06-07-2012 06:24 PM - edited 03-11-2019 04:16 PM
Hey, folks
We have a hosted data center environment. We use dual ASA 5510s for the connection going out to the Internet. On the internal side of the ASA 5510, we use unique VLANs to identify different hosted customers and also isolate traffic among them. Recently we ran into an issue where one customer cannot email another customer whose email servers both reside in our hosted environment. For example,
Customer A's email server is configured with 10.10.1.1, with the public IP mapped on the ASA 5510 as 23.24.25.26. Customer B's email server is configured with 192.168.2.1, with the public IP mapped on the same ASA 5510 as 23.24.25.28. When customer A sends email to customer B, the traffic gets blocked, which is expected on the ASA. Now we are trying to keep proper security while somehow allowing the 2 customers to exchange email.
We could configure a specific ACL to do the job, but it will not be manageable if 50 customers need to email another 50 customers in the same environment...
Please advise.
/S
06-08-2012 04:29 AM
Are both customers residing in the inside zone of the ASA box, with sub-interfaces created on the ASA?
06-08-2012 04:38 AM
That is correct. That is, I guess, the main reason I am searching for an alternative way to allow certain communication while maintaining the setup.
06-14-2012 06:59 AM
Still waiting for suggestions...
BTW, do other big hosting environments use a single routing/firewall instance for each customer?
07-28-2012 07:23 PM
Hi Bro
To resolve your issue, you'll need to configure Cisco DNS Doctoring. This will work like a charm.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
In most enterprise deployments that host hundreds of tenants, they would normally use a Cisco FWSM running in multi-context mode. This means one virtual FW per customer. On the switching side, the Cisco Nexus 7K is used instead.
P/S: if you think this comment is useful, please do rate them nicely :-)
07-29-2012 07:46 AM
Thanks for the suggestion. But multi-context on the ASA will not be applicable for us. IPsec VPNs are used between the data center and customers.
Plus, we prefer not to configure ACL/NAT rules to accomplish this. What if 10 or 20 customers need this setup? We just don't want to lose configuration control.
We are considering the email relay server or CSR1000v.
If you have any other suggestions, please post.
Sent from Cisco Technical Support iPad App
07-29-2012 07:22 AM
Hi Shuai Yu,
You can enable hairpinning to make this work.
Please refer to the document below as well, along with the DNS doctoring concept which ramraj suggested. Here you are doing it within the sub-interfaces. Both are almost similar in concept.
You have to create NAT rules in such a way as to achieve this.
http://ckdake.com/content/2009/hairpinning-with-a-cisco-asa.html
!
Please do rate if the given information helps.
by
Karthik
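The two replies above (DNS doctoring, and hairpin/NAT rules between the sub-interfaces) can be combined into one ASA configuration. The fragment below is an added example written for this thread, not configuration from the original poster or from either linked Cisco document. It uses the addresses from the question (10.10.1.1 / 23.24.25.26 and 192.168.2.1 / 23.24.25.28) and assumes ASA software 8.3 or later (object NAT and manual NAT syntax), two inside sub-interfaces named custA and custB at security-level 100, and an outside interface named outside; the interface numbers, VLAN IDs, gateway addresses and object names are placeholders chosen for the example.

```cisco
! Assumed sub-interfaces (names, VLAN IDs and gateway IPs are example values)
interface Ethernet0/1.10
 vlan 10
 nameif custA
 security-level 100
 ip address 10.10.1.254 255.255.255.0
interface Ethernet0/1.20
 vlan 20
 nameif custB
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
! Two interfaces at the same security level drop each other's traffic until this is set.
! Note: this alone opens every tenant to every other tenant; the ACL at the end restores isolation.
same-security-traffic permit inter-interface
!
object network CustA_mail
 host 10.10.1.1
object network CustA_mail_public
 host 23.24.25.26
object network CustB_mail
 host 192.168.2.1
object network CustB_mail_public
 host 23.24.25.28
!
! Static NAT to the Internet, as the poster already has. The "dns" keyword enables the
! DNS doctoring from the first reply: an A record carrying the mapped address in a DNS
! reply that crosses the ASA is rewritten to the real address (requires DNS inspection,
! which is on in the default global policy).
object network CustA_mail
 nat (custA,outside) static 23.24.25.26 dns
object network CustB_mail
 nat (custB,outside) static 23.24.25.28 dns
!
! Manual (twice) NAT for the hairpin case: when custA sends to custB's public address,
! translate only the destination to the real server, so the flow is switched between
! the two sub-interfaces instead of being routed toward "outside" and dropped.
! Manual NAT is evaluated before object NAT, so these win over the Internet rules.
nat (custA,custB) source static any any destination static CustB_mail_public CustB_mail
nat (custB,custA) source static any any destination static CustA_mail_public CustA_mail
!
! Tenant isolation. From 8.3 on, ACLs match the real (untranslated) address, so the
! destination here is 192.168.2.1, not 23.24.25.28. Only SMTP between the two mail
! servers is allowed across the pair; everything else toward custB is denied, and
! the tenant keeps its normal Internet access.
access-list CUSTA_IN extended permit tcp host 10.10.1.1 host 192.168.2.1 eq smtp
access-list CUSTA_IN extended deny ip any 192.168.2.0 255.255.255.0
access-list CUSTA_IN extended permit ip any any
access-group CUSTA_IN in interface custA
!
access-list CUSTB_IN extended permit tcp host 192.168.2.1 host 10.10.1.1 eq smtp
access-list CUSTB_IN extended deny ip any 10.10.1.0 255.255.255.0
access-list CUSTB_IN extended permit ip any any
access-group CUSTB_IN in interface custB
```

The manual NAT pair is what makes the mail flow work even when customer A's DNS lookup returns the public address 23.24.25.28; the `dns` keyword is the alternative from the first reply and is harmless to keep alongside it. The per-pair rules are also the scaling problem the poster raised: each customer pair adds two NAT lines and two ACL entries. One way to flatten the NAT side (an option to verify in the lab, not something the thread confirms) is a single manual NAT rule using `(any,any)` with two same-sized object-groups, one listing every tenant's public mail address and one listing the matching real addresses, since static manual NAT maps the groups one-to-one; the ACL entries still have to exist per pair if inter-tenant traffic is to stay restricted to SMTP between mail servers.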