Routing in Cisco ESA when using Data1 for incoming and Data2 for outgoing emails

M.Hakeem
Level 1

I'm using vESA with the following setup:

1. Management with IP 10.10.10.10/24

2. Data1 (incomingmail) with IP 172.16.10.10/24 (public)

3. Data2 (outgoingmail) with IP 172.16.11.10/24 (private)

 

Data1 and Data2 are connecting to firewall in DMZ1 and DMZ2. Management is connecting to inside.

What does the email flow look like, and how is the routing done?

4 Replies

Libin Varghese
Cisco Employee

The mail flow and routing would work based on what network routes are configured and how you are directing emails towards the ESA.

 

For instance, which interface on the ESA are emails from the internet being sent to? Is traffic allowed from the internet (through the firewall) to that interface?

 

For emails from the internal Exchange going outbound, which interface are you sending them to, and is traffic allowed from the internal Exchange to that interface?

 

When trying to create a delivery connection, the ESA would select the default gateway configured, unless there are static routes configured under Network -> Routing.

 

Since these are mostly network design decisions, it can be done any way that is required on your end.

Thanks for your reply. Please find the details below.

 

ESA Configuration:
==================
interfaces:
===========
e1 (Incoming) 10.96.130.3/29  -----> Gateway 10.96.130.1
e2 (Outbound) 10.96.130.11/29 -----> Gateway 10.96.130.9
e0 (Management) 10.96.5.33/24 -----> Gateway 10.96.5.1

Exchange:
=========
10.1.7.11/24

AD:
===
10.1.9.152/24

Routing:
========
Destination            Gateway
10.1.7.0/24           10.96.130.9
10.1.9.0/24           10.96.5.1
10.1.14.0/24          10.96.5.1   (To manage ESA)
Default route         10.96.130.1


Firewall Configuration
=======================
10.96.130.3 NATed to (ex: 20.1.1.1)
10.96.130.11 NATed to (ex: 20.1.1.2)

 

Is the routing right or not? If yes, when I send an email the recipient receives it as spam, and the cause is SPF. The recipient receives the email from the IP 20.1.1.1, for which there is no SPF configuration. I configured SPF verification on IP 20.1.1.2.

 

So, in my scenario, do I need two public IPs (one for the MX record and a second for SPF verification)?

Looking at the part of the configuration provided, what I can say is that for all connections created for IPs not added in the routing table, the ESA will use the default route 10.96.130.1 to deliver those emails.

 

Once this is selected as the gateway, the ESA will look for the lowest-IP interface to create a connection, which here is 10.96.130.3; hence the external recipient sees connections from 20.1.1.1.

 

You can try setting the interface to be used for delivery to a higher IP than the inbound and try testing further.
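As an added illustration of the behaviour described in this reply (not code from the thread or from Cisco), the following simplified model reproduces the route lookup, the choice of source interface and the resulting SPF outcome for the addresses posted above. The SPF record, the remote recipient IP and the `forced` delivery-interface override are constructed assumptions for the model; the ESA's real selection logic is not reproduced here.

```python
import ipaddress

# Constructed model of the setup in the thread (simplified; not the ESA's real algorithm).
INTERFACES = {
    "e1": ipaddress.ip_interface("10.96.130.3/29"),   # inbound, NATed to 20.1.1.1
    "e2": ipaddress.ip_interface("10.96.130.11/29"),  # outbound, NATed to 20.1.1.2
    "e0": ipaddress.ip_interface("10.96.5.33/24"),    # management
}
NAT = {"10.96.130.3": "20.1.1.1", "10.96.130.11": "20.1.1.2"}
ROUTES = {  # destination -> gateway, as posted; 0.0.0.0/0 stands for the default route
    "10.1.7.0/24": "10.96.130.9",
    "10.1.9.0/24": "10.96.5.1",
    "10.1.14.0/24": "10.96.5.1",
    "0.0.0.0/0": "10.96.130.1",
}
# Constructed SPF record for the sending domain: only the outbound NAT IP is authorised.
SPF = "v=spf1 ip4:20.1.1.2 -all"


def gateway_for(dest, routes):
    """Longest-prefix match over the static routes, falling back to the default route."""
    dest = ipaddress.ip_address(dest)
    best = max((ipaddress.ip_network(n) for n in routes if dest in ipaddress.ip_network(n)),
               key=lambda n: n.prefixlen)
    return ipaddress.ip_address(routes[str(best)])


def delivery_interface(dest, routes, interfaces, forced=None):
    """Pick the source interface: an explicit delivery interface if set (assumed override),
    else the lowest-IP interface whose subnet contains the selected gateway."""
    if forced:
        return forced
    gw = gateway_for(dest, routes)
    on_link = [name for name, itf in interfaces.items() if gw in itf.network]
    candidates = on_link or list(interfaces)  # fall back to the lowest IP overall
    return min(candidates, key=lambda name: interfaces[name].ip)


def spf_allows(public_ip, spf_record):
    """Minimal SPF check: does any ip4: mechanism cover the connecting IP?"""
    ip = ipaddress.ip_address(public_ip)
    nets = [m[4:] for m in spf_record.split() if m.startswith("ip4:")]
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def outbound_check(dest, routes=ROUTES, forced=None):
    """Return (interface used, public IP the recipient sees, SPF pass/fail)."""
    itf = delivery_interface(dest, routes, INTERFACES, forced)
    public_ip = NAT[str(INTERFACES[itf].ip)]
    return itf, public_ip, spf_allows(public_ip, SPF)
```

With the posted routing, mail to an internet recipient leaves via e1 and shows up as 20.1.1.1, failing SPF; forcing e2 as the delivery interface, or pointing the default route at 10.96.130.9, makes it leave as 20.1.1.2 and pass.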

Yes, it is working now.

 

I need a checklist template to test ESA and SMA after migration.