ASA mail flow with 2 ISP

Lee Dress
Level 1

I have 2 ISPs that feed my ASA 5516.

I have a NAT that routes incoming mail from one ISP to the mail gateway. This weekend that circuit went down, so no mail was flowing in.

I'd like to be able to add a NAT from the other ISP to the mail server.

Is it possibly that simple that I just need to add a NAT and an access rule? I'm not concerned about outbound mail, just inbound.

I have the ability to make a second MX record in DNS, so if the first MX record doesn't respond, mail will route to the second MX record.

Accepted Solution

Hi Lee Dress,

You need to set up two NAT rules and then allow access to the private IP of the mail server in the access-list (if you are using two access-lists, one for each ISP, then in both; if a single access-list, then in that one only).

Then you need to set up two MX records in DNS.

Following is the sample configuration:

Let's say "OUTSIDE" & "OUTSIDE2" are the two nameifs for the ISP-facing interfaces.

nat (INSIDE,OUTSIDE) source static <mail server network object> <ISP1 routeable IP network object>
nat (INSIDE,OUTSIDE2) source static <mail server network object> <ISP2 routeable IP network object>
access-list OUTSIDE-ACCESS-IN extended permit tcp any4 host <Private IP of mail server> eq 25
access-group OUTSIDE-ACCESS-IN in interface OUTSIDE
access-group OUTSIDE-ACCESS-IN in interface OUTSIDE2

Spooster IT Services Team
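The accepted solution above uses placeholders. The following is an added, fuller worked example of the same design (not from the original post or from Cisco): two ISP-facing interfaces, two floating default routes, one manual static NAT per ISP interface pair, a single inbound ACL bound on both outside interfaces, and the commands to verify the result. Every interface name, object name and address is an assumption (RFC 5737 documentation ranges), not the poster's real values.

```cisco
! Added example: dual-ISP inbound SMTP on an ASA 5516-X (ASA 9.x syntax).
! All names and addresses are assumptions for illustration only.
interface GigabitEthernet1/1
 nameif OUTSIDE
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet1/2
 nameif OUTSIDE2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface GigabitEthernet1/3
 nameif INSIDE
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Two default routes with different administrative distances. The ISP2 route
! only enters the routing table when the OUTSIDE interface goes down and its
! route is withdrawn.
route OUTSIDE 0.0.0.0 0.0.0.0 203.0.113.1 1
route OUTSIDE2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Network objects: manual (twice) NAT takes object names, not bare addresses.
object network MAIL-SERVER
 host 10.1.1.25
object network MAIL-PUBLIC-ISP1
 host 203.0.113.25
object network MAIL-PUBLIC-ISP2
 host 198.51.100.25
!
! One static NAT per ISP interface pair. Each rule names its own outside
! interface, so replies to a connection that arrived on OUTSIDE2 are sent
! back out OUTSIDE2 even while the active default route points at OUTSIDE;
! inbound SMTP on the second ISP therefore works without any routing change.
nat (INSIDE,OUTSIDE) source static MAIL-SERVER MAIL-PUBLIC-ISP1
nat (INSIDE,OUTSIDE2) source static MAIL-SERVER MAIL-PUBLIC-ISP2
!
! Permit only SMTP to the mail server's real (post-NAT) address and bind the
! same ACL inbound on both ISP interfaces.
access-list OUTSIDE-ACCESS-IN extended permit tcp any4 object MAIL-SERVER eq smtp
access-group OUTSIDE-ACCESS-IN in interface OUTSIDE
access-group OUTSIDE-ACCESS-IN in interface OUTSIDE2
!
! Verification (privileged exec mode): simulate an inbound SMTP SYN from an
! assumed external sender on each ISP and confirm the NAT phase un-translates
! the destination to 10.1.1.25 and the final result is ALLOW.
! packet-tracer input OUTSIDE  tcp 192.0.2.10 40000 203.0.113.25 25
! packet-tracer input OUTSIDE2 tcp 192.0.2.10 40000 198.51.100.25 25
! show nat detail
! show route
```

The DNS side is the two MX records the thread mentions, each pointing at a hostname whose A record is one of the two public addresses (for example preference 10 for the ISP1 address and 20 for the ISP2 address); sending mail servers try the lowest preference first and fall back to the other only when it does not answer, so the second record is used automatically while ISP1 is down. One caveat the thread does not cover: the floating route only takes over when the OUTSIDE interface itself goes down. An upstream failure that leaves the link up keeps the ISP1 route installed, which matters for outbound mail and for any return traffic not tied to a NAT rule, and needs route tracking (sla monitor with track on the primary route) to handle.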


4 Replies

Kias
Level 1

Is it something similar to this?

https://supportforums.cisco.com/t5/security-documents/dual-isp-implementation-on-asa/ta-p/3144475

Kias
Fonicom Limited
raiseaticket Malta

That's quite easy. If you already have two default routes (with different ADs) to both ISPs, then it's just a second static NAT entry and ACE for the second ISP.


Thanks for the help.

I didn't think it was going to be that simple.

I assumed I would get barked at by the ASA for having 2 rules with the same protocol.

All done. I just need to set up the second MX record in external DNS.
