01-22-2009 01:26 PM - edited 03-11-2019 07:40 AM
Hello, I have an ASA5510 (8.04). I have configured it so my primary T1 and my backup DSL run into the device. The ASA monitors a router in my primary ISP's network and fails over to the backup DSL when the primary monitored host is not reachable. That part works great. When it fails over, I can continue surfing the internet via the backup DSL, etc. My static NATs are bypassed and all devices (even those with the defined statics) go out the backup ISP via PAT on the backup interface.
My question is this. I have an exchange server behind the firewall. Is there a way that I can open port 25 from the outside and forward that to my internal exchange server when the firewall has switched over to the backup ISP?
01-22-2009 01:57 PM
Hi,
"My question is this. I have an exchange server behind the firewall. Is there a way that I can open port 25 from the outside and forward that to my internal exchange server when the firewall has switched over to the backup ISP?"
This type of redundancy scenario could be achieved using BGP peering with your ISPs (this needs a bit of design). In your particular scenario, I suggest creating another static for your exchange server using the backup interface, i.e.
static (inside,backup) tcp interface 25 X.X.X.X 25 netmask 255.255.255.255
where X.X.X.X is the real IP of the exchange server
You would also need to allow access for port TCP/25 on the access-list applied to the backup interface, i.e.
access-list Backup-In permit tcp any host Y.Y.Y.Y eq 25
where Y.Y.Y.Y is the public IP of your backup interface
access-group Backup-In in interface backup
NOTE: instead of the 'interface' parameter you could use a routable IP address as provided by your DSL provider.
You could then publish another MX record with lower preference for your domain using the public address (as provided by your DSL provider). So when the primary link goes down, the exchange server should still be reachable by the secondary IP address.
I hope it helps .. please rate helpful posts
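The following is an added, complete ASA 8.0-style configuration fragment that ties the pieces above together (route tracking, the static PAT entries on both ISP interfaces, and the matching inbound ACLs). It is not from the original posts; every address (203.0.113.x for the T1 side, 198.51.100.x for the DSL side, 10.1.1.25 for the Exchange server), the interface names and the SLA/track numbers are placeholders chosen for illustration.

```cisco
! --- Placeholder addresses (assumed, not from the thread) ---
! outside (T1)  : 203.0.113.10/24, next hop 203.0.113.1
! backup (DSL)  : 198.51.100.5/24, next hop 198.51.100.1
! Exchange host : 10.1.1.25 on the inside interface

! Track reachability of the primary ISP router; when it fails,
! the tracked default route is withdrawn and the backup route takes over.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! Outbound PAT for everything else, on whichever interface is active.
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Port-level static for SMTP on the primary interface (dedicated public IP)
static (inside,outside) tcp 203.0.113.10 25 10.1.1.25 25 netmask 255.255.255.255
! Port-level static for SMTP on the backup interface (uses the interface IP).
! Two statics to the same inside host are fine because they are on
! different outside-facing interfaces.
static (inside,backup) tcp interface 25 10.1.1.25 25 netmask 255.255.255.255

! Inbound ACLs: permit only TCP/25 to the published address on each interface.
access-list Outside-In extended permit tcp any host 203.0.113.10 eq 25
access-list Backup-In extended permit tcp any host 198.51.100.5 eq 25
access-group Outside-In in interface outside
access-group Backup-In in interface backup
```

With this in place, publish two MX records: one at a lower preference value pointing at the T1 address and one at a higher value pointing at the DSL address. Keeping each inbound ACL limited to eq 25 on the single published host means the failover path does not widen the exposed surface beyond SMTP; checking the output of "show xlate" and "show route" after a simulated failover confirms that the backup static and the backup default route are the ones in use.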
01-22-2009 02:25 PM
Thanks for the quick reply. I was getting caught up in the static part because I was thinking the firewall would not like 2 static xlates to the same internal IP. But, it is 2 different interfaces, so that makes sense. Thanks for the help.