configuring secondary OWA access

dbasterash
Level 1

I have been asked if I can set up my ASA5510 to allow for access to a secondary Exchange server for Outlook Web Access, so that if the first server went down it would automatically send mail and OWA to the new server. Although the domain name of the server stays the same, the server is at our co-location and has a different IP address.


Kureli Sankar
Cisco Employee

I do not understand the reasoning behind

static (outside,inside) inside_1 outside_1 netmask 255.255.255.255

static (outside,inside) inside_2 outside_2 netmask 255.255.255.255

What are these two for?

The MX records won't come into the picture if the Exchange server and the OWA are running on two different IP addresses. If there is going to be a second Exchange server in the new location, then we need a new MX record.

They just want to add a second OWA server.

If they have another available public IP address we can easily map that to a static 1-1

static (i,o) x.x.x.x 10.11.12.77

and allow permission on the outside ACL to allow 443 to this x.x.x.x from the internet.

I can't think of a way to make this automatic when 192.168.1.77 fails for 10.11.12.77 to automatically kick in.

They can maybe add a new "A" record for this one, like webmail-bak.domainname.org, and have the users go to this if webmail.domainname.org fails to load.

I was just thinking along the lines of a static one-to-one NAT both ways, so when the mail is sent outbound it is identified by its IP rather than the default global PAT address of all the other internal users. That way, for mail source validation purposes to a smarthost or other e-mail servers, in case of SPF checks it shows up the same as the MX record.

Those destination NATs may not be used at all (static (o,i)).

All inside hosts would be configured to send e-mail via Outlook to the Exchange server, and then the Exchange server will use the static (i,o) or nat/global and send it out to the internet.

jj27
Spotlight

I'm assuming you mean it has a different internal IP address? If you have proper routing between the main site and your co-location, you should be able to assign another static IP to the secondary server and route through the WAN, or however your sites are connected, to accept requests and send them back through.

You would need secondary MX records for the backup server and some sort of DNS redundancy setup too so if the main server/connection goes down it will fail over.

Thank you for the reply, but I am a little confused. Yes, it has a different internal IP address and they are both inside our network. Let me try and explain the scenario.

A user connects from home by going to https://webmail.domainname.org. The firewall performs PAT and sends the request to the Exchange server and everything is fine. Then the primary Exchange server (192.168.1.77) goes down; the secondary notices it and brings up its services (10.11.12.77). The internal clients are fine because they are connecting to pheonix.domainname.org and are automatically sent to the new server. But since I cannot, or at least I think you cannot, have more than one PAT statement per public IP and port, how do I redirect them?

Are you suggesting that externally I have 2 MX records and 2 public IPs? Then I have two PAT statements? I am sorry if my terminology is a bit off; I am pretty new to firewalling.

A global PAT is only used to NAT internal users to the internet. If you use static NAT, both inbound and outbound relationships, for two different IPs and point them to two different internal servers, and set up a secondary MX record, you will be fine.

static (inside,outside) outside_1 inside_1 netmask 255.255.255.255

static (outside,inside) inside_1 outside_1 netmask 255.255.255.255

static (inside,outside) outside_2 inside_2 netmask 255.255.255.255

static (outside,inside) inside_2 outside_2 netmask 255.255.255.255
