02-27-2008 07:30 AM - modified 02-21-2020 01:55 AM
I need some help with a setup for email.
Setup
I have a PIX525 and an ASA5510VPN and an internal 2950 router. The PIX does firewalling and the ASA does VPN. Currently all outbound Internet traffic goes through the PIX via the router with this command:
ip route 0.0.0.0 0.0.0.0 10.1.1.2 1
The ASA5510 with its dedicated external IP is used to allow VPN traffic in.
The problem:
I have two separate domain names and two MX records. One (mail.PIX.com) is pointed at the external IP of the PIX, the other (mail.ASAVPN.com) is pointed at the ASA5510. I can receive inbound mail through both of the devices. I'd like mail to go out using both domains, one through the PIX and the other through the ASA. The problem is the router says all unknown traffic goes to the PIX.
How do I route mail from a host (10.1.1.5) to the ASA5510 (10.1.1.4), while sending the mail from host (10.1.1.3) to the PIX (10.1.1.2)?
on 02-28-2008 03:09 AM
You need to implement Policy Based Routing (PBR). There is a differing Next Hops example in the document
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr.html
Just one thing, the 2950 is a Layer2 switch, not a router, you will need a PBR capable device as your gateway for this to work.
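As an added illustration of the "differing next hops" PBR approach recommended above (this is example configuration written for this thread, not the poster's or Cisco's own), the route-map below sends SMTP from 10.1.1.5 to the ASA inside address 10.1.1.4 and SMTP from 10.1.1.3 to the PIX inside address 10.1.1.2, using the addresses given in the question. The interface name FastEthernet0/0 and the ACL numbers are assumptions; the policy would go on whichever PBR-capable device is the LAN gateway (10.1.1.254), not on the 2950 switch.

```cisco
! ACL 101: outbound SMTP from the host that should leave via the ASA (10.1.1.4)
access-list 101 permit tcp host 10.1.1.5 any eq smtp
! ACL 102: outbound SMTP from the host that should leave via the PIX (10.1.1.2)
access-list 102 permit tcp host 10.1.1.3 any eq smtp
!
! Route-map with two clauses, one per next hop
route-map MAIL-PBR permit 10
 match ip address 101
 set ip next-hop 10.1.1.4
!
route-map MAIL-PBR permit 20
 match ip address 102
 set ip next-hop 10.1.1.2
!
! Apply the policy on the LAN-facing interface (name assumed) where the
! mail hosts' traffic enters the gateway
interface FastEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 ip policy route-map MAIL-PBR
```

The ACLs here are match criteria for the route-map, not packet filters: traffic that matches neither clause is not dropped but falls through to the normal routing table (the existing default route to 10.1.1.2), and traffic matching a clause is redirected only if the set next hop is directly connected, which both 10.1.1.4 and 10.1.1.2 are on this subnet. After applying it, `show route-map MAIL-PBR` shows per-clause policy-routing match counters, which is the quickest way to confirm that each host's SMTP is hitting the intended clause.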
on 02-29-2008 06:05 AM
I set up PBR but it killed my routes to my WAN sites. I'm wondering if it had anything to do with putting the ACL on the Ethernet interface of the LAN. Once I use an ACL, doesn't it by default block all other traffic not specified by the ACL(s)?
on 02-28-2008 04:12 PM
Why don't you just set the default gateway of 10.1.1.5 to the ASA and have 10.1.1.3 use the PIX as its default gateway?
Problem solved.
Chris
on 02-29-2008 06:45 AM
That's currently how it's set up. However, my VPN users need access to the network; the inside address (10.1.1.4) of the VPN is routed to this router (10.1.1.254), and all of these devices are on the same subnet. When I send a message from 10.1.1.5, which by the way is running Postfix, with the default gateway set to 10.1.1.4, the header indicates that it came from mail.everfast.com (xxx.xxx.xxx.83 or 10.1.1.3) when it should have come from mail.calicocorners.com (xxx.xxx.xxx.94 or 10.1.1.4).
on 02-29-2008 08:53 AM
I am not following something here. If your gateway for 10.1.1.5 is truly set to the ASA and the ASA has the NAT rule on the outside for the 10.1.1.5 address, there should be no issue. It sounds like you are sending your traffic back out the PIX interface. If your gateway is the 10.1.1.254 address, the router will send the traffic to the PIX or redirect you to do so with an ICMP redirect.
Just the simple fact that it's coming out with the wrong external address leads me to believe that that is the issue.
Any configs/route tables on the servers and firewalls would help.