Setting up a new system, what are the pros and cons of putting the Ironport behind a firewall?
In the past I have set them up "in series" with the firewall and never had an issue. By "in series" I mean one Ethernet interface is numbered with a routable (public) IP address and the other with a non-routable (private) IP address. The world talks directly to the Ironport on port 25; traffic goes through the Ironport, is filtered, and goes on to our Exchange server out the private interface, so it does not go through the corporate firewall. The inbound mail listener is configured on the public interface.
Any thoughts or advice would be appreciated.
FYI, Ironport support claims that both setups (in front of or behind a firewall) are valid.
If you disable all (management) protocols on your public interface, that interface will not listen on anything other than the configured listeners on that interface. I think you would be pretty safe with this setup, but I personally prefer to have a firewall between the Ironport and the Internet. Since only incoming SMTP traffic is important for your Ironport, the firewall configuration is rather simple. (Outgoing traffic is also not hard to configure: you need SMTP, DNS and HTTP(S) to the specific websites noted in the AsyncOS help file (search for "firewall").) Keeping a firewall in between (most likely) prevents you from being hacked when there is a bug on your Ironport system.
While I've run a test IronPort out in the wild and unprotected for a few years now, I always put the IronPort behind a firewall for my customers. The IronPort "firmware" is pretty well stripped down and hardened, but it never hurts to have an added layer of protection to protect yourself from misconfiguration on the IronPort or an unknown vulnerability.
Just make sure you disable any sort of protocol fixups on your firewall (i.e. PIX/ASA).
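As an added illustration of the advice in the replies above (not configuration from the original thread or from Cisco), here is an ASA-style fragment for the "behind the firewall" layout: only SMTP is allowed in to the appliance, only the outbound services the replies list are allowed out, and the default ESMTP inspection ("fixup") is switched off. The addresses, object names and ACL names are constructed for the example.

```cisco
! Constructed example: ESA has private 10.0.0.10, published as 203.0.113.10
object network ESA_PRIVATE
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10

! Inbound from the Internet: SMTP to the appliance only; everything else denied and logged,
! so management protocols on the appliance are never reachable from outside
access-list OUTSIDE_IN extended permit tcp any object ESA_PRIVATE eq smtp
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Outbound from the appliance: SMTP, DNS, and HTTP/HTTPS for updates (restrict the
! destinations to the hosts the AsyncOS help file lists if you want to be strict)
access-list INSIDE_OUT extended permit tcp object ESA_PRIVATE any eq smtp
access-list INSIDE_OUT extended permit udp object ESA_PRIVATE any eq domain
access-list INSIDE_OUT extended permit tcp object ESA_PRIVATE any eq www
access-list INSIDE_OUT extended permit tcp object ESA_PRIVATE any eq https
access-list INSIDE_OUT extended deny ip object ESA_PRIVATE any log
access-group INSIDE_OUT in interface inside

! Weak default: "inspect esmtp" in global_policy rewrites/blocks SMTP commands (the "fixup").
! Corrected: remove it so the appliance sees the unmodified SMTP session.
policy-map global_policy
 class inspection_default
  no inspect esmtp
service-policy global_policy global
```

After applying, confirm with "show service-policy" that esmtp is no longer listed under inspection_default.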