I have been asked if I can set up my ASA5510 to allow access to a secondary Exchange server for Outlook Web Access, so that if the first server went down it would automatically send mail and OWA to the new server. Although the domain name of the server stays the same, the server is at our co-location and has a different IP address.
The MX records won't come into the picture if the Exchange server and the OWA are running on two different IP addresses. If there is going to be a second Exchange server in the new location, then we need a new MX record.
They just want to add a second OWA server.
If they have another available public IP address we can easily map that to a static 1-1
static (i,o) x.x.x.x 10.11.12.77
and allow permission on the outside acl to allow 443 to this x.x.x.x from the internet.
I can't think of a way to make this automatic when 192.168.1.77 fails for 10.11.12.77 to automatically kick in.
They can maybe add a new "A" record for this one like webmail-bak.domainname.org and have the users go to this if
I was just thinking along the lines of a static one-to-one NAT both ways, so when the mail is sent outbound it is identified by its IP rather than the default global PAT address of all the other internal users. That way, for mail source validation purposes to a smarthost or other e-mail servers, in case of SPF checks, it shows up the same as the MX record.
I'm assuming you're talking about it has a different internal IP Address? If you have proper routing between the main site and your co-location, you should be able to assign another static IP to the secondary server and route through the WAN or however your sites are connected to accept requests and back through.
You would need secondary MX records for the backup server and some sort of DNS redundancy setup too so if the main server/connection goes down it will fail over.
Thank you for the reply, but I am a little confused. Yes, it has a different internal IP address and they are both inside our network. Let me try and explain the scenario.
A user connects from home by going to https://webmail.domainname.org. The firewall performs PAT and sends the request to the Exchange server and everything is fine. Then the primary Exchange server (192.168.1.77) goes down; the secondary notices it and brings up its services (10.11.12.77). The internal clients are fine because they are connecting to pheonix.domainname.org and are automatically sent to the new server. But since I cannot, or at least I think you cannot, have more than one PAT statement per public IP and port, how do I redirect them?
Are you suggesting that externally I have 2 MX records and 2 public IPs, and then I have two PAT statements? I am sorry if my terminology is a bit off, I am pretty new to firewalling.
A global PAT is only used to NAT internal users to the internet. If you use static NAT for both inbound and outbound relationships for two different IPs, point them to two different internal servers, and set up a secondary MX record, you will be fine.
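The two-address layout suggested in the replies, written out as an added example that is not part of any poster's configuration. It uses the pre-8.3 `static` syntax that appears in the thread (ASA 8.3 and later use a different NAT syntax). The interface names `inside`/`outside`, the ACL name `OUTSIDE_IN` and the public addresses 203.0.113.10 and 203.0.113.11 (documentation-range placeholders) are assumptions; only the internal addresses come from the thread.

```cisco
! Added example. Placeholders: 203.0.113.10 / 203.0.113.11 (public IPs),
! OUTSIDE_IN (ACL name), inside/outside (interface names).

! One-to-one static NAT per server. Because these are static translations,
! each server's outbound mail also leaves from its own public address
! instead of the shared global PAT address.
static (inside,outside) 203.0.113.10 192.168.1.77 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.11.12.77 netmask 255.255.255.255

! Pre-8.3 ACLs match on the mapped (public) address.
! Permit only HTTPS for OWA to each server.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.11 eq 443

! Permit SMTP only to addresses that an MX record actually points at.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 25
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.11 eq 25

! Everything else inbound is dropped by the implicit deny at the end of the ACL.
access-group OUTSIDE_IN in interface outside
```

The firewall does not perform the failover in this layout: external clients reach the secondary only through DNS, via the second MX record and a separate or updated A record for OWA.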