Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4009
Views
0
Helpful
6
Replies

Unable to route mail from SMTP server on same subnet as my management interface.

Go to solution
Jason Meyer
Level 1
Level 1

‎09-18-2013 04:20 PM

I have a couple of IronPort C670s in my environment and have three physical interfaces configured for basically public Internet access, internal private network, and management.  The default gateway for the appliance is on the public internet side, then I have a 10.0.0.0/8 static route to use the internal private network gateway.  I think this is pretty standard in the IronPort world.

I have a client with a server on the same subnet as my management interface and we are unable to get a SMTP conversation going, he is generating e-mail and trying to route it via my appliance.  Talked to my network guys and am told that this is not possible because the IronPort appliance is trying to route the traffic back out my management interface because it is on the same subnet as the destination.  True?

If so, why doesn't it work? 

I tried putting in a static route for the client's server x.x.x.x/32 but still a connection cannot be made.

So far the best idea is to move my management interface to a new subnet.   Any other thoughts?

Appreciate the feedback.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rick Williams
Level 1
Level 1

‎09-19-2013 02:07 AM

Hi,

Your network guys are half-right. The traffic from the sending server should be sending to the IP of your internal private network. The Ironport is indeed trying to send the SMTP response back through the management interface.

In the past I have resolved this by simply adding a route in on the Ironport for the server. Network > Routing and ensure the gateway is the gateway of the internal private network. All should be well after this.

ie if your "internal private network" has the IP of 172.16.1.2/24 and the gateway for the interface is 172.16.1.1. Use the 172.16.1.1 as the gateway.

Server: Server01 Destination: 10.1.1.9 Gateway: 172.16.1.1

Note: You will no longer be able to manage the Ironport Appliance from this server.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Nasir Abbas
Cisco Employee
Cisco Employee

‎09-18-2013 05:30 PM

Hello Jason,

There are three features that control which IP interface will be used for message delivery:

The deliveryconfig CLI command controls primary IP interface for all mail delivery. By default, this is set to "Auto," which will deliver mail based on destination IP subnet. If the destination IP is a local subnet, it will use an IP interface that is on that subnet. If the destination IP is not a local subnet, the messages will be delivered from an IP interface on the same subnet as the default gateway.

The altsrchost table overrides the deliveryconfig setting for specific messages. In this table, you must specify the source IP address or Envelope From to match on and the IP interface to use when the match occurs. This table is configured using the altsrchost CLI command.

The alt-src-host Message Filter action can be used to specify the IP interface for message delivery as an action for your choice of criteria using Message Filter rules. This will override both deliveryconfig and the altsrchost table. Should you choose to set up a filter, reviewing the section titled Message Filters in the AsyncOS Advanced User Guide is highly recommended.

As you can see, there are several options for how to configure the IP address used for message delivery. In order to decide which method to use, you have to determine:

From which IP interface should the majority of your messages be delivered?

Are there any special cases?

For each special case, what is the unique trigger that should be used to set the IP address used for message delivery?

Once you know the answers to these questions, you will know which method or combination of methods is best for your environment. More details on these features can be found in the IronPort User Guides.

Which is the default used IP Address (AUTO) if the there are multiple IP Addresses on the same subnet?

http://tools.cisco.com/squish/5C028

Thanks

Nasir Abbas

0 Helpful

Go to solution
Jason Meyer
Level 1
Level 1
In response to Nasir Abbas

‎09-18-2013 07:49 PM

Will any of this help the IronPort appliance RECEIVE e-mail.  

In this issue I haven't been able to establish a successful SMTP conversation.  I have 20k+ other smtp servers sending me e-mail successfully but none on the same subnet as my MANAGEMENT interface.

Appreciate the volume of information, but I'm not sure it will apply to my issue.

0 Helpful

Go to solution
David Miller
Level 1
Level 1
In response to Jason Meyer

‎09-19-2013 12:38 AM

I am pretty sure the NIC firmware on the ESA does not allow you to have two interfaces on the same subnet. You an define them but one of them won't work.  This is from appendix B of the ESA Config Guide:

"

When you configure the network, the Cisco IronPort appliance must be able to uniquely select an interface to send an outgoing packet. This requirement will drive some of the decisions regarding IP address and netmask selection for the Ethernet interfaces. The rule is that only one interface can be on a single network (as determined through the applications of netmasks to the IP addresses of the interfaces).

0 Helpful

Go to solution
Jason Meyer
Level 1
Level 1
In response to David Miller

‎09-19-2013 07:09 AM

The interfaces on the ESA are all configured to different subnets, the unique challenge with this SMTP server trying to talk SMTP with the ESA is it (the SMTP server) was talking from the same subnet as my management interface.  So the ESA was trying to route the traffic out of my management interface.  Why that didn't work I'm not sure yet, I suspect the ESA will not do SMTP via a MANAGEMENT configured interface.  Rick had me put a more specific route than the existing 10.0.0.0/8 route I already had and it began working.

0 Helpful

Go to solution
Rick Williams
Level 1
Level 1

‎09-19-2013 02:07 AM

Hi,

Your network guys are half-right. The traffic from the sending server should be sending to the IP of your internal private network. The Ironport is indeed trying to send the SMTP response back through the management interface.

In the past I have resolved this by simply adding a route in on the Ironport for the server. Network > Routing and ensure the gateway is the gateway of the internal private network. All should be well after this.

ie if your "internal private network" has the IP of 172.16.1.2/24 and the gateway for the interface is 172.16.1.1. Use the 172.16.1.1 as the gateway.

Server: Server01 Destination: 10.1.1.9 Gateway: 172.16.1.1

Note: You will no longer be able to manage the Ironport Appliance from this server.

0 Helpful

Go to solution
Jason Meyer
Level 1
Level 1
In response to Rick Williams

‎09-19-2013 07:05 AM

Thanks Rick, I added a (using your numbers) destination 10.1.1.9/32 gateway 172.16.1.1 and it worked.  Talking to my network guys, they agree. 

I was thining that the static route of 10.0.0.0/8 would have covered it but I learned that the more specific route wins so having a 10.1.1.9/32 is more specific.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents