Suggestion is needed

SIMMN
Spotlight

Hey, folks

We have a hosted data center environment. We use dual ASA 5510s for the connection going out to the Internet. On the internal side of the ASA 5510, we use unique VLANs to identify different hosted customers and also isolate traffic among them. Recently we ran into an issue where one customer cannot email another customer whose email servers are both residing in our hosted environment. For example,

Customer A's email server is configured with 10.10.1.1, with a public IP mapped on the ASA 5510 as 23.24.25.26. Customer B's email server is configured with 192.168.2.1, with a public IP mapped on the same ASA 5510 as 23.24.25.28. When customer A sends email to customer B, the traffic gets blocked, which is expected on the ASA. Now we are trying to keep the proper security while somehow allowing the two customers to communicate by email.

We could configure a specific ACL to do the job, but it will not be manageable if there are 50 customers who need to email another 50 customers in the same environment...

Please advise.

/S

6 Replies

nkarthikeyan
Level 7

Both the customers reside in the inside zone of the ASA box, by having subinterfaces created on the ASA?

That is correct. That is, I guess, the main reason I am searching for an alternative way to allow certain communication while maintaining the setup.

SIMMN
Spotlight

Still waiting for suggestions...

BTW, do other big hosting environments use a single routing/firewall instance for each customer?

Hi Bro

To resolve your issue, you'll need to configure Cisco DNS Doctoring. This will work like a charm.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

In most enterprise deployments that host hundreds of tenants, they would normally use Cisco FWSM running in multi-context mode. This means one virtual FW per customer. On the switching side, Cisco Nexus 7K is used instead.

P/S: if you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

Thanks for the suggestion. But multi-context on the ASA will not be applicable for us. IPSec VPNs are used between the data center and customers.

Plus, we prefer not to configure ACL/NAT rules to accomplish this. What if there are 10 or 20 customers that need this setup? We just don't want to lose configuration control.

We are considering the email relay server or CSR1000v.

If you have any other suggestion, please post.

nkarthikeyan
Level 7

Hi Shuai Yu,

You can enable hairpinning to make this work.

Please refer to the document below as well, along with the DNS doctoring concept which Ramraj has suggested. Here you are doing it within the subinterfaces. Both are almost similar in concept.

You have to create NAT rules in such a way as to achieve this.

http://ckdake.com/content/2009/hairpinning-with-a-cisco-asa.html


Please do rate if the given information helps.

by

Karthik
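The DNS doctoring and inter-subinterface NAT that the two replies above describe, as an added configuration example for the poster's two mail servers (not taken from the thread or from the linked documents). It assumes ASA 8.3+ NAT syntax and hypothetical subinterface names custA, custB and outside; the ACL names are likewise made up.

```cisco
! Added example, not from the thread. Assumes ASA 8.3+ NAT syntax and
! the hypothetical subinterface names custA, custB and outside.
object network CustA-Mail-Real
 host 10.10.1.1
object network CustA-Mail-Pub
 host 23.24.25.26
object network CustB-Mail-Real
 host 192.168.2.1
object network CustB-Mail-Pub
 host 23.24.25.28
!
! Existing static NAT to the Internet, with the dns keyword added (DNS
! doctoring): when a DNS A-record reply for 23.24.25.28 crosses the ASA
! on its way to customer A, the ASA rewrites it to 192.168.2.1, so A's
! mail server opens SMTP to B's real address across custA -> custB
! instead of trying to reach the public IP via the outside interface.
object network CustA-Mail-Real
 nat (custA,outside) static CustA-Mail-Pub dns
object network CustB-Mail-Real
 nat (custB,outside) static CustB-Mail-Pub dns
!
! Alternative for tenants whose resolvers do not send queries through
! the ASA (internal DNS, cached records): translate B's public address
! to its real one between the two subinterfaces, and present A under
! its public address so neither tenant learns the other's private range.
nat (custA,custB) source static CustA-Mail-Real CustA-Mail-Pub destination static CustB-Mail-Pub CustB-Mail-Real
!
! Least privilege: permit only SMTP between the two mail servers, keep
! the rest of B's range closed, then continue with the existing
! Internet-bound policy. On 8.3+ the ACL matches real (untranslated)
! addresses, hence CustB-Mail-Real rather than the public object.
access-list custA_in extended permit tcp object CustA-Mail-Real object CustB-Mail-Real eq smtp
access-list custA_in extended deny ip any 192.168.2.0 255.255.255.0
access-list custA_in extended permit ip any any
access-group custA_in in interface custA
```

The `dns` keyword only helps when the DNS reply itself passes through the ASA; use `show xlate` and `packet-tracer input custA tcp 10.10.1.1 1025 23.24.25.28 25` to confirm which path a given tenant's mail actually takes before relying on either rule.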
