Solved

How to support two SMTP servers with two distinct ISPs for distinct MX records

Posted on 2014-01-24
15
795 Views
Last Modified: 2014-03-14
Puzzle! SMTP return traffic to the internet gets dropped due to no adjacent traffic found (guess NAT).
We have two distinct internal smart host appliances providing SMTP services (smtp1 & smtp2).
We also have two (2) distinct ISP providers behind a Cisco ASA 5510 (isp1 & isp2).
Dual ISP and Dual SMTP behind ASA
smtp1 is successfully exchanging emails via ISP1, as this also corresponds to the default route on the ASA: route outside 0.0.0.0 0.0.0.0 1.1.1.99

but smtp2 fails while trying to exchange SMTP traffic.
Mainly, the return SMTP traffic from smtp1 back to isp2 is actually being diverted by the default route at the ASA.

We understand the Cisco ASA 5510 does not support PBR (Policy Based Routing), which would have allowed us to detect the return SMTP traffic coming from source smtp2 (192.168.1.5) and force it out via E0/2 using a static route.

Is there a way to overcome this problem/limitation?

The idea is to be able to offer SMTP redundancy by dedicating each MX pointer to one dedicated set of SMTP host and ISP provider.

Some sites mention using two distinct ASA and one (1) router for PBR.

Ideas?
0
Question by:SeguraY
15 Comments
 
LVL 61

Expert Comment

by:gheist
ID: 39808497
Go to netalyzr.icsi.berkeley.edu and run the offline check from your mail servers. It happens that providers decide to tackle spam on behalf of their customers, leaving home workers without comms.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39808554
Unfortunately, as you have already discovered, you have to use a router to terminate the ISP links. This will let you use PBR to send the SMTP traffic back through the ASA via the correct ISP.

It's very simple to do with an additional router but what you have to remember is that the ASA isn't distinctly a router - it is just a firewall with 'some' routing capability.
0
 
LVL 61

Expert Comment

by:gheist
ID: 39808686
According to internet standards, ASA and Catalyst with their rudimentary IP forwarding capabilities are full-fledged routers, just like Windows 95 or 7.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39808793
Hmmmm apologies if I'm being stupid here but I don't know whether to actually take what you just said as a joke...

The Cisco ASA is a firewall and although it has routing capabilities it is not a fully-fledged router by any stretch.  Similarly, Layer 3 switches such as the 3750 can obviously route (as they're Layer-3), but they can't do some things such as NAT or routing via two default routes at the same time.  Furthermore some features are restricted either by the software features contained within IOS, or simply the hardware they run on, and some features just aren't included in the software for that specific platform.

Cisco continue to make separate products such as routers, multilayer switches and firewalls for a good reason.
0
 
LVL 7

Expert Comment

by:unfragmented
ID: 39808815
Can you source NAT the traffic on the ASA? Not sure if it's a valid config for the ASA, but it will help keep the traffic flow from ISP2 symmetric. This is how it'd be done if it were a load balancer instead of a firewall.
0
 
LVL 61

Expert Comment

by:gheist
ID: 39808819
I am serious. An internetwork router is a very simple thing. A NAT-capable router is called a stub router WITH NAT.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39808827
Well unfortunately I don't think the rest of the Cisco networking community would agree with you there.

As I said, a layer-3 switch is routing-capable, yet it can't do NAT, even when configured as a stub router.

A router which can do NAT is called a 'router'.  A router is defined as a stub when defined as a stub within a routing process.  A router can be a stub and a non-stub at the same time, depending on its configuration, and it can also run NAT with or without a routing process running.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39808829
@unfragmented - you can use policy NAT to tell the traffic which IP address to use as the source when it leaves the ASA, but unless the traffic can route via the appropriate upstream router this won't work.  The ASA can't use more than one default gateway at a time, so if you set specific static routes via different circuits you could get it to do what you want, but with a default route this won't work.
0
 
LVL 61

Expert Comment

by:gheist
ID: 39808960
You don't need a NAT policy. You need static NAT for the broken path.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39808983
If possible can you post a cleaned up version of your config?

What should occur is that, since there should be an XLATE entry showing the traffic coming in from E0/2, the traffic should go out that interface.

At least according to:

http://www.packetu.com/2011/11/28/egress-interface-selection-on-the-cisco-asa/

Which references:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_overview.html#wp1095480
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39808986
You can have all the NAT you want but it won't help.

If the ASA has two ISP links you can't send traffic over the ISP link which is not being used as the default gateway unless you use a static route.  That's not a solution as that would stop outbound traffic using one link permanently.

The issue is if one SMTP server sends mail to both your mail servers.  It could send email to both, but the return traffic would only ever come back over one path (as it is at the moment).  This would be due to a different reason, but the effect would be the same.

Therefore you need a router in-between the ASA and the internet feeds which can decide which ISP to send the traffic via.  If a connection comes in via ISP1 to 1.1.1.1 your ASA can use a NAT policy to change the source IP address of the return traffic to 1.1.1.1, then route any SMTP (or all) traffic from 1.1.1.1 back via ISP1.  The same could be done for the other ISP which is used to receive email for 2.2.2.2.

The thing about this is that the ASA is ALWAYS using the default gateway here, so it only needs to worry about where the packet came from and apply the appropriate NAT rule to the outbound packet.  The router does all of the ROUTING decisions.
0
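Added example of the design the accepted solution describes (not configuration from the thread): the ASA keeps a single default route and only applies 1:1 NAT per MX host, while a router in front of it uses PBR to pick the ISP by the NATed source address. Assumptions beyond what the thread states: ASA 8.3+ NAT syntax, smtp1 at 192.168.1.4, an ASA-to-router link on 10.0.0.0/30, and 2.2.2.99 as the ISP2 gateway (1.1.1.99, 1.1.1.1, 2.2.2.2 and 192.168.1.5 are from the thread).

```cisco
! ===== Cisco ASA (8.3+ NAT syntax) =====
! One default route only, pointing at the PBR router (assumed 10.0.0.1)
route outside 0.0.0.0 0.0.0.0 10.0.0.1
!
! Static object NAT is bidirectional: inbound to 1.1.1.1 reaches smtp1,
! and anything smtp1 originates leaves sourced from 1.1.1.1
object network SMTP1
 host 192.168.1.4
 nat (inside,outside) static 1.1.1.1
! smtp2 address from the question, mapped to the second MX address
object network SMTP2
 host 192.168.1.5
 nat (inside,outside) static 2.2.2.2
!
! Expose TCP/25 only; in 8.3+ the inbound ACL references real addresses
access-list OUTSIDE_IN extended permit tcp any object SMTP1 eq smtp
access-list OUTSIDE_IN extended permit tcp any object SMTP2 eq smtp
access-group OUTSIDE_IN in interface outside
!
! ===== Router between the ASA and the two ISP links (IOS) =====
! Classify by the NATed source address the ASA hands us
ip access-list extended FROM-MX1
 permit ip host 1.1.1.1 any
ip access-list extended FROM-MX2
 permit ip host 2.2.2.2 any
!
! PBR: MX1 traffic always via ISP1, MX2 traffic always via ISP2;
! anything else falls through to the normal routing table
route-map ISP-SELECT permit 10
 match ip address FROM-MX1
 set ip next-hop 1.1.1.99
route-map ISP-SELECT permit 20
 match ip address FROM-MX2
 set ip next-hop 2.2.2.99
!
interface GigabitEthernet0/0
 description To ASA outside (10.0.0.2)
 ip address 10.0.0.1 255.255.255.252
 ip policy route-map ISP-SELECT
!
! Default for everything else via ISP1; both MX addresses live behind the ASA
ip route 0.0.0.0 0.0.0.0 1.1.1.99
ip route 1.1.1.1 255.255.255.255 10.0.0.2
ip route 2.2.2.2 255.255.255.255 10.0.0.2
```

With this split, a session that arrived via ISP2 for 2.2.2.2 returns through the ASA sourced as 2.2.2.2 and is policy-routed back to ISP2, so the path stays symmetric and the ASA never sees the asymmetric-return drop described in the question.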
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39808992
@giltjr - if there is no outbound route the traffic won't go anywhere.  It's only good for connected subnets.

From the first link...
At this point, packets destined to 0-127.x.x.x will go to isp1.  Packets with a destination of 128-255.x.x.x will go to ISP2.  That still is not too interesting.  This could actually be accomplished with two routes in the route table.
That's half the issue - you would only be able to 'return' traffic down specific ISP links, so the same problem would likely exist depending on the link which the traffic originates from.
0
 
LVL 61

Expert Comment

by:gheist
ID: 39809210
You need to add a static NAT rule for the other mail server to use the other link...
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 500 total points
ID: 39809252
But it won't ROUTE out of the second link.  That's the point.  You need a NAT statement, and a ROUTE statement.

An SMTP server sends and receives.  When a mail originates from the SMTP server behind the ASA it will HAVE to use the default route on the ASA if static routes to specific destinations don't exist.  Therefore you can't get BOTH ISP links to work in this scenario.

Trust me... I've done it hundreds of times.  You must use a router in addition to the ASA for this to work properly.

The link that giltjr posted confirms this.
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39928836
Fun to see how the Cisco world can't handle stuff that many software firewalls have been handling elegantly for years: they implement reply-to and will answer to the original router if you just set reply-to "interface_name".

Source NAT would work but is a no-go if you expect proper antispam downstream.

A single Cisco can usually handle it by PATing each connection to a specific set of ports and setting up the required policy routes so the answers from each set of ports are sent to the proper router.

If policy routes are not supported, you can duplicate the traffic that should reach the non-default router to that router in the same way you'd set up a sniffer... and block the corresponding traffic so you don't hammer the default router with traffic it is not supposed to receive. Undoubtedly this is overly complicated.
0