Route mail to 2 separate servers using Cisco ASA 5520

r.knaggs
Level 1

Hi, I need to route mail on port 25 through a Cisco ASA 5520 to 2 separate servers. I have one set up already which works fine but am introducing the second one now. The mail will be coming from "any" so I cannot tie it down by source. I have a block of 5 external IPs so hoped I could do something by passing traffic coming to 1 IP to one internal server and to a second IP to the other. I have set up a NAT rule for the passage of SMTP traffic from the second IP to the second mail server but cannot think what access rule I need to make to get the traffic from the second IP passing through, as the external interface can only have 1 IP. I have seen lots of people running 2 servers for sending out but none seem to do it for receiving. Is this even possible?

4 Replies

Jouni Forss
VIP Alumni

Hi,

Some questions about your setup:

  • Since you have several public IP addresses, were you planning on giving both of these servers their own public IP addresses for all traffic? This would be done with Static NAT. If you just want to forward the single port TCP/25 with 2 public IP addresses then we would use Static PAT.
  • What is the software version of the firewall? You can use the command "show version" to determine this.
  • Can you provide the ASA configurations (without any sensitive information) or do you just want example configurations to help you set up the NATs yourself?

- Jouni

Hi Jouni

  • Plan would be 2 public IP addresses for port 25 traffic - if mail was coming from any for one domain it would go to server A and if for another domain it would be server B
  • 8.2(1)
  • Just example configs would be great

Thanks

Hi,

Ok, so if you want to perform Static PAT for port TCP/25 only, to enable inbound traffic from the Internet, then you would need configurations like these.

Example source information:

  • Interfaces "inside" and "outside"
  • External IP addresses 1.1.1.2 and 1.1.1.3 of which 1.1.1.2 is the one configured on the "outside" interface
  • Internal IP addresses 10.10.10.2 and 10.10.10.3
  • ACL attached to "outside" interface is called OUTSIDE-IN

! Static PAT: TCP/25 on the "outside" interface address (1.1.1.2) to server 1
static (inside,outside) tcp interface 25 10.10.10.2 25 netmask 255.255.255.255
! Static PAT: TCP/25 on the second public address to server 2
static (inside,outside) tcp 1.1.1.3 25 10.10.10.3 25 netmask 255.255.255.255
! Inbound ACL on "outside" permitting SMTP only, to the two public addresses
access-list OUTSIDE-IN remark Allow inbound SMTP traffic
access-list OUTSIDE-IN permit tcp any host 1.1.1.2 eq 25
access-list OUTSIDE-IN permit tcp any host 1.1.1.3 eq 25
access-group OUTSIDE-IN in interface outside

Only use the "access-group" command if you don't have any ACL configured for the "outside" interface. If you have an ACL then use its name in the above ACL configurations and don't add any additional "access-group" command.

The above configurations should enable external SMTP connections to these 2 public IP addresses.

In case you need both servers' outbound connections to show with the same IP addresses as in the Static PAT configurations, you need additional NAT configurations. What I mean is, if you want the connections initiated from the servers to the external network to show up with the same IP addresses, then you will need something like this:

! Policy PAT conditions: outbound SMTP from each server
access-list SMTP-SRV-1-POLICYPAT remark Dynamic Policy PAT for SMTP Server 1
access-list SMTP-SRV-1-POLICYPAT permit tcp host 10.10.10.2 any eq 25
access-list SMTP-SRV-2-POLICYPAT remark Dynamic Policy PAT for SMTP Server 2
access-list SMTP-SRV-2-POLICYPAT permit tcp host 10.10.10.3 any eq 25
! Server 1 leaves with the "outside" interface address (1.1.1.2)
global (outside) 100 interface
nat (inside) 100 access-list SMTP-SRV-1-POLICYPAT
! Server 2 leaves with 1.1.1.3, matching its Static PAT
global (outside) 200 1.1.1.3
nat (inside) 200 access-list SMTP-SRV-2-POLICYPAT

The above ACLs define the conditions under which these translations should be done. The "global" and "nat" commands perform the actual NAT/PAT.

I would imagine that you might not need the ID 100 rule, since you probably already PAT outbound traffic to the interface address, but it might be clearer to read the configuration when both servers have their own configurations.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed though.

- Jouni

Hi Jouni

Great, thanks - I will give that a go now and let you know.
