New Member

Route mail to 2 separate servers using Cisco asa 5520

Hi, I need to route mail on port 25 through a Cisco ASA 5520 to 2 separate servers. I have one set up already which works fine but am introducing the second one now. The mail will be coming from "any" so I cannot tie it down by source. I have a block of 5 external IPs so I hoped I could do something by passing traffic coming to 1 IP to one internal server and to a second IP to the other. I have set up a NAT rule for the passage of SMTP traffic from the second IP to the second mail server but cannot think what access rule I need to make to get the traffic from the second IP passing through as the external interface can only have 1 IP. I have seen lots of people running 2 servers for sending out but none seem to do it for receiving. Is this even possible?

4 REPLIES
Super Bronze

Route mail to 2 separate servers using Cisco asa 5520

Hi,

Some questions about your setup

  • Since you have several public IP addresses, were you planning on giving both of these servers their own public IP addresses of all traffic? This would be done with Static NAT. If you just want to forward single port TCP/25 with 2 public IP addresses then we would use Static PAT.
  • What is the software version of the firewall? You can use the command "show version" to determine this
  • Can you provide the ASA configurations (without any sensitive information) or do you just want example configurations to help you set up the NATs yourself?

- Jouni

New Member

Route mail to 2 separate servers using Cisco asa 5520

Hi Jouni

  • Plan would be 2 public IP addresses for port 25 traffic - if mail was coming from any for one domain it would go to server A and if for another domain it would be server B
  • 8.2(1)
  • Just example configs would be great

Thanks

Super Bronze

Route mail to 2 separate servers using Cisco asa 5520

Hi,

Ok, so if you want to perform Static PAT for port TCP/25 only to enable inbound traffic from Internet then you would need configurations like these

Example source information

  • Interfaces "inside" and "outside"
  • External IP addresses 1.1.1.2 and 1.1.1.3 of which 1.1.1.2 is the one configured on the "outside" interface
  • Internal IP addresses 10.10.10.2 and 10.10.10.3
  • ACL attached to "outside" interface is called OUTSIDE-IN

static (inside,outside) tcp interface 25 10.10.10.2 25 netmask 255.255.255.255

static (inside,outside) tcp 1.1.1.3 25 10.10.10.3 25 netmask 255.255.255.255

access-list OUTSIDE-IN remark Allow inbound SMTP traffic

access-list OUTSIDE-IN permit tcp any host 1.1.1.2 eq 25

access-list OUTSIDE-IN permit tcp any host 1.1.1.3 eq 25

access-group OUTSIDE-IN in interface outside

Only use the "access-group" command if you don't have any ACL configured for the "outside" interface. If you have an ACL then use its name in the above ACL configurations and don't add any additional "access-group" command.

The above configurations should enable external SMTP connections to these 2 public IP addresses.

In case you need both servers' outbound connections to show with the same IP addresses as in the Static PAT configurations you need additional NAT configurations. What I mean is if you want the connections initiated from the servers to the external network to show up with the same IP addresses then you will need something like this

access-list SMTP-SRV-1-POLICYPAT remark Dynamic Policy PAT for SMTP Server 1

access-list SMTP-SRV-1-POLICYPAT permit tcp host 10.10.10.2 any eq 25

access-list SMTP-SRV-2-POLICYPAT remark Dynamic Policy PAT for SMTP Server 2

access-list SMTP-SRV-2-POLICYPAT permit tcp host 10.10.10.3 any eq 25

global (outside) 100 interface

nat (inside) 100 access-list SMTP-SRV-1-POLICYPAT

global (outside) 200 1.1.1.3

nat (inside) 200 access-list SMTP-SRV-2-POLICYPAT

The above ACLs define the conditions under which these translations are done. The "global" and "nat" commands perform the actual NAT/PAT.

I would imagine that you might not need the ID 100 rule since you probably already PAT outbound traffic to the interface IP, but it might be clearer to read the configuration if both servers have their own configurations.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed though.

- Jouni
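Added example, not part of the thread and not Cisco code: a small Python check that parses an ASA 8.2-style snippet like the one in the reply above and reports dangling ACL names (a `nat` or `access-group` line naming an ACL that does not exist), static PATs with no matching permit on the inbound ACL of their mapped interface, and inbound permits that are broader than one host and one port. It assumes 8.2 semantics, where an interface ACL matches the mapped public address (which is why the reply's ACEs name 1.1.1.2 and 1.1.1.3 rather than the 10.10.10.x hosts), resolves the `interface` keyword through an assumed `INTERFACE_IPS` map, understands only the `any` and `host X` endpoint forms, and runs on a constructed sample of the thread's config in which one ACL name is deliberately mistyped so the check has something to catch.

```python
"""Offline consistency check for an ASA 8.2-style static PAT / ACL / policy-NAT snippet.

Added example, not Cisco's code. Assumes ASA 8.2 semantics (interface ACLs match the
*mapped* public address) and only the 'any' / 'host X' endpoint forms used in the thread.
"""
import re

# Constructed sample modelled on the thread's configuration, with the ACL name on the
# 'nat (inside) 100' line deliberately mistyped (SRV1 instead of SRV-1).
SAMPLE_CONFIG = """
static (inside,outside) tcp interface 25 10.10.10.2 25 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.3 25 10.10.10.3 25 netmask 255.255.255.255
access-list OUTSIDE-IN remark Allow inbound SMTP traffic
access-list OUTSIDE-IN permit tcp any host 1.1.1.2 eq 25
access-list OUTSIDE-IN permit tcp any host 1.1.1.3 eq 25
access-group OUTSIDE-IN in interface outside
access-list SMTP-SRV-1-POLICYPAT permit tcp host 10.10.10.2 any eq 25
access-list SMTP-SRV-2-POLICYPAT permit tcp host 10.10.10.3 any eq 25
global (outside) 100 interface
nat (inside) 100 access-list SMTP-SRV1-POLICYPAT
global (outside) 200 1.1.1.3
nat (inside) 200 access-list SMTP-SRV-2-POLICYPAT
"""

# Assumed: the address the 'interface' keyword resolves to on each interface.
INTERFACE_IPS = {"outside": "1.1.1.2"}
PORT_NAMES = {"smtp": "25"}  # 'show run' prints well-known ports by name

STATIC_RE = re.compile(r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp (?P<mapped_ip>\S+) "
                       r"(?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)")
ACE_RE = re.compile(r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\w+) (?P<rest>.*)$")
REMARK_RE = re.compile(r"^access-list (?P<name>\S+) remark ")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) (?P<dir>in|out) interface (?P<iface>\w+)$")
NAT_RE = re.compile(r"^nat \((?P<iface>\w+)\) (?P<id>\d+) access-list (?P<name>\S+)")
ENDPOINTS_RE = re.compile(r"^(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\S+))?$")


def parse_config(text):
    """Collect statics, ACLs (name -> ACE list), access-groups and nat ACL references."""
    cfg = {"statics": [], "acls": {}, "groups": [], "nat_refs": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            cfg["statics"].append(m.groupdict())
        elif m := REMARK_RE.match(line):
            cfg["acls"].setdefault(m["name"], [])  # a remark alone still creates the ACL
        elif m := ACE_RE.match(line):
            cfg["acls"].setdefault(m["name"], []).append(m.groupdict())
        elif m := GROUP_RE.match(line):
            cfg["groups"].append(m.groupdict())
        elif m := NAT_RE.match(line):
            cfg["nat_refs"].append(m.groupdict())
    return cfg


def mapped_address(static, interface_ips):
    """Resolve the public side of a static PAT ('interface' keyword or a literal IP)."""
    if static["mapped_ip"] == "interface":
        return interface_ips.get(static["mapped_if"])
    return static["mapped_ip"]


def ace_permits(ace, ip, port):
    """True if a permit ACE admits TCP to ip:port under 8.2 (mapped-address) matching."""
    if ace["action"] != "permit" or ace["proto"] not in ("tcp", "ip"):
        return False
    m = ENDPOINTS_RE.match(ace["rest"])
    if not m:
        return False
    dst_ok = m["dst"] in ("any", f"host {ip}")
    port_ok = m["port"] is None or PORT_NAMES.get(m["port"], m["port"]) == str(port)
    return dst_ok and port_ok


def check_config(text, interface_ips):
    """Return human-readable findings; an empty list means the snippet is consistent."""
    cfg = parse_config(text)
    findings = []
    inbound = {g["iface"]: g["name"] for g in cfg["groups"] if g["dir"] == "in"}

    # 1. A dangling ACL name fails silently: nothing matches, so no NAT / no permit.
    for g in cfg["groups"]:
        if g["name"] not in cfg["acls"]:
            findings.append(f"access-group on {g['iface']} references undefined ACL {g['name']}")
    for n in cfg["nat_refs"]:
        if n["name"] not in cfg["acls"]:
            findings.append(f"nat ({n['iface']}) {n['id']} references undefined ACL {n['name']}")

    # 2. Every static PAT needs a permit on the inbound ACL of its mapped interface.
    for s in cfg["statics"]:
        ip = mapped_address(s, interface_ips)
        target = f"{ip}:{s['mapped_port']} -> {s['real_ip']}:{s['real_port']}"
        acl = inbound.get(s["mapped_if"])
        if acl is None:
            findings.append(f"no inbound ACL on {s['mapped_if']}; static PAT {target} is unreachable")
        elif not any(ace_permits(a, ip, s["mapped_port"]) for a in cfg["acls"].get(acl, [])):
            findings.append(f"ACL {acl} has no permit for static PAT {target}")

    # 3. Inbound permits should be pinned to one host and one port.
    for iface, acl in inbound.items():
        for a in cfg["acls"].get(acl, []):
            m = ENDPOINTS_RE.match(a["rest"])
            if a["action"] == "permit" and (not m or m["dst"] == "any" or m["port"] is None):
                findings.append(f"ACL {acl} on {iface} permits more than a host/port: {a['proto']} {a['rest']}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG, INTERFACE_IPS) or ["no findings"]:
        print(finding)
```

Run as-is it reports the mistyped ACL on the `nat (inside) 100` line and nothing else; once that name is corrected the snippet is consistent. The third check is the one worth keeping around: an inbound `permit ip any any` or a permit without `eq` makes the static PAT reachable but also exposes every other mapped address on that interface.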

New Member

Route mail to 2 separate servers using Cisco asa 5520

Hi Jouni

Great, thanks - I will give that a go now and let you know.
