E-Mail Server on Asa

Mesut Canbolat
Level 1

Dear All,

My requirements for our mail server are below:

Able to send and receive emails from and to outside internet domains with two public IP addresses, one from ISP1 and one from ISP2. Our DNS records for ourdomain.com are on ISP1's and ISP2's name servers, with the same MX record value of 10.

Scenario:

If the ISP1 link fails, email relaying and sending for ourdomain.com will be able to continue over the ISP2 link.

Since we have two identical MX 10 records, is the ISP2 link going to receive emails even while the ISP1 link keeps running?

We would appreciate your config examples and advice.

Thanks

Mesut


Ajay Saini
Level 7

I am not an expert on DNS stuff, but the advice below is based on networking experience:

How is the design actually laid out? Where are the ISPs terminating, and are these two ISPs active at the same time or one at a time? Please confirm the physical setup.

Also, please confirm whether the DNS reply containing the MX record values has both entries if you do a DNS lookup from either ISP, or just the one MX record corresponding to that ISP.

Ideally, if the MX priority values are the same, I would expect traffic to be load balanced, but then that depends on where that traffic (SMTP) goes (which ISP), and that depends on your physical setup.

HTH

-

AJ
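The original question (two MX records at equal preference 10, one per ISP) and AJ's expectation that traffic would be load balanced both come down to how a sending mail server walks the MX list. The following added example is not from the thread; it models the RFC 5321 sender rule (ascending preference, random order among equal preferences, fall through to the next host on connection failure) against a constructed MX set that uses the example addresses Mesut gave later in the thread. The `reachable` callbacks are stand-ins for a real TCP connect to port 25 and are assumptions for the simulation.

```python
import random

# Constructed MX set for the thread's scenario: two hosts at equal preference 10,
# one reachable through each ISP (addresses are the example values from the thread).
MX_RECORDS = [
    (10, "mx1.ourdomain.com", "95.95.95.1"),   # ISP1 link
    (10, "mx2.ourdomain.com", "75.75.75.1"),   # ISP2 link
]


def order_mx(records, rng):
    """Order MX records the way an RFC 5321 sender does: ascending preference,
    with records of equal preference in random order."""
    shuffled = list(records)
    rng.shuffle(shuffled)                         # randomise ties first ...
    return sorted(shuffled, key=lambda r: r[0])   # ... stable sort keeps that order within a preference


def deliver(records, reachable, rng):
    """Walk the ordered list and return the first address that accepts the
    connection, or None when every MX host is unreachable (mail stays queued)."""
    for _pref, _host, addr in order_mx(records, rng):
        if reachable(addr):
            return addr
    return None


def simulate(records, reachable, attempts, seed=1):
    """Count where `attempts` independent deliveries land. `reachable` models the
    link state (a constructed stand-in for a real TCP/25 connect attempt)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(attempts):
        addr = deliver(records, reachable, rng)
        counts[addr] = counts.get(addr, 0) + 1
    return counts


def both_up(addr):
    return True


def isp1_down(addr):
    return addr != "95.95.95.1"


if __name__ == "__main__":
    print("both links up:", simulate(MX_RECORDS, both_up, 1000))
    print("ISP1 down:    ", simulate(MX_RECORDS, isp1_down, 1000))
```

With both links up, deliveries are split across both addresses, so the ISP2 link does receive mail even while ISP1 is healthy; with ISP1 down, every sender falls through to the ISP2 host after its first connect fails. Whether that second connect actually reaches the ASA is the routing question AJ raises below; the MX logic itself only guarantees the retry.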

Thanks AJ for your reply.

Our physical setup: ASA 5512-X
  outside0: ISP1
  outside1: ISP2
  inside: MailServer

Example IPs:

outside0: 95.95.95.1 /28, active
outside1: 75.75.75.1 /28, active at the same time, same MX 10 records
inside: 192.168.1.1 /24
MailServer: 192.168.1.10 /24

No local network, no clients locally connected. All clients are remote clients outside, using IMAP connections.

Please advise, thanks

Mesut

Ok, so can I assume that this query is all about inbound access needed by outside-located clients to the internal Exchange using the IMAP protocol? Or maybe IMAP over SSL?

Please confirm.

-

AJ

So, this is my understanding of your setup; please correct me if I am wrong somewhere:

ISP1 - default gateway with preferred route towards the internet
ISP2 - default gateway with less preferred route towards the internet

In this case, inbound traffic should work for both ISPs since reply traffic will follow the same path back as it came in.

Now, as per your scenario, let's say ISP1 fails and ISP2 is handling incoming traffic for both MX records. Now, when ISP1 comes back up, if the inbound traffic arrives on ISP1, it will work.
It all depends on how quickly ISP1 can punt the traffic for ISP1 towards ISP1. The ASA will have a limited role to play there since it is a recipient.
It depends on the ISP what criteria they have to identify when ISP1 is active or down. Looks like a routing question that should be pointed to the ISP.

Let me know if I missed out on something or there are additional questions.


Yes AJ, it is only IMAP connections.

Hello AJ,


Hi AJ, you did understand everything very well. You are not missing anything. If you have time, could you please try an example setup config? Thanks a lot for your time and advice.

Sorry for the delay here. I am having some trouble with support forum notifications. I will search for some documents or provide a sample config in a day or two max.

-

AJ

Hi AJ ,

Thanks for your kind update. Please take your time; it is not so urgent at the moment.

When you are done with your priority jobs, you are most welcome to provide example configs.

Take Care ,

Mesut

Ok, here is the scenario:

inside - LAN segment

outside - ISP1, with the preferred default gateway

outside2 - ISP2, with the less preferred gateway

Current IP Addresses:
Interface            Name      IP address       Subnet mask      Method
GigabitEthernet0/0   outside   10.0.99.1        255.255.255.0    manual
GigabitEthernet0/1   inside    192.168.129.222  255.255.255.0    manual
GigabitEthernet0/3   outside2  11.11.11.1       255.255.255.0    manual

ciscoasa(config)# sh run route
route outside 0.0.0.0 0.0.0.0 10.0.99.2 1
route outside2 0.0.0.0 0.0.0.0 11.11.11.254 254

Now, we have one public IP address on each ISP through which the inside email server is reachable. Let's say 10.0.99.10 (ISP1 MX record) and 11.11.11.10 (ISP2 MX record).

Also assume that the inside email server is 192.168.129.10.

Let's apply two NAT statements on each ISP:

object network obj-10.0.99.10
host 10.0.99.10
object network obj-192.168.129.10
host 192.168.129.10
object network obj-11.11.11.10
host 11.11.11.10

nat (inside,outside) source static obj-192.168.129.10 obj-10.0.99.10
nat (inside,outside) source static obj-192.168.129.10 obj-11.11.11.10

nat (inside,outside2) source static obj-192.168.129.10 obj-10.0.99.10
nat (inside,outside2) source static obj-192.168.129.10 obj-11.11.11.10

***skipped access-lists, need to be applied for the required ports****

Now, in the normal state (when both ISPs are active), inbound traffic will work fine through either ISP on any IP address.

Let's say ISP1 goes down and ISP2 is active. In this case we would expect traffic to arrive on ISP2. No matter which IP address it comes in on, it will work fine. Let's say that a user on the internet resolved the MX record to IP address 10.0.99.10 (which belongs to ISP1); then the traffic needs to arrive at the ASA via ISP2 (that is something the ISP needs to do) and then the ASA will handle it just fine.

Once ISP1 comes back up, inbound will again work according to how the users on the internet resolve the MX records and where the traffic lands (which ISP).

Please let me know if there are any questions.

FYI, if you wish to add the ISP failover feature here, even then this should work. I don't see any challenge as far as the ASA is concerned.

-

AJ

Hello Dear AJ ,

Sorry for my late reply. Many thanks for your example config for my scenario.

I will be able to deploy this config on our running active ASA network at the end of this month, when we do a half-day maintenance.

I will be posting  all test results here .

Once again thank you for all your great effort and support.

Best Wishes

Mesut

You will also need an SLA tracker to either track the interface or an IP so that the ASA knows when to insert the backup route.  

Also, since traffic will be expected on both interfaces even when ISP2 is not the active route, you will need to account for asymmetric routing. Depending on the ASA version you are running, you can do this either by placing the interfaces in traffic zones (version 9.3.2 or higher) or by TCP bypass. If you are not running a version higher than 9.3.2, then I suggest upgrading and implementing traffic zones, as using TCP bypass can cause security risks.

sla monitor 123
  type echo protocol ipIcmpEcho 4.2.2.2 interface outside
sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

route outside1 0.0.0.0 0.0.0.0 10.0.0.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 11.0.0.1 254

zone outside

interface gig0/1
  description to ISP1
  zone-member outside

interface gig0/2
  description to ISP2
  zone-member outside

--

Please remember to select a correct answer and rate helpful posts
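The snippet above ties three things together: an SLA probe, a track object, and a tracked primary default route, plus both outside interfaces in one zone so return traffic arriving on the non-preferred ISP is not dropped as asymmetric. Because a dangling reference in any one of those pieces silently defeats the failover, the following added example (not from the thread or from Cisco) is a small lint that parses an ASA-style config and reports missing links between them. The sample config is constructed from the post's snippet; the `nameif` lines and pointing the SLA probe at `outside1` are assumptions added so that route interface names can be tied to physical interfaces and zones.

```python
import re

# Constructed sample config modelled on the failover snippet in the thread. The
# nameif lines and the SLA probe's "interface outside1" are assumptions so the
# route interface names can be matched to physical interfaces and their zone.
SAMPLE_CONFIG = """
sla monitor 123
  type echo protocol ipIcmpEcho 4.2.2.2 interface outside1
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside1 0.0.0.0 0.0.0.0 10.0.0.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 11.0.0.1 254
zone outside
interface GigabitEthernet0/1
  description to ISP1
  nameif outside1
  zone-member outside
interface GigabitEthernet0/2
  description to ISP2
  nameif outside2
  zone-member outside
"""

# Same config with two mistakes introduced on purpose: the primary default route
# is not tracked, and the ISP2 interface was left out of the zone.
BROKEN_CONFIG = (SAMPLE_CONFIG
                 .replace("10.0.0.2 1 track 1", "10.0.0.2 1")
                 .replace("nameif outside2\n  zone-member outside", "nameif outside2"))


def parse(config):
    """Extract only what the checks need: SLA ids, track->SLA, default routes, nameif->zone."""
    slas, tracks, routes, zone_of = set(), {}, [], {}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"sla monitor (\d+)$", line):
            slas.add(int(m.group(1)))
        elif m := re.match(r"track (\d+) rtr (\d+) reachability", line):
            tracks[int(m.group(1))] = int(m.group(2))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+) (\d+)(?: track (\d+))?$", line):
            if m.group(2) == "0.0.0.0" and m.group(3) == "0.0.0.0":   # default routes only
                routes.append({"iface": m.group(1), "metric": int(m.group(5)),
                               "track": int(m.group(6)) if m.group(6) else None})
        elif line.startswith("interface "):
            nameif = None                      # new interface block; nameif not yet seen
        elif m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
            zone_of.setdefault(nameif, None)
        elif m := re.match(r"zone-member (\S+)", line):
            if nameif:
                zone_of[nameif] = m.group(1)
    return slas, tracks, routes, zone_of


def lint(config):
    """Return a list of findings; an empty list means the failover pieces line up."""
    slas, tracks, routes, zone_of = parse(config)
    findings = []
    for t, sla in tracks.items():
        if sla not in slas:
            findings.append(f"track {t} references undefined sla monitor {sla}")
    for r in routes:
        if r["track"] is not None and r["track"] not in tracks:
            findings.append(f"default route via {r['iface']} references undefined track {r['track']}")
    if len(routes) > 1:
        primary = min(routes, key=lambda r: r["metric"])
        if primary["track"] is None:
            findings.append(f"primary default route via {primary['iface']} is not tracked, "
                            "so the backup route will never be installed")
        zones = {zone_of.get(r["iface"]) for r in routes}
        if None in zones or len(zones) != 1:
            findings.append("default-route interfaces are not all in one traffic zone, "
                            "so asymmetric return traffic is not accounted for: "
                            + ", ".join(f"{r['iface']}={zone_of.get(r['iface'])}" for r in routes))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, lint(cfg) or "OK")
```

Run against the sample it reports nothing; against the broken copy it flags the untracked primary route and the interface missing from the zone. The checks are deliberately structural (references resolve, both default-route interfaces share a zone); whether the probe target and the zone choice are right for a given network is still a design decision.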
