Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1612
Views
5
Helpful
5
Replies

New ISP connected to our Network but External emails are not working

IdrisMohiuddin91379
Level 1
Level 1

‎10-27-2020 11:51 PM

Hi,

We have recently connected a new ISP as a redundant Internet Service provider,we configured a New interface on the NGFW for the new ISP with new Public ips .

All our services are working fine through the new ISP but External emails are failing.

We have allowed the new Public subnet in the DNS Umbrella too.

We have Cisco ESA as our EMail Gateway,do we need to allow our New Public ISP subnet on the Cisco ESA.

Labels:
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎10-28-2020 01:21 AM

Not sure how your DNS, have you changed New MX records to a new ISP IP address?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

IdrisMohiuddin91379
Level 1
Level 1
In response to balaji.bandi

‎11-01-2020 12:36 AM

DNS is using the same MX records as is hosted in the ISP.

We need to know whether we have to allow the new ISP public ips we used to configure the Firewall interface

has to be allowed on Cisco Iron port as EMail traffic is getting affected.

0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee
In response to IdrisMohiuddin91379

‎11-01-2020 10:53 PM

The ESA does not need to know IP's for external emails coming to it, since it would accept all connections and then perform reputation checks, etc before accepting the email.

ESA only needs to be configured to know IP's used to send email outside (usually internal exchange) which isn't the case here.

Since you mentioned email traffic as affected, did you see traffic even reaching the ESA after the ISP change?

mail_logs on the ESA would log all SMTP connections coming to the ESA as ICID.

Even telnet to the ESA from an external source would show if connection is timing out, being rejected, etc.

If it's a network down situation, you should certainly consider contacting TAC to get quick assistance.


Regards,

Libin

0 Helpful

IdrisMohiuddin91379
Level 1
Level 1
In response to Libin Varghese

‎11-01-2020 11:16 PM

Thanks for answering

Actually it is not a Network down issue.

We have changed our design by adding redundancy on the ISP Internet link,by providing a new ISP and by configuring new NGFW interface as a Backup InTERFACE.Now when the primary Internet link goes down then the secondary link will be up with the new NGFW backup interface.New public ips were used for this task.

 

So when this new backup link is up , the traffic will pass through the new NGFW backup interfaces.

We allowed all natting for the new interfaces and all services are allowed to pass traffic via the new NGFW interface towards the Internet.

Problem faced is the external Email traffic is getting affected when we enable the traffic to pass through the NGFW backup interfaces on the NGFW and simultaneously using the new ISP link.

Please can you advise on this from ESA perspective.

0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee

‎11-02-2020 12:01 AM

My inputs would be same as earlier. Unless we have some errors on the ESA side, we'll need to isolate how traffic flow is working.

 

Do you see traffic reaching the ESA from the new interface?

mail_logs on the ESA would log all SMTP connections coming to the ESA as ICID.

 

Even telnet to the ESA from the backup interfaces would show if connection is timing out, being rejected, etc.

Packet captures should help narrow down what's going on.

 

Regards,

Libin

0 Helpful
Customers Also Viewed These Support Documents