Solved

How to support two SMTP hosts with two distinct ISPs for distinct MX records

Posted on 2014-01-24
15
Medium Priority
812 Views
Last Modified: 2014-03-14
Puzzle! SMTP return traffic to the internet gets dropped due to no adjacent traffic found (guess NAT).
We have two distinct internal smart host appliances providing SMTP services (smtp1 & smtp2).
We also have two (2) distinct ISP providers behind a Cisco ASA 5510 (isp1 & isp2).
Dual ISP and Dual SMTP behind ASA
smtp1 is successfully exchanging emails via ISP1, as this also corresponds to the default route on the ASA: route outside 0.0.0.0 0.0.0.0 1.1.1.99

but smtp2 fails while trying to exchange SMTP traffic.
Mainly, the return SMTP traffic from smtp1 back to isp2 is actually being diverted by the default route at the ASA.

We understand the Cisco ASA 5510 does not support PBR (Policy Based Routing), which would have allowed detecting the return SMTP traffic coming from source smtp2 (192.168.1.5) and forcing it out via E0/2 using a static route.

Is there a way to overcome this problem/limitation?

The idea is to be able to offer SMTP redundancy by dedicating each MX pointer to one dedicated set of SMTP host and ISP provider.

Some sites mention using two distinct ASAs and one (1) router for PBR.

Ideas?
0
Question by:SeguraY
15 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 39808497
Go to netalyzr.icsi.berkeley.edu and run the offline check from your mail servers. It happens that providers decide to tackle spam on behalf of their customers, leaving home workers without comms.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39808554
Unfortunately, as you have already discovered, you have to use a router to terminate the ISP links.  This will let you use PBR to send the SMTP traffic back through the ASA via the correct ISP.

It's very simple to do with an additional router but what you have to remember is that the ASA isn't distinctly a router - it is just a firewall with 'some' routing capability.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39808686
According to internet standards ASA and Catalyst with their rudimentary IP forwarding capabilities are full-fledged routers, just like Windows 95 or 7
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39808793
Hmmmm apologies if I'm being stupid here but I don't know whether to actually take what you just said as a joke...

The Cisco ASA is a firewall and although it has routing capabilities it is not a fully-fledged router by any stretch.  Similarly, Layer 3 switches such as the 3750 can obviously route (as they're Layer-3), but they can't do some things such as NAT or routing via two default routes at the same time.  Furthermore some features are restricted either by the software features contained within IOS, or simply the hardware they run on, and some features just aren't included in the software for that specific platform.

Cisco continue to make separate products such as routers, multilayer switches and firewalls for a good reason.
0
 
LVL 7

Expert Comment

by:unfragmented
ID: 39808815
Can you source NAT the traffic on the ASA?  Not sure if it's a valid config for the ASA, but it will help keep the traffic flow from ISP2 symmetric.  This is how it'd be done if it were a load balancer instead of a firewall.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39808819
I am serious. An internetwork router is a very simple thing. A NAT-capable router is called a stub router WITH NAT.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39808827
Well unfortunately I don't think the rest of the Cisco networking community would agree with you there.

As I said, a layer-3 switch is routing-capable, yet it can't do NAT, even when configured as a stub router.

A router which can do NAT is called a 'router'.  A router is defined as a stub when defined as a stub within a routing process.  A router can be a stub and a non-stub at the same time, depending on its configuration, and it can also run NAT with or without a routing process running.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39808829
@unfragmented - you can use policy NAT to tell the traffic which IP address to use as the source when it leaves the ASA, but unless the traffic can route via the appropriate upstream router this won't work.  The ASA can't use more than one default gateway at a time, so if you set specific static routes via different circuits you could get it to do what you want, but with a default route this won't work.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39808960
You don't need a NAT policy. You need static NAT for the broken path.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39808983
If possible can you post a cleaned up version of your config?

What should occur is that, since there should be an XLATE entry showing the traffic coming in from E0/2, the traffic should go out that interface.

At least according to:

http://www.packetu.com/2011/11/28/egress-interface-selection-on-the-cisco-asa/

Which references:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_overview.html#wp1095480
0
 
LVL 46

Accepted Solution

by:
Craig Beck earned 1500 total points
ID: 39808986
You can have all the NAT you want but it won't help.

If the ASA has two ISP links you can't send traffic over the ISP link which is not being used as the default gateway unless you use a static route.  That's not a solution as that would stop outbound traffic using one link permanently.

The issue is if one SMTP server sends mail to both your mail servers.  It could send email to both, but the return traffic would only ever come back over one path (as it is at the moment).  This would be due to a different reason, but the effect would be the same.

Therefore you need a router in-between the ASA and the internet feeds which can decide which ISP to send the traffic via.  If a connection comes in via ISP1 to 1.1.1.1 your ASA can use a NAT policy to change the source IP address of the return traffic to 1.1.1.1, then route any SMTP (or all) traffic from 1.1.1.1 back via ISP1.  The same could be done for the other ISP which is used to receive email for 2.2.2.2.

The thing about this is that the ASA is ALWAYS using the default gateway here, so it only needs to worry about where the packet came from and apply the appropriate NAT rule to the outbound packet.  The router does all of the ROUTING decisions.
0
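As an added worked example (not from the thread or from any poster), the router-plus-ASA design described above: the ASA keeps a single default route and only static NAT, and the router does PBR on the NATed source address. The addresses 1.1.1.1, 2.2.2.2, 1.1.1.99 and 192.168.1.5 come from the thread; all other addresses, interface names and the 8.3+ ASA object NAT syntax are assumptions.

```cisco
! ---- Router between the ASA and the two ISP circuits (Cisco IOS) ----
! Constructed addressing: Gi0/0 faces the ASA outside (10.0.0.1/30, ASA = 10.0.0.2);
! Gi0/1 faces ISP1 (gateway 1.1.1.99, from the question); Gi0/2 faces ISP2 (gateway 2.2.2.99, assumed).
interface GigabitEthernet0/0
 description link to ASA outside
 ip address 10.0.0.1 255.255.255.252
 ! PBR is applied where the packets from the ASA arrive
 ip policy route-map PBR-BY-SOURCE
interface GigabitEthernet0/1
 description ISP1
 ip address 1.1.1.2 255.255.255.0
interface GigabitEthernet0/2
 description ISP2
 ip address 2.2.2.3 255.255.255.0
!
! Inbound: the MX addresses are static NATs on the ASA, so send them there as /32s
! (assumes the ISPs deliver those addresses to this router; IOS proxy ARP on the WAN interfaces, on by default, covers the case where they sit in the WAN subnets).
ip route 1.1.1.1 255.255.255.255 10.0.0.2
ip route 2.2.2.2 255.255.255.255 10.0.0.2
! Everything else keeps ISP1 as default, exactly as the ASA did
ip route 0.0.0.0 0.0.0.0 1.1.1.99
!
! Return (and outbound) traffic is steered by its NATed source address
ip access-list extended FROM-MX1
 permit ip host 1.1.1.1 any
ip access-list extended FROM-MX2
 permit ip host 2.2.2.2 any
route-map PBR-BY-SOURCE permit 10
 match ip address FROM-MX1
 set ip next-hop 1.1.1.99
route-map PBR-BY-SOURCE permit 20
 match ip address FROM-MX2
 set ip next-hop 2.2.2.99
! Anything else falls through to the normal routing table
!
! ---- ASA 5510 (8.3+ object NAT syntax, assumed) ----
! One default route, to the router; the ASA makes no per-ISP routing decision
route outside 0.0.0.0 0.0.0.0 10.0.0.1
! Static 1:1 NAT, both directions; smtp1 at 192.168.1.4 is assumed, smtp2 at 192.168.1.5 is from the question
object network SMTP1
 host 192.168.1.4
 nat (inside,outside) static 1.1.1.1
object network SMTP2
 host 192.168.1.5
 nat (inside,outside) static 2.2.2.2
! Permit only TCP/25 to the two hosts; 8.3+ ACLs use the real (inside) addresses
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.4 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.5 eq smtp
access-group OUTSIDE_IN in interface outside
```

Circuit failure is not handled here: if ISP2 goes down, traffic from 2.2.2.2 is blackholed by the route-map, and the usual IOS addition is `set ip next-hop verify-availability` with an IP SLA track object.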
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39808992
@giltjr - if there is no outbound route the traffic won't go anywhere.  It's only good for connected subnets.

From the first link...
At this point, packets destined to 0-127.x.x.x will go to isp1.  Packets with a destination of 128-255.x.x.x will go to ISP2.  That still is not too interesting.  This could actually be accomplished with two routes in the route table.
That's half the issue - you would only be able to 'return' traffic down specific ISP links, so the same problem would likely exist depending on the link which the traffic originates from.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39809210
You need to add a static NAT rule for the other mail server to use the other link...
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 1500 total points
ID: 39809252
But it won't ROUTE out of the second link.  That's the point.  You need a NAT statement, and a ROUTE statement.

An SMTP server sends and receives.  When a mail originates from the SMTP server behind the ASA it will HAVE to use the default route on the ASA if static routes to specific destinations don't exist.  Therefore you can't get BOTH ISP links to work in this scenario.

Trust me... I've done it hundreds of times.  You must use a router in addition to the ASA for this to work properly.

The link that giltjr posted confirms this.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39928836
Fun to see how the Cisco world can't handle stuff that many software firewalls have been handling elegantly for years: they implement reply-to and will answer to the original router if you just set reply-to "interface_name".

Source NAT would work but is a no-go if you expect proper antispam downstream.

A single Cisco can usually handle it by PATing each connection to a specific set of ports and setting up the required policy routes so the answers from each set of ports are sent to the proper router.

If policy routes are not supported, you can duplicate the traffic that should reach the non-default router to that router in the same way you'd set up a sniffer... and block the corresponding traffic so you don't hammer the default router with traffic it is not supposed to receive. Undoubtedly this is overly complicated.
0
