DNS is using the same MX records as is hosted in the ISP.

We need to know whether we have to allow the new ISP public ips we used to configure the Firewall interface

has to be allowed on Cisco Iron port as EMail traffic is getting affected.

The ESA does not need to know IP's for external emails coming to it, since it would accept all connections and then perform reputation checks, etc before accepting the email.

ESA only needs to be configured to know IP's used to send email outside (usually internal exchange) which isn't the case here.

Since you mentioned email traffic as affected, did you see traffic even reaching the ESA after the ISP change?

mail_logs on the ESA would log all SMTP connections coming to the ESA as ICID.

Even telnet to the ESA from an external source would show if connection is timing out, being rejected, etc.

If it's a network down situation, you should certainly consider contacting TAC to get quick assistance.

Regards,

Libin

Thanks for answering

Actually it is not a Network down issue.

We have changed our design by adding redundancy on the ISP Internet link,by providing a new ISP and by configuring new NGFW interface as a Backup InTERFACE.Now when the primary Internet link goes down then the secondary link will be up with the new NGFW backup interface.New public ips were used for this task.

So when this new backup link is up , the traffic will pass through the new NGFW backup interfaces.

We allowed all natting for the new interfaces and all services are allowed to pass traffic via the new NGFW interface towards the Internet.

Problem faced is the external Email traffic is getting affected when we enable the traffic to pass through the NGFW backup interfaces on the NGFW and simultaneously using the new ISP link.

Please can you advise on this from ESA perspective.