New ISP connected to our Network but External emails are not working

Hi,

We have recently connected a new ISP as a redundant Internet service provider. We configured a new interface on the NGFW for the new ISP with new public IPs.

All our services are working fine through the new ISP, but external emails are failing.

We have allowed the new public subnet in the DNS Umbrella too.

We have Cisco ESA as our email gateway. Do we need to allow our new public ISP subnet on the Cisco ESA?

balaji.bandi
Hall of Fame
Not sure how your DNS is set up; have you changed the MX records to a new ISP IP address?

BB

DNS is using the same MX records as are hosted at the ISP.

We need to know whether the new ISP public IPs we used to configure the firewall interface have to be allowed on the Cisco IronPort, as email traffic is getting affected.

The ESA does not need to know IPs for external emails coming to it, since it would accept all connections and then perform reputation checks, etc., before accepting the email.

The ESA only needs to be configured to know the IPs used to send email outside (usually internal Exchange), which isn't the case here.

Since you mentioned email traffic as affected, did you see traffic even reaching the ESA after the ISP change?

mail_logs on the ESA would log all SMTP connections coming to the ESA as ICID.

Even telnet to the ESA from an external source would show if the connection is timing out, being rejected, etc.

If it's a network down situation, you should certainly consider contacting TAC to get quick assistance.


Regards,

Libin

Thanks for answering

Actually, it is not a network down issue.

We have changed our design by adding redundancy on the ISP Internet link, by providing a new ISP and by configuring a new NGFW interface as a backup interface. Now when the primary Internet link goes down, the secondary link will be up with the new NGFW backup interface. New public IPs were used for this task.

 

So when this new backup link is up, the traffic will pass through the new NGFW backup interfaces.

We allowed all NAT for the new interfaces, and all services are allowed to pass traffic via the new NGFW interface towards the Internet.

The problem faced is that external email traffic is getting affected when we enable the traffic to pass through the NGFW backup interfaces on the NGFW while simultaneously using the new ISP link.

Please can you advise on this from an ESA perspective.

Libin Varghese
Cisco Employee

My inputs would be the same as earlier. Unless we have some errors on the ESA side, we'll need to isolate how traffic flow is working.

 

Do you see traffic reaching the ESA from the new interface?

mail_logs on the ESA would log all SMTP connections coming to the ESA as ICID.

 

Even telnet to the ESA from the backup interfaces would show if the connection is timing out, being rejected, etc.

Packet captures should help narrow down what's going on.

 

Regards,

Libin
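
The telnet check suggested in the replies above, written as a small script so the outcome (timing out, refused, rejected, accepted) is classified explicitly. This is an added example, not part of the original thread; the function name `probe_smtp`, its `source_ip` parameter and the placeholder address are assumptions made for illustration.

```python
import socket

def probe_smtp(host, port=25, timeout=5.0, source_ip=None):
    """Do what the manual telnet test does and classify the outcome.

    source_ip (optional) pins the local address, so a multi-homed test host
    can choose which of its own addresses the connection leaves from.
    Returns (verdict, detail).
    """
    src = (source_ip, 0) if source_ip else None
    try:
        sock = socket.create_connection((host, port), timeout=timeout,
                                        source_address=src)
    except socket.timeout:
        # SYN never answered: dropped on the path (NAT/ACL) or the reply was lost.
        return ("timeout", "no reply to the connection attempt")
    except ConnectionRefusedError:
        # RST came back: the address is reachable but port 25 is not open.
        return ("refused", "connection refused")
    except OSError as exc:
        return ("unreachable", str(exc))
    with sock:
        try:
            banner = sock.recv(512).decode("ascii", "replace").strip()
        except socket.timeout:
            return ("timeout", "TCP connected but no SMTP banner arrived")
        except OSError as exc:
            return ("closed", str(exc))
    if not banner:
        return ("closed", "peer closed the connection before any banner")
    if banner.startswith("220"):
        return ("accepted", banner)      # listener is answering normally
    if banner[:1] in ("4", "5"):
        return ("rejected", banner)      # listener turned the session down
    return ("unexpected", banner)        # something other than SMTP answered

if __name__ == "__main__":
    # 192.0.2.25 is a documentation address used as a placeholder target.
    print(probe_smtp("192.0.2.25", timeout=3))
```

A `timeout` verdict while mail_logs shows no new ICID points at the path in front of the ESA; `accepted` or `rejected` means the connection did reach an SMTP listener.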