Re: Cisco ASA: NATing SMTP traffic to a second public IP

From: marc abel <marcabel_at_gmail.com>
Date: Thu, 20 Feb 2014 12:46:29 -0600

One more comment. As a matter of security, SMTP should be denied from all
inside hosts except your mail servers. Have the mobile clients relay
through the servers. This will keep you from getting your IP address SPAM
blacklisted every time someone gets a mass mailing virus.

On Thu, Feb 20, 2014 at 12:42 PM, marc abel <marcabel_at_gmail.com> wrote:

> If the two public IP addresses are on the same interface then it should be
> as simple as creating a static NAT specific to the SMTP ports, and then
> letting everything else hit the default NAT. If the Public IPs were on
> different interfaces of the ASA then you are in a situation where PBR type
> behavior would be needed. You used to be able to do this in some versions
> of 8.x code. The order of operations was such that the NAT would get
> processed before the route lookup so you could use this to do a PBR of
> sorts.
>
> This was changed in version 9 or 9.1 and not well documented. I got burned
> pretty bad when this functionality would no longer work after an upgrade.
>
>
> On Thu, Feb 20, 2014 at 11:52 AM, Charlie CA <spycharlies_at_gmail.com> wrote:
>
>> Hi Experts, was wondering if this is even possible on a Cisco ASA or
>> possibly someone could give me a hint.
>>
>>
>> I have a scenario here whereby I would want all my SMTP traffic (SMTP
>> Server IP 192.168.10.1) to go through a second public IP (assume 1.1.1.2),
>> while all internet traffic continues to go through the primary IP
>> (1.1.1.1).
>>
>>
>> A quick solution would have been to only permit the SMTP server to
>> send SMTP, but this is not possible as we have a couple of mobile
>> devices doing push email, so just permitting only the SMTP server
>> would be a nightmare.
>>
>> I know ASA can't do policy routing, is this possible?
>>
>>
>> Thanks
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

-- 
Marc Abel
CCIE #35470
(Routing and Switching)
Received on Thu Feb 20 2014 - 12:46:29 ART
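
Added example, not part of the thread and not code from either poster: a Python check over ASA connection-build syslog (message 302013) that flags inside hosts other than the mail server opening outbound SMTP, and mail-server SMTP that did not translate to the second public IP. The addresses 192.168.10.1, 1.1.1.1 and 1.1.1.2 come from the thread; the log lines are constructed, and the port set, interface names and destination addresses are assumptions.

```python
import re
from collections import namedtuple

MAIL_SERVERS = {"192.168.10.1"}   # SMTP server named in the thread
SMTP_PUBLIC_IP = "1.1.1.2"        # second public IP intended for SMTP
SMTP_PORTS = {25}                 # assumption: extend if other ports are in scope

# Constructed sample lines in the 302013 "Built outbound TCP connection" layout:
# for <if>:<dst>/<port> (<mapped>) to <if>:<src>/<port> (<mapped src>/<port>)
SAMPLE_LOG = """\
Feb 20 2014 12:40:01: %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:192.168.10.1/40112 (1.1.1.2/40112)
Feb 20 2014 12:40:07: %ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.80/25 (203.0.113.80/25) to inside:192.168.10.57/51300 (1.1.1.1/51300)
Feb 20 2014 12:40:09: %ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.90/443 (203.0.113.90/443) to inside:192.168.10.57/51301 (1.1.1.1/51301)
Feb 20 2014 12:41:15: %ASA-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:192.168.10.1/40113 (1.1.1.1/40113)
"""

BUILT_RE = re.compile(
    r"%ASA-6-302013: Built outbound TCP connection \d+ for "
    r"[\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) to "
    r"[\w-]+:(?P<src>[\d.]+)/\d+ \((?P<mapped>[\d.]+)/\d+\)"
)

Finding = namedtuple("Finding", "kind src mapped dst")


def audit(log_text):
    """Return findings for outbound SMTP that breaks the intended policy."""
    findings = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if not m or int(m["dport"]) not in SMTP_PORTS:
            continue  # not an outbound SMTP connection build
        src, mapped, dst = m["src"], m["mapped"], m["dst"]
        if src not in MAIL_SERVERS:
            # An inside host is talking SMTP directly instead of relaying.
            findings.append(Finding("unauthorized-smtp-source", src, mapped, dst))
        elif mapped != SMTP_PUBLIC_IP:
            # Mail server traffic fell through to the default NAT.
            findings.append(Finding("mail-server-wrong-nat", src, mapped, dst))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.kind}: {f.src} -> {f.dst}:25 translated as {f.mapped}")
```
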

This archive was generated by hypermail 2.2.0 : Sat Mar 01 2014 - 08:41:48 ART