New Member

Maintain email from outside while switching ISP/IP addresses

We are switching to new ISP with new public IP addresses and need to keep mail flowing to email server during cutover period.

Configuration is listed in the table below. I can successfully NAT SMTP on both public IPs to the inside mail server IP, but it only replies through the public IP that is the current default route.

I believe I need a way for traffic to always flow back the interface it came in from. Is this possible on the ASA?

ASA 5505, OS v7.3

Device       IP Address     Subnet Mask       Default Router   NOTE
ISPExisting  65.65.65.66    255.255.255.248   65.65.65.65
ISPNew       70.70.70.70    255.255.255.248   70.70.70.65
Inside       10.0.0.254     255.255.0.0       65.65.65.65      Will change to 70.70.70.65
eMailHost    10.0.0.10      255.255.0.0       10.0.0.254


Static NAT commands are:

static (LAN,ISPExist) tcp interface smtp 10.0.0.10 smtp netmask 255.255.255.255
static (LAN,ISPNew) tcp interface smtp 10.0.0.10 smtp netmask 255.255.255.255

route ISPExisting 0.0.0.0 0.0.0.0 65.65.65.65 1

Route changing to: route ISPNew 0.0.0.0 0.0.0.0 70.70.70.65 1

Any suggestions on commands or configurations to make this happen smoothly would be appreciated.


3 REPLIES
Hall of Fame Super Silver

If you only had flows outbound (initiated from your eMailHost), the simple route change would take care of the smtp flows.

Assuming you also have inbound flows (initiated from a client or another server sending mail to your domain), then there must be an access list allowing smtp inbound to the public (NATted) address. If there's not one already referencing the 70.x address, you will need one.

You must also have a DNS record that points to the 65.x address. That must be updated to point to the 70.x address. Actually the DNS is usually the longest bit to get updated because until the DNS TTL expires (typically most DNS providers only allow you to set that to no less than one hour), external hosts will continue to try to use the old address.

New Member

Thanks for replying. I have the ACL setup to send and receive SMTP and have tested it successfully.

We are preparing to change the DNS but here is the issue I tried to describe above.

With the default route out the existing ISP, we are good sending/receiving SMTP on IP 65.65.65.66.

When I change the default route to the New ISP, I can receive SMTP on the new IP address 70.70.70.70 but no longer receive SMTP on the existing IP 65.65.65.66.

I believe this is because the packet comes in one interface/IP and goes back the other interface/IP and gets rejected as a response.

Q#) Is there a way to tell the ASA to send the packet back out the interface it came in? A dynamic default route for packets coming in the other interface. OR is there a different way I should be doing this?


Hall of Fame Super Silver

You can have one or the other but not both routes. The ASA is, at best, a poor router. It will not do policy-based routing like an IOS-based router and asymmetric paths will typically cause issues with stateful firewalls.

You can hack around the latter issue to allow a given flow to come through but the former is pretty hard and fast. Thus the cutover needs to be done all at once. Mail should queue both in house and externally and start flowing inbound once DNS sorts out which IP address to use. Outbound should work pretty much straight away.
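The symptom described in this thread (inbound SMTP to the public address on the non-default ISP stops working the moment the default route moves) comes down to a stateful firewall pinning a connection to the interface it arrived on while routing the reply with the routing table. The following is an added illustration, not Cisco code and not the ASA's actual forwarding logic: a simplified Python model that records the ingress interface per connection, routes replies via a single default route, and drops the reply when the two disagree. The interface names and addresses are the ones from the poster's table; the client address 203.0.113.5 and the exact drop rule are constructed assumptions for the model.

```python
"""Toy model of a stateful firewall with two ISP interfaces.

Constructed for this thread (not ASA code). It reproduces the reported
symptom: inbound SMTP to the non-default ISP address stops working because the
reply is routed out the default-route interface rather than the ingress one.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Interface name -> (own address, connected subnet); numbers from the post's table.
INTERFACES: Dict[str, Tuple[IPv4Address, IPv4Network]] = {
    "ISPExisting": (ip_address("65.65.65.66"), ip_network("65.65.65.64/29")),
    "ISPNew":      (ip_address("70.70.70.70"), ip_network("70.70.70.64/29")),
    "LAN":         (ip_address("10.0.0.254"),  ip_network("10.0.0.0/16")),
}
MAIL_HOST = ip_address("10.0.0.10")
SMTP = 25

# Model of the two "static (LAN,<ifc>) tcp interface smtp 10.0.0.10 smtp" lines:
# (arrival interface, public address, port) -> inside host.
STATIC_NAT: Dict[Tuple[str, IPv4Address, int], IPv4Address] = {
    ("ISPExisting", ip_address("65.65.65.66"), SMTP): MAIL_HOST,
    ("ISPNew", ip_address("70.70.70.70"), SMTP): MAIL_HOST,
}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


class DualIspFirewall:
    """Stateful firewall: one default route, connections pinned to ingress."""

    def __init__(self, default_ifc: str) -> None:
        self.default_ifc = default_ifc
        # translated 4-tuple -> interface the first packet arrived on
        self.conns: Dict[Tuple[IPv4Address, int, IPv4Address, int], str] = {}
        self.log: List[str] = []

    def set_default_route(self, ifc: str) -> None:
        """Equivalent of replacing the 0.0.0.0/0 route with the other ISP."""
        self.default_ifc = ifc

    def egress_for(self, dst: IPv4Address) -> str:
        """Routing lookup: connected subnets first, otherwise the default route."""
        for name, (_, net) in INTERFACES.items():
            if dst in net:
                return name
        return self.default_ifc

    @staticmethod
    def arrival_ifc(dst: IPv4Address) -> str:
        """An inbound packet arrives on whichever ISP owns the public address."""
        for name, (addr, _) in INTERFACES.items():
            if addr == dst:
                return name
        raise ValueError(f"{dst} is not one of our addresses")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Client SYN from the Internet: apply static NAT and record ingress."""
        ingress = self.arrival_ifc(pkt.dst)
        inside = STATIC_NAT.get((ingress, pkt.dst, pkt.dport))
        if inside is None:
            self.log.append(f"drop: no static NAT for {pkt.dst}:{pkt.dport} on {ingress}")
            return None
        self.conns[(pkt.src, pkt.sport, inside, pkt.dport)] = ingress
        return Packet(pkt.src, pkt.sport, inside, pkt.dport)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Mail host's reply: forwarded only if routing agrees with ingress (assumed rule)."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        ingress = self.conns.get(key)
        if ingress is None:
            self.log.append("drop: no matching connection")
            return None
        egress = self.egress_for(pkt.dst)
        if egress != ingress:
            self.log.append(f"drop: reply to {pkt.dst} routes out {egress} but flow arrived on {ingress}")
            return None
        public = INTERFACES[egress][0]  # un-translate the source back to the public address
        return Packet(public, pkt.sport, pkt.dst, pkt.dport)


def smtp_roundtrip(fw: DualIspFirewall, public_ip: str, client_ip: str = "203.0.113.5") -> bool:
    """True if a client's SYN to public_ip and the server's SYN-ACK both get through."""
    syn = Packet(ip_address(client_ip), 40000, ip_address(public_ip), SMTP)
    inside = fw.inbound(syn)
    if inside is None:
        return False
    synack = Packet(inside.dst, inside.dport, inside.src, inside.sport)
    return fw.reply(synack) is not None


if __name__ == "__main__":
    for default in ("ISPExisting", "ISPNew"):
        fw = DualIspFirewall(default)
        for ip in ("65.65.65.66", "70.70.70.70"):
            print(f"default={default:12} inbound SMTP to {ip}: {smtp_roundtrip(fw, ip)}")
        for line in fw.log:
            print("   ", line)
```

Running it shows each public address working only while its ISP holds the default route, which is why the reply in the thread (cut over all at once, let DNS and mail queues absorb the gap) is the workable plan rather than trying to serve both addresses during the transition.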
