
New Member

Suggestion is needed

Hey, folks

We have a hosted data center environment. We use dual ASA 5510s for the connection going out to the Internet. On the internal side of the ASA 5510, we use unique VLANs to identify different hosted customers and also isolate traffic among them. Recently we ran into an issue where one customer cannot email another customer whose email servers are both residing in our hosted environment. For example,

Customer A's email server is configured with 10.10.1.1, with a public IP mapped on the ASA 5510 as 23.24.25.26. Customer B's email server is configured with 192.168.2.1, with a public IP mapped on the same ASA 5510 as 23.24.25.28. When customer A sends email to customer B, the traffic gets blocked, which is expected on the ASA. Now we are trying to keep the proper security while somehow allowing the two customers to exchange email.

We could configure ACLs specifically to do the job, but it will not be manageable if there are 50 customers that need to email another 50 customers in the same environment...

Please advise.

/S

6 REPLIES

Suggestion is needed

Are both customers residing in the inside zone of the ASA box, with sub-interfaces created on the ASA?

New Member

Suggestion is needed

That is correct. That is, I guess, the main reason I am searching for an alternative way to allow certain communication while maintaining the setup.

New Member

Suggestion is needed

Still waiting for suggestions...

BTW, do other big hosting environments use a single routing/firewall instance for each customer?

Suggestion is needed

Hi Bro

To resolve your issue, you'll need to configure Cisco DNS Doctoring. This will work like a charm.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

In most enterprise deployments that host hundreds of tenants, they would normally use Cisco FWSM running in multi-context mode. This means one virtual FW per customer. On the switching side, Cisco Nexus 7K is used instead.

P/S: if you think this comment is useful, please do rate them nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam, Technical Specialist/Service Delivery Manager – Managed Service Department

New Member

Re: Suggestion is needed

Thanks for the suggestion. But multi-context on the ASA will not be applicable for us. IPSec VPNs are used between the data center and customers.

Plus, we prefer not to configure ACL/NAT rules to accomplish this. What if there are 10 or 20 customers that need this setup? We just don't want to lose configuration control.

We are considering the email relay server or CSR1000v.

If you have any other suggestions, please post.

Sent from Cisco Technical Support iPad App

Suggestion is needed

Hi Shuai Yu,

You can enable hairpinning to make this work.

Please refer to the document below as well, along with the DNS doctoring concept which Ramraj has suggested. Here you are doing it within the sub-interfaces. Both are almost similar in concept.

You have to create NAT rules in such a way as to achieve this.

http://ckdake.com/content/2009/hairpinning-with-a-cisco-asa.html


Please do rate if the given information helps.

by

Karthik
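As an added example (not from this thread, the linked article, or Cisco's documentation), here is what the NAT-based approach Karthik describes looks like in ASA 8.3+ syntax, using the addresses from the original post: Customer A's server reaches Customer B's server through B's public address, while every other path between the tenant VLANs stays closed. The sub-interface names CustA/CustB, the name "outside", equal security levels on the tenant sub-interfaces, and the 8.3+ object/twice NAT syntax are assumptions.

```cisco
! Assumed: ASA 8.3+ NAT syntax; tenant VLAN sub-interfaces named CustA and CustB
! at the same security level; Internet-facing interface named "outside".
! Addresses are the ones given in the thread.

! Sub-interfaces at the same security level do not forward to each other by
! default; this is what makes the inter-tenant hairpin possible at all.
same-security-traffic permit inter-interface

! Customer B's real mail server and the public address already mapped to it.
object network CustB-Mail
 host 192.168.2.1
 nat (CustB,outside) static 23.24.25.28
object network CustB-Mail-Public
 host 23.24.25.28

! Customer A's mail server; its own public mapping is unchanged.
object network CustA-Mail
 host 10.10.1.1
 nat (CustA,outside) static 23.24.25.26

! Twice NAT (evaluated before the object NAT rules above): when A's server
! sends to B's public address, rewrite the destination to B's real address
! and keep the source, so the ASA forwards out CustB instead of outside.
nat (CustA,CustB) source static CustA-Mail CustA-Mail destination static CustB-Mail-Public CustB-Mail

! Enabling same-security inter-interface traffic opens every tenant to every
! other tenant, so the ingress ACL must re-close it: permit only SMTP from A's
! server to B's server, then deny all other tenant-to-tenant traffic.
! Post-8.3 ACLs match on real (untranslated) addresses, hence 192.168.2.1.
object-group network TENANT-NETS
 network-object 10.10.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
access-list CustA_in extended permit tcp host 10.10.1.1 host 192.168.2.1 eq smtp
access-list CustA_in extended deny ip any object-group TENANT-NETS
access-list CustA_in extended permit ip any any
access-group CustA_in in interface CustA
```

Mail from B back to A needs the mirror-image twice NAT rule and a matching CustA-bound entry in B's ingress ACL; the return packets of a flow A initiated are handled by the connection table and need no extra rule.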
