I have 2 ISPs. I just want to implement a mail server behind the ASA. The requirement is that mail traffic will go in and out using ISP2 and all other traffic will go to ISP1. Right now traffic goes well with ISP1. If PBR is not supported with ASA, then is there any workaround? Can anyone help me out? Thanks in advance.

regards,

Munim.

Comments
varrao
Level 10

ASA cannot do load-balancing or PBR, but there can be a workaround for it; you can use this doc for it:

https://supportforums.cisco.com/docs/DOC-13015

Hope that helps.

Thanks,

Varun

Hi Varun,

Many thanks for the reply. That means a router is needed on top of the ASA. So we can't do it using only the ASA?

Can you pls go to the link:

https://supportforums.cisco.com/docs/DOC-15622

and see the below part

    2.  Route traffic based on destination ports:

Is this config tested/verified? Pls review.

regards,

Munim.


varrao
Level 10

Hi Muhammad,

It's just a workaround and not a supported configuration, but I have seen it working and it should not be an issue if your requirement needs this to be done.

Thanks,

Varun

Many thanks for the confirmation. So if I put the mail server on the inside, then the configuration is like:

By adding the configuration below, the ASA can be set up to send mail traffic (SMTP, POP3) out through ISP2 while all other traffic is sent through ISP1 as shown above.

route ISP1 0 0 1.1.1.2 // Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2 // Default route with metric 2 via ISP2
static (ISP2,inside) tcp 0.0.0.0 25 0.0.0.0 25
static (ISP2,inside) tcp 0.0.0.0 110 0.0.0.0 110
sysopt noproxyarp inside // important, otherwise it will cause routing issues as the ASA will start sending proxy-ARPs for all hosts on the inside
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface

=================================================================================

And another solution referencing the doc:

https://supportforums.cisco.com/docs/DOC-8137

If I put the mail server on the DMZ, then the config may look like this:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,backup) 2.2.2.4 172.16.1.2 netmask 255.255.255.255
!
route outside 0.0.0.0 0.0.0.0 1.1.1.3 1
route backup 0.0.0.0 0.0.0.0 2.2.2.2 2

In this case, if the static works, then mail going out and in will work through ISP2. Another thing to add: if inside users access the dmz, then I think it needs:

global (dmz) 1 interface

Pls check and reply. Waiting for your expert solution.

varrao
Level 10

Hi Muhammad,

You are absolutely correct with the configuration; it should work after that.

Thanks,

Varun

Hi Varun,

So both solutions will work, right? If so, I have one query regarding case one:

By adding the configuration below, the ASA can be set up to send mail traffic (SMTP, POP3) out through ISP2 while all other traffic is sent through ISP1 as shown above.

route ISP1 0 0 1.1.1.2 // Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2 // Default route with metric 2 via ISP2
static (ISP2,inside) tcp 0.0.0.0 25 0.0.0.0 25
static (ISP2,inside) tcp 0.0.0.0 110 0.0.0.0 110
sysopt noproxyarp inside // important, otherwise it will cause routing issues as the ASA will start sending proxy-ARPs for all hosts on the inside
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface

Mails are coming in (POP3) through ISP2.

Which way are mails going out from the inside: ISP1 or ISP2?

Thanks,

Munim.

Hi Varun,

Putting the mail server in the DMZ will not work; option 1 fails.

By doing :

route ISP1 0 0 1.1.1.2 // Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2 // Default route with metric 2 via ISP2
static (ISP2,inside) tcp 0.0.0.0 25 0.0.0.0 25
static (ISP2,inside) tcp 0.0.0.0 110 0.0.0.0 110
sysopt noproxyarp inside // important, otherwise it will cause routing issues as the ASA will start sending proxy-ARPs for all hosts on the inside
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface

In this case mail is going out but not coming in. So I port-forward to the inside mail server:

static (inside,isp2) tcp interface smtp 192.168.1.32 smtp netmask 255.255.255.255
static (inside,isp2) tcp interface pop3 192.168.1.32 pop3 netmask 255.255.255.255
static (inside,isp2) tcp interface imap4 192.168.1.32 imap4 netmask 255.255.255.255

It works then, but the ISP2 provider reports that they are seeing huge broadcast traffic from our network and need to disconnect our network.

What's the issue with this?

Thanks

Munim.
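Added verification check, not part of the original thread: with the configuration posted above (mail server 192.168.1.32, interfaces inside/ISP1/ISP2), the ASA's own packet-tracer shows which static and which egress interface each flow actually hits, so "is it tested" can be answered on the box before the ISP notices anything. The external host 203.0.113.10 and the source ports are constructed placeholders, and 2.2.2.1 is assumed to be the ISP2 interface address (taken from the second config's backup interface).

```cisco
! Added example (not from the thread). 192.168.1.32 and the nameifs come from the posts;
! 203.0.113.10 is a constructed external host; 2.2.2.1 is assumed to be the ISP2 address.

! 1. Outbound SMTP from the mail server. The NAT phase should reference
!    "static (ISP2,inside) tcp 0.0.0.0 25 0.0.0.0 25" and the Result block
!    should end with output-interface: ISP2, i.e. the static, not the
!    metric-1 default route, chose the egress interface.
packet-tracer input inside tcp 192.168.1.32 1025 203.0.113.10 25 detailed

! 2. Outbound HTTP from an ordinary inside host. No port 25/110 static
!    matches, so the route lookup decides: output-interface: ISP1.
packet-tracer input inside tcp 192.168.1.50 1026 203.0.113.10 80 detailed

! 3. Inbound SMTP from the Internet to the ISP2 interface address. This should
!    hit "static (inside,isp2) tcp interface smtp 192.168.1.32 smtp", show the
!    destination translated to 192.168.1.32 and end with output-interface: inside.
!    If this trace is dropped, look at the phase that reports the drop reason
!    (commonly the access-list or NAT phase) rather than at the routes.
packet-tracer input ISP2 tcp 203.0.113.10 40000 2.2.2.1 25 detailed

! 4. Confirm the translations, routes and proxy-ARP setting the traces relied on.
show xlate
show route
show running-config sysopt
```

Run the three traces again after every change to the statics; a trace whose Result shows the unexpected interface tells you exactly which phase overrode the route lookup.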
