10-27-2020 11:51 PM
Hi,
We have recently connected a new ISP as a redundant Internet Service Provider; we configured a new interface on the NGFW for the new ISP with new public IPs.
All our services are working fine through the new ISP but External emails are failing.
We have allowed the new public subnet in the DNS Umbrella too.
We have Cisco ESA as our email gateway; do we need to allow our new public ISP subnet on the Cisco ESA?
10-28-2020 01:21 AM
Not sure how your DNS is set up; have you changed the MX records to a new ISP IP address?
11-01-2020 12:36 AM
DNS is using the same MX records as hosted at the ISP.
We need to know whether the new ISP public IPs we used to configure the firewall interface have to be allowed on the Cisco IronPort, as email traffic is getting affected.
11-01-2020 10:53 PM
The ESA does not need to know IPs for external emails coming to it, since it would accept all connections and then perform reputation checks, etc. before accepting the email.
The ESA only needs to be configured to know the IPs used to send email outside (usually internal Exchange), which isn't the case here.
Since you mentioned email traffic as affected, did you see traffic even reaching the ESA after the ISP change?
mail_logs on the ESA would log all SMTP connections coming to the ESA as ICID.
Even telnet to the ESA from an external source would show if connection is timing out, being rejected, etc.
If it's a network down situation, you should certainly consider contacting TAC to get quick assistance.
Regards,
Libin
11-01-2020 11:16 PM
Thanks for answering
Actually it is not a network down issue.
We have changed our design by adding redundancy on the ISP Internet link, by providing a new ISP and by configuring a new NGFW interface as a backup interface. Now when the primary Internet link goes down, the secondary link will be up with the new NGFW backup interface. New public IPs were used for this task.
So when this new backup link is up, the traffic will pass through the new NGFW backup interfaces.
We allowed all NAT for the new interfaces, and all services are allowed to pass traffic via the new NGFW interface towards the Internet.
The problem faced is that external email traffic is getting affected when we enable traffic to pass through the backup interfaces on the NGFW and simultaneously use the new ISP link.
Please can you advise on this from ESA perspective.
11-02-2020 12:01 AM
My inputs would be the same as earlier. Unless we have some errors on the ESA side, we'll need to isolate how the traffic flow is working.
Do you see traffic reaching the ESA from the new interface?
mail_logs on the ESA would log all SMTP connections coming to the ESA as ICID.
Even telnet to the ESA from the backup interfaces would show if connection is timing out, being rejected, etc.
Packet captures should help narrow down what's going on.
Regards,
Libin
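The telnet check Libin suggests, scripted so it can be repeated from the primary and backup paths. This is an added example, not Cisco's code or anything posted in the thread; the hostnames and the local stand-in listener are constructed, and the optional source_ip is assumed to be an address on the interface whose egress path you want to exercise.

```python
import socket
import threading

def start_fake_esa(banner=b"220 esa.example.com ESMTP\r\n"):
    """Constructed stand-in for the ESA listener so the probe runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            conn.recv(1024)                       # EHLO from the probe
            conn.sendall(b"250 esa.example.com\r\n")
            conn.recv(1024)                       # QUIT
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """Pick a local port with nothing listening, to show the 'refused' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def probe_smtp(host, port=25, source_ip=None, timeout=5.0):
    """Connect, read the 220 banner, send EHLO, and classify the outcome.
    source_ip binds the client socket so the probe egresses via that interface."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if source_ip:
            sock.bind((source_ip, 0))
        sock.connect((host, port))
        banner = sock.recv(1024).decode(errors="replace").strip()
        if not banner.startswith("220"):
            return {"status": "rejected", "banner": banner}
        sock.sendall(b"EHLO probe.example.net\r\n")
        ehlo = sock.recv(1024).decode(errors="replace").strip()
        sock.sendall(b"QUIT\r\n")
        return {"status": "ok", "banner": banner, "ehlo": ehlo}
    except socket.timeout:
        return {"status": "timeout", "banner": None}
    except ConnectionRefusedError:
        return {"status": "refused", "banner": None}
    finally:
        sock.close()
```

Run probe_smtp against the ESA's public MX address once with source_ip on the primary path and once on the backup path; a "timeout" on the backup path alone points at the NGFW/NAT, while a matching "ok" on both means the connection is reaching the ESA and mail_logs (ICID entries) should show it.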