

Ironport ESA behind a NAT address

I know it is recommended to give an Ironport ESA a public IP on a dedicated interface to take advantage of the reputation checking etc. I believe this is so it receives the email from the original sender IP, and if you put a relay between the Ironport and the original sender you break this. I know there are some things you can turn on in this case, but my question is: if I NAT from an external IP to the Ironport's internal IP, this shouldn't lose the feature because the origin IP doesn't change and the connection is still direct to the Ironport, not via a relay. Is this correct? Will I lose any functionality if I NAT the Ironport? The reason I'm asking is I don't have a free IP to give just to the Ironport, but have others I can reuse since SMTP is not in use on these IPs.

1 ACCEPTED SOLUTION

Rehan Latif
Cisco Employee

Hi Lance,

Using a NATed IP address does not break any of the ESA functionality, including reputation filtering. The ESA is only looking at the source IP address for inbound connections, and if the firewall is not changing the source IP, the ESA will be able to perform reputation filtering without issues.

Using another MTA before the ESA will include a little bit of complexity. However, even with that it is possible to perform reputation filtering using a combination of the "Incoming Relay" feature and content/message filters.

Regards,

Rehan Latif
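
The source-IP logic described in this answer, as an added Python sketch that is not part of the original post and is not Cisco's implementation of Incoming Relay: behind destination NAT the connecting peer is still the sender, while behind a relay the sender's IP has to be recovered from the Received header the relay wrote. The relay range, the header layout and all function names are assumptions.

```python
import ipaddress
import re

# Hypothetical upstream relay range (documentation addresses); the page names none.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/28")]

# Bracketed peer address in "from host (name [ip]) by ..." (assumed header layout).
RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample: Received headers as the gateway sees them, newest first.
SAMPLE_HEADERS = [
    "from relay1.example (relay1.example [192.0.2.6]) by relay2.example",
    "from mail.sender.example (mail.sender.example [198.51.100.9]) by relay1.example",
    "from forged.invalid (forged.invalid [10.0.0.1]) by mail.sender.example",
]


def is_trusted_relay(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RELAYS)


def reputation_ip(peer_ip, received_headers):
    """Return the IP a reputation lookup should score, or None if unknown.

    peer_ip: source address of the TCP connection as the gateway sees it.
    received_headers: Received header values, newest (top) first.
    """
    if not is_trusted_relay(peer_ip):
        # Direct or destination-NATed connection: source IP is unchanged.
        return peer_ip
    # Peer is our own relay. Each header we reach was written by a trusted
    # hop, so walk down until the first address that is not one of ours.
    for header in received_headers:
        match = RECEIVED_IP.search(header)
        if not match:
            return None  # trusted hop recorded no IP; older headers are forgeable
        try:
            hop = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None  # malformed address in a header we needed to trust
        if not is_trusted_relay(str(hop)):
            return str(hop)  # stop here: anything older was written by the sender
    return None


if __name__ == "__main__":
    print(reputation_ip("203.0.113.7", []))            # NAT case
    print(reputation_ip("192.0.2.5", SAMPLE_HEADERS))  # relay case
```
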
