01-26-2017 09:37 PM - edited 03-12-2019 01:50 AM
Dear All,
My need for our mail server is as below:
Able to send and receive emails to and from outside internet domains using two public IP addresses, one from
ISP1 and one from ISP2. Our DNS records for ourdomain.com are on ISP1's and ISP2's name servers, both with MX records of the same priority value, 10.
Scenario:
If the ISP1 link fails, email relaying and sending for ourdomain.com will be able to continue over the ISP2 link.
Since we have two MX 10 records, is the ISP2 link going to receive emails even while the ISP1 link keeps running?
We would appreciate your config examples and advice.
Thanks
Mesut
01-27-2017 03:32 AM
I am not an expert on DNS, but the advice below is based on networking experience:
How is the design actually laid out? Where are the ISPs terminating, and are these two ISPs active at the same time or one at a time? Please confirm the physical setup.
Also, please confirm whether the DNS reply containing the MX record values has both entries if you do a DNS lookup from either ISP, or just the one MX record corresponding to that ISP.
Ideally, if the MX priority values are the same, I would expect traffic to be load balanced, but that depends on where that (SMTP) traffic goes (which ISP), which in turn depends on your physical setup.
HTH
-
AJ
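The "load balanced" expectation above follows from how a sending MTA uses MX records (RFC 5321, section 5.1): records are tried in ascending preference order, and records with the same preference are tried in random order, moving on to the next only when a connection fails. The script below is an added example, not part of the thread, that simulates that selection for the poster's two equal-preference MX hosts; the hostnames and the two public addresses are hypothetical.

```python
import random
from collections import Counter

# Constructed MX set mirroring the thread: two hosts at equal preference 10,
# one reachable through each ISP. Hostnames and addresses are hypothetical.
MX_RECORDS = [
    (10, "mx1.ourdomain.example", "95.95.95.10"),  # public address on the ISP1 block
    (10, "mx2.ourdomain.example", "75.75.75.10"),  # public address on the ISP2 block
]

def order_mx(records, rng):
    """Order MX records the way an RFC 5321 sending MTA does: ascending
    preference value, with records of equal preference in random order."""
    by_pref = {}
    for rec in records:
        by_pref.setdefault(rec[0], []).append(rec)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)  # equal preference: random choice, no fixed favourite
        ordered.extend(group)
    return ordered

def deliver(records, reachable, rng):
    """One delivery attempt: walk the ordered MX list and return the address
    that accepted the connection, or None when every MX host was unreachable
    (a real sender would then queue the message and retry later)."""
    for _, _, addr in order_mx(records, rng):
        if addr in reachable:
            return addr
    return None

def distribution(records, reachable, trials=1000, seed=1):
    """Count which address received the message across many independent senders."""
    rng = random.Random(seed)
    return Counter(deliver(records, reachable, rng) for _ in range(trials))

if __name__ == "__main__":
    both = {"95.95.95.10", "75.75.75.10"}
    print("both links up:", distribution(MX_RECORDS, both))
    print("ISP1 down:    ", distribution(MX_RECORDS, {"75.75.75.10"}))
    print("both down:    ", distribution(MX_RECORDS, set()))
```

With both links up, roughly half of the senders land on each ISP address, so the ISP2 link receives mail even while ISP1 is healthy. When ISP1 is down, every sender ends up on the ISP2 address, but only after the senders that picked the dead address first have waited out a connection timeout; the MX records themselves do not tell senders that a link is down.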
01-27-2017 09:13 AM
Thanks AJ for your reply.
Our physical setup: ASA 5512-X; outside0: ISP1; outside1: ISP2; inside: mail server
Example IPs:
outside0: 95.95.95.1/28, active
outside1: 75.75.75.1/28, active at the same time; same MX 10 records
inside: 192.168.1.1/24
MailServer: 192.168.1.10/24
No local network, no locally connected clients. All clients are remote clients outside, using IMAP connections.
Please advise. Thanks
Mesut
01-27-2017 11:08 AM
OK, so can I assume that this query is all about inbound access needed by outside-located clients to the internal Exchange server using the IMAP protocol? Or maybe IMAP over SSL?
Please confirm.
-
AJ
01-27-2017 12:39 PM
So, this is my understanding of your setup; please correct me if I am wrong somewhere:
ISP1 - default gateway with preferred route towards the internet
ISP2 - default gateway with less preferred route towards the internet
In this case, inbound traffic should work for both ISPs since reply traffic will follow the same path back as it came in.
Now, as per your scenario, let's say ISP1 fails and ISP2 is handling incoming traffic for both MX records. Now, when ISP1 comes back up, if the inbound traffic arrives on ISP1, it will work.
It all depends on how quickly ISP1 can punt the traffic for ISP1 towards ISP1. The ASA has a limited role to play there since it is the recipient.
It depends on the ISP what criteria they have to identify when ISP1 is active or down. This looks like a routing question that should be pointed to the ISP.
Let me know if I missed something or there are additional questions.
01-27-2017 12:01 PM
(quoting AJ's 11:08 AM question above)
Yes, AJ, it is only IMAP connections.
01-27-2017 09:48 PM
Hello AJ,
(quoting AJ's 12:39 PM post above)
Hi AJ, you understood everything very well. You are not missing anything. If you have time, could you please try an example setup config? Thanks a lot for your time and advice.
01-31-2017 07:59 AM
Sorry for the delay here. I am having some trouble with support forum notifications. I will search some documents or provide a sample config in a day or two at most.
-
AJ
01-31-2017 08:52 AM
Hi AJ,
Thanks for your kind update. Please take your time; it is not so urgent at the moment.
When you are done with your priority jobs, you are most welcome to provide example configs.
Take care,
Mesut
02-02-2017 12:52 PM
OK, here is the scenario:
inside - LAN segment
outside - ISP1, having the preferred default gateway
outside2 - ISP2, having the less preferred default gateway
Current IP Addresses:
Interface            Name      IP address        Subnet mask      Method
GigabitEthernet0/0   outside   10.0.99.1         255.255.255.0    manual
GigabitEthernet0/1   inside    192.168.129.222   255.255.255.0    manual
GigabitEthernet0/3   outside2  11.11.11.1        255.255.255.0    manual
ciscoasa(config)# sh run route
route outside 0.0.0.0 0.0.0.0 10.0.99.2 1
route outside2 0.0.0.0 0.0.0.0 11.11.11.254 254
Now, we have one public IP address on each ISP through which the inside email server is reachable. Let's say 10.0.99.10 (ISP1 MX record) and 11.11.11.10 (ISP2 MX record).
Also assume that the inside email server is 192.168.129.10.
Let's apply two NAT statements on each ISP:
object network obj-10.0.99.10
host 10.0.99.10
object network obj-192.168.129.10
host 192.168.129.10
object network obj-11.11.11.10
host 11.11.11.10
nat (inside,outside) source static obj-192.168.129.10 obj-10.0.99.10
nat (inside,outside) source static obj-192.168.129.10 obj-11.11.11.10
nat (inside,outside2) source static obj-192.168.129.10 obj-10.0.99.10
nat (inside,outside2) source static obj-192.168.129.10 obj-11.11.11.10
*** skipped access-lists; need to be applied for the required ports ***
Now, in the normal state (when both ISPs are active), inbound traffic will work fine through either ISP on any IP address.
Let's say ISP1 goes down and ISP2 is active. In this case we would expect traffic to arrive on ISP2. No matter which IP address it comes in on, it will work fine. Let's say that a user on the internet resolved the MX record to IP address 10.0.99.10 (which belongs to ISP1); then the traffic needs to arrive at the ASA via ISP2 (that's something the ISP needs to do), and the ASA will handle it just fine.
Once ISP1 comes back up, inbound will again work based on how users on the internet resolve the MX records and where the traffic lands (which ISP).
Please let me know if there are any questions.
FYI, if you wish to add the ISP failover feature here, even then this should work. I don't see any challenge as far as the ASA is concerned.
-
AJ
02-06-2017 01:09 AM
Hello, dear AJ,
Sorry for my late reply. Many thanks for your example config for my scenario.
I will be able to deploy this config on our running active ASA network at the end of this month when we do a half-day maintenance.
I will post all test results here.
Once again thank you for all your great effort and support.
Best Wishes
Mesut
02-06-2017 02:04 AM
You will also need an SLA tracker to track either the interface or an IP so that the ASA knows when to insert the backup route.
Also, since traffic will be expected on both interfaces even when ISP2 is not the active route, you will need to account for asynchronous routing. Depending on the ASA version you are running, you can do this either by placing the interfaces in traffic zones (version 9.3.2 or higher) or with TCP bypass. If you are not running a version of 9.3.2 or higher, then I suggest upgrading and implementing traffic zones, as using tcp-bypass can cause security risks.
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside1
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside1 0.0.0.0 0.0.0.0 10.0.0.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 11.0.0.1 254
zone outside
interface GigabitEthernet0/1
 description to ISP1
 nameif outside1
 security-level 0
 zone-member outside
interface GigabitEthernet0/2
 description to ISP2
 nameif outside2
 security-level 0
 zone-member outside
--
Please remember to select a correct answer and rate helpful posts
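The two configuration pieces in this thread (AJ's per-ISP static NAT rules and the SLA-tracked default routes plus traffic zone above) have to be present together for the design to hold, and the usual failure modes are a primary route without a tracker, ISP interfaces left out of a common zone (so the ASA drops reply traffic for sessions that arrived on the non-preferred ISP), a TCP state bypass rule used as a shortcut, or a public address that is only translated on one outside interface. The script below is an added example, not posted in the thread, that lints a `show running-config` text for exactly those four conditions. The embedded configuration is constructed from the thread's snippets; the interface names (outside1, outside2), the zone name and the object names are illustrative.

```python
import re

# Constructed ASA configuration assembled from the thread's snippets (show-run
# style, one-space indent for subcommands). Names and addresses are illustrative.
GOOD_CONFIG = """
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 zone-member isp-edge
interface GigabitEthernet0/3
 nameif outside2
 security-level 0
 zone-member isp-edge
interface GigabitEthernet0/1
 nameif inside
 security-level 100
zone isp-edge
object network obj-192.168.129.10
 host 192.168.129.10
object network obj-10.0.99.10
 host 10.0.99.10
object network obj-11.11.11.10
 host 11.11.11.10
nat (inside,outside1) source static obj-192.168.129.10 obj-10.0.99.10
nat (inside,outside1) source static obj-192.168.129.10 obj-11.11.11.10
nat (inside,outside2) source static obj-192.168.129.10 obj-10.0.99.10
nat (inside,outside2) source static obj-192.168.129.10 obj-11.11.11.10
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside1
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside1 0.0.0.0 0.0.0.0 10.0.99.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 11.11.11.254 254
"""

# Default route: "route <nameif> 0.0.0.0 0.0.0.0 <gateway> <metric> [track <n>]"
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)(?: track \d+)?$")
# Twice NAT: "nat (<real_if>,<mapped_if>) source static <real_obj> <mapped_obj> ..."
NAT_RE = re.compile(r"^nat \(\S+,(\S+)\) source static \S+ (\S+)")

def lint_dual_isp(config):
    """Return a list of findings for a dual-ISP ASA config; an empty list is clean."""
    findings = []
    cur_nameif = None
    zone_of = {}         # nameif -> traffic zone (None if not a member)
    default_routes = []  # (nameif, metric, tracked)
    nat_mapped = {}      # outside nameif -> set of mapped objects
    bypass = False
    for raw in config.splitlines():
        s = raw.strip()
        if not s:
            continue
        if s.startswith("interface "):
            cur_nameif = None
        elif s.startswith("nameif "):
            cur_nameif = s.split()[1]
            zone_of.setdefault(cur_nameif, None)
        elif s.startswith("zone-member ") and cur_nameif:
            zone_of[cur_nameif] = s.split()[1]
        elif "tcp-state-bypass" in s:
            bypass = True
        m = ROUTE_RE.match(s)
        if m:
            default_routes.append((m.group(1), int(m.group(2)), " track " in s))
        m = NAT_RE.match(s)
        if m:
            nat_mapped.setdefault(m.group(1), set()).add(m.group(2))

    if len(default_routes) < 2:
        findings.append("fewer than two default routes: no ISP failover possible")
        return findings
    primary = min(default_routes, key=lambda r: r[1])
    if not primary[2]:
        findings.append("primary default route via %s has no 'track': the backup route "
                        "is never installed when that ISP fails" % primary[0])
    outside_ifs = sorted(r[0] for r in default_routes)
    zones = {zone_of.get(i) for i in outside_ifs}
    if None in zones or len(zones) != 1:
        findings.append("ISP interfaces %s are not in one common traffic zone: return "
                        "traffic for sessions that arrived on the non-preferred ISP is "
                        "dropped (asymmetric routing)" % ", ".join(outside_ifs))
    if bypass:
        findings.append("tcp-state-bypass is configured: stateful TCP inspection is "
                        "disabled for the matched traffic; prefer traffic zones")
    all_mapped = set().union(*nat_mapped.values()) if nat_mapped else set()
    for i in outside_ifs:
        for obj in sorted(all_mapped - nat_mapped.get(i, set())):
            findings.append("mapped object %s has no static NAT on %s: mail reaching "
                            "that address via %s is not translated" % (obj, i, i))
    return findings

if __name__ == "__main__":
    for f in lint_dual_isp(GOOD_CONFIG) or ["clean"]:
        print(f)
```

The checks are deliberately narrow: the script parses only the lines the thread relies on and does not replace a full review of the access lists, which both posters left out. Feed it the output of `show running-config` from the device rather than a hand-trimmed excerpt, since a stray `tcp-state-bypass` class under `global_policy` is exactly the kind of leftover it is meant to catch.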