In order to protect your mail server from accepting spams or malicious emails directly from Internet (since spammers will send spams to your mail host as long as it is accepting emails (open to port 25), no matter whether you publish its' public IP address in MX record or not), you should either configure your firewall to redirect inbound port 25 traffic for mx1.abc.com to IronPort private IP address, or configure mx2.abc.com (IronPort) as your primary MX instead. Your mail host should only accept incoming SMTP connections from IronPort.
Please note that you cannot configure IP addresses on same network range on two different physical interfaces on IronPort (i.e. 10.1.1.1/24 on interface 1 and 10.1.1.2/24 on interface 2). If you want to have separate IP addresses for accepting incoming and outgoing email traffic, you can configure two IP addresses on same physical interface (we call virtual gateway).
You can choose to use one IP address for both incoming and outgoing traffic (system setup wizard will guide you through - just click both "Accept mail on this interface" and "Relay mail on this interface" checkboxes, page 3-62 of ESA 7.0.1 Configuration Guide).
Please note that you should add your mail server's private IP address (instead of hostname) in "Relay Outgoing Mail" list or RELAYLIST on corresponding listener since your mail hostname is likely to resolve as public IP address by DNS server configured on IronPort.
If both your mail host and IronPort are on a private IP network segment behind firewall, your outgoing emails will be sent from mail host to IronPort (as smarthost) and IronPort will only see the connection from private IP address of your mail host.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :