10-02-2011 03:32 AM - edited 03-10-2019 01:17 PM
I have 2 ISPs. I just want to implement a mail server behind the ASA. The requirement is that mail traffic will go in & out using ISP2 and all other traffic will go to ISP1. Right now traffic goes well with ISP1. If PBR is not supported on the ASA, is there any workaround? Can anyone help me out? Thanks in advance.
regards,
Munim.
ASA cannot do load-balancing or PBR, but there can be a work around for it, you can use this doc for it:
https://supportforums.cisco.com/docs/DOC-13015
Hope that helps.
Thanks,
Varun
Hi Varun,
Many thanks for the reply. That means a router is needed on top of the ASA. So we can't do it using only the ASA?
Can you please go to the link:
https://supportforums.cisco.com/docs/DOC-15622
and see the below part
2. Route traffic based on destination ports:
Is this config tested/verified? Please review.
regards,
Munim.
Hi Muhammad,
It's just a workaround and not a supported configuration, but I have seen it working and it should not be an issue if your requirement needs this to be done.
Thanks,
Varun
Many thanks for the confirmation. So if I put the mail server on the inside, then the configuration would be like:
By adding the configuration below, the ASA can be set up to send mail traffic (SMTP, POP3) out through ISP2 and all other traffic is sent through ISP1 as shown above.
route ISP1 0 0 1.1.1.2 // Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2 // Default route with Metric 2 via ISP2
static (ISP2,inside) tcp 0.0.0.0 25 0.0.0.0 25
static (ISP2,inside) tcp 0.0.0.0 110 0.0.0.0 110
sysopt noproxyarp inside // important, otherwise it will cause routing issues as the ASA will start sending proxy-arps for all hosts on the inside.
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
=================================================================================
And another solution referencing the doc:
https://supportforums.cisco.com/docs/DOC-8137
If I put the mail server in the DMZ, then the config may look like this:
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif backup
security-level 0
ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,backup) 2.2.2.4 172.16.1.2 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 1.1.1.3 1
route backup 0.0.0.0 0.0.0.0 2.2.2.2 2
In this case, if the static works, then mail going out and in will work through ISP2. Another thing: if inside users access the DMZ, then I think it needs to add:
global (dmz) 1 interface
Please check and reply. Waiting for your expert solution.
Hi Muhammad,
You are absolutely correct with the configuration, it should work after that.
Thanks,
Varun
Hi Varun,
So both solutions will work, right? If so, I have one query regarding case one:
By adding the configuration below, the ASA can be set up to send mail traffic (SMTP, POP3) out through ISP2 and all other traffic is sent through ISP1 as shown above.
route ISP1 0 0 1.1.1.2 // Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2 // Default route with Metric 2 via ISP2
static (ISP2,inside) tcp 0.0.0.0 25 0.0.0.0 25
static (ISP2,inside) tcp 0.0.0.0 110 0.0.0.0 110
sysopt noproxyarp inside // important, otherwise it will cause routing issues as the ASA will start sending proxy-arps for all hosts on the inside.
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
Mails are coming in (POP3) through ISP2.
Which way are mails going out from the inside: ISP1 or ISP2?
Thanks,
Munim.
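The workaround in the two posts above relies on the ASA consulting its destination NAT (static xlate) table before its routing table, so the port-25/110 identity statics steer outbound mail to ISP2 while the default route sends everything else to ISP1, and the `sysopt noproxyarp inside` line matters because a 0.0.0.0 static makes the ASA willing to proxy-ARP for every address on that interface. The following is an added, deliberately simplified model of that order of operations written for this thread; it is not Cisco code and does not reproduce real ASA packet processing (ACLs, inspection, the connection table and many other steps are omitted). The interface addresses 1.1.1.1 and 2.2.2.1, the inbound `static (inside,isp2)` port-forwards from the later post, and the constructed destination 203.0.113.10 are assumptions, since the first configuration variant only gives the gateways 1.1.1.2 and 2.2.2.2.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Simplified model of ASA 8.2-style "static" and "route" handling; added
# illustration only, not Cisco's implementation.

@dataclass(frozen=True)
class Static:
    """One 'static (real_if,mapped_if) [tcp] mapped_ip [port] real_ip [port]' line."""
    real_if: str
    mapped_if: str
    proto: Optional[str]      # 'tcp' for a port static, None for a plain IP static
    mapped_net: str           # address/prefix visible on mapped_if
    mapped_port: Optional[int]
    real_net: str             # address/prefix of the real host behind real_if
    real_port: Optional[int]

@dataclass(frozen=True)
class Route:
    iface: str
    prefix: str
    gateway: str
    metric: int

# Interface addresses are assumptions; the thread only lists the gateways.
IF_ADDR = {"ISP1": "1.1.1.1", "ISP2": "2.2.2.1", "inside": "192.168.1.1"}

STATICS = [
    # static (ISP2,inside) tcp 0.0.0.0 25 0.0.0.0 25  (identity static, outbound steering)
    Static("ISP2", "inside", "tcp", "0.0.0.0/0", 25, "0.0.0.0/0", 25),
    # static (ISP2,inside) tcp 0.0.0.0 110 0.0.0.0 110
    Static("ISP2", "inside", "tcp", "0.0.0.0/0", 110, "0.0.0.0/0", 110),
    # static (inside,isp2) tcp interface smtp 192.168.1.32 smtp  (inbound port-forward)
    Static("inside", "ISP2", "tcp", "2.2.2.1/32", 25, "192.168.1.32/32", 25),
    Static("inside", "ISP2", "tcp", "2.2.2.1/32", 110, "192.168.1.32/32", 110),
    Static("inside", "ISP2", "tcp", "2.2.2.1/32", 143, "192.168.1.32/32", 143),
]

ROUTES = [
    Route("ISP1", "0.0.0.0/0", "1.1.1.2", 1),   # route ISP1 0 0 1.1.1.2
    Route("ISP2", "0.0.0.0/0", "2.2.2.2", 2),   # route ISP2 0 0 2.2.2.2 2
]

def route_lookup(dst_ip, routes=ROUTES):
    """Longest prefix wins, then the lowest metric."""
    dst = ip_address(dst_ip)
    candidates = [r for r in routes if dst in ip_network(r.prefix)]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (ip_network(r.prefix).prefixlen, -r.metric))
    return best.iface

def egress(in_if, dst_ip, dst_port, proto, statics=STATICS, routes=ROUTES):
    """Return (egress_if, translated_dst_ip, translated_dst_port) for a new
    connection entering on in_if. The destination xlate lookup runs first;
    only if no static matches does the routing table decide."""
    dst = ip_address(dst_ip)
    for s in statics:
        if s.mapped_if != in_if:
            continue
        if s.proto is not None and s.proto != proto:
            continue
        if dst not in ip_network(s.mapped_net):
            continue
        if s.mapped_port is not None and s.mapped_port != dst_port:
            continue
        real_net = ip_network(s.real_net)
        # A host static rewrites the destination; a 0.0.0.0 identity static keeps it.
        new_dst = str(real_net.network_address) if real_net.prefixlen == 32 else dst_ip
        new_port = s.real_port if s.real_port is not None else dst_port
        return s.real_if, new_dst, new_port
    return route_lookup(dst_ip, routes), dst_ip, dst_port

def source_pat(egress_if):
    """nat (inside) 1 0 0 plus 'global (X) 1 interface': the source becomes the
    address of whichever interface the packet leaves on."""
    return IF_ADDR[egress_if]

def proxy_arp_scope(iface, statics=STATICS, noproxyarp=frozenset()):
    """Mapped networks the ASA would answer ARP for on iface. The 0.0.0.0
    statics put the whole address space in scope on 'inside', which is why the
    thread's config adds 'sysopt noproxyarp inside'."""
    if iface in noproxyarp:
        return []
    return sorted({s.mapped_net for s in statics if s.mapped_if == iface})

if __name__ == "__main__":
    print("inside -> 203.0.113.10:25 tcp  :", egress("inside", "203.0.113.10", 25, "tcp"))
    print("inside -> 203.0.113.10:443 tcp :", egress("inside", "203.0.113.10", 443, "tcp"))
    print("ISP2   -> 2.2.2.1:25 tcp       :", egress("ISP2", "2.2.2.1", 25, "tcp"))
    print("proxy-ARP scope on inside      :", proxy_arp_scope("inside"))
    print("... with noproxyarp inside     :", proxy_arp_scope("inside", noproxyarp={"inside"}))
```

In this model an inside host opening a TCP connection to port 25 or 110 leaves via ISP2 and is PATed to 2.2.2.1, which matches what the referenced document claims for outbound mail; UDP or other TCP ports fall through to the metric-1 default route on ISP1. The `proxy_arp_scope` check shows the side effect the config comment warns about: without `sysopt noproxyarp inside` the identity statics put 0.0.0.0/0 in the ASA's proxy-ARP scope on the inside interface.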
Hi Varun,
Putting the mail server in the DMZ will not work. Option 1 fails.
By doing :
route ISP1 0 0 1.1.1.2 // Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2 // Default route with Metric 2 via ISP2
static (ISP2,inside) tcp 0.0.0.0 25 0.0.0.0 25
static (ISP2,inside) tcp 0.0.0.0 110 0.0.0.0 110
sysopt noproxyarp inside // important, otherwise it will cause routing issues as the ASA will start sending proxy-arps for all hosts on the inside.
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
In this case mail is going out but not coming in. So I port forward to the inside mail server:
static (inside,isp2) tcp interface smtp 192.168.1.32 smtp netmask 255.255.255.255
static (inside,isp2) tcp interface pop3 192.168.1.32 pop3 netmask 255.255.255.255
static (inside,isp2) tcp interface imap4 192.168.1.32 imap4 netmask 255.255.255.255
It works then, but the ISP2 provider reports that they are seeing a huge broadcast from our network and need to disconnect our network.
What's the issue with this?
Thanks
Munim.