Backup ISP with ASA5510 and Natting when on the failover ISP

Unanswered Question
Jan 22nd, 2009

Hello, I have an ASA5510 (8.04). I have configured it so my primary T1 and my backup DSL run into the device. The ASA monitors a router in my primary ISPs network and fails over to the backup DSL when the primary monitored host is not reachable. That part works great. When it fails over, I can continue surfing the internet via the backup DSL, etc. My static NATs are bypassed and all devices (even those with the defined statics) go out the backup ISP via PAT on the backup interface.

My question is this. I have an exchange server behind the firewall. Is there a way that I can open port 25 from the outside and forward that to my internal exchange server when the firewall has switched over to the backup ISP?

Fernando_Meza Thu, 01/22/2009 - 13:57

Hi,

"My question is this. I have an exchange server behind the firewall. Is there a way that I can open port 25 from the outside and forward that to my internal exchange server when the firewall has switched over to the backup ISP?"

This type of redundancy scenario could be achieved using BGP peering with your ISPs (this needs a bit of design). In your particular scenario .. I suggest to create another static for your exchange server using the backup interface, i.e.

static (inside,backup) tcp interface 25 X.X.X.X 25 netmask 255.255.255.255

where X.X.X.X is the real IP of the exchange server

you would also need to allow access for port TCP/25 on the access-list applied to the backup interface, i.e.

access-list Backup-In permit tcp any host Y.Y.Y.Y eq 25

where Y.Y.Y.Y is the public IP of your backup interface

access-group Backup-In in interface backup

NOTE: instead of the 'interface' parameter you could use a routable IP address as provided by your DSL provider instead.

You could then publish another MX record with lower preference for your domain using the public address (as provided by your DSL provider). So when the primary link goes down, the exchange server should still be reachable by the secondary IP address ..

I hope it helps .. please rate helpful posts

joneschw1 Thu, 01/22/2009 - 14:25

Thanks for the quick reply. I was getting caught up in the static part because I was thinking the firewall would not like 2 static xlates to the same internal IP. But, it is 2 different interfaces, so that makes sense. Thanks for the help.
