Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Ironport C170 IP Source Preservation


We have a customer using an Ironport C170 Email firewall device. It seems the Ironport proxies Email traffic to the configured MTA using its own source IP instead of the client IP address. This is causing an issue for our customer as they need to be able to filter and do some post processing based on source IP. I am totally unfamiliar with the Ironport series as we do not use them here and searches do not reveal a way to have the Ironport preserve the source address. Could anyone more familiar with this device enlighten me on if source preservation is possible with this. Seems to be a true proxy device so I am not sure there is a way but thought I would throw it to the experts to be sure. Thanks in advance for replies.

Everyone's tags (2)
Cisco Employee

Ironport C170 IP Source Preservation


As soon as the ESA recieves the traffic from the email server will be processed and then it will be send using its interface IP address. What is the source IP address that should be preserved? What device owns it?


Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"

Luis Silva "If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
Community Member

Ironport C170 IP Source Preservation

Thanks for the reply. I should have been more clear. So for connections inbound from Internet clients, it seems the source IP is that of the C170 from the perspective of the Email server. Connection path would look like this:

client-------->C170--------->Email Server

For these connections, when the connection goes from the C170 to the Email server, the source IP is changed from that of the client, to that of the C170 because I believe the connection is actually being proxied. I would like to know if there is some configuration that would allow the source IP (in this case the clients source IP) to be preserved when the connection is sent to the Email server. Some sort of transparent proxy option perhaps? I really do not know anything about this C170 device, but things I read do not seem to indicate there is a way to do this. Just trying to see if anyone can confirm. Thanks.

Community Member

Ironport C170 IP Source Preservation

Anyone......I have a hard time believing this has never come up before. I know the Barracuda devices can do this somehow. Again, I am not at all familiar with Ironport gear so I am at a disadvantage here. Any help would be great. Thanks.

CreatePlease to create content