Re: Cisco ASA: Nating SMTP traffic to a second public IP

From: Charlie CA <spycharlies_at_gmail.com>
Date: Thu, 20 Feb 2014 13:18:38 -0700

Thanks guys for your inputs so far. Exactly what Marc said is what is
happening: our primary public IP keeps getting blacklisted. This is the
reason I am looking for a solution to route our mail server via another IP.

Like I mentioned before, as much as I would love to permit only our mail
server to send SMTP traffic, we have a couple of contractors, all doing
push email to their mail servers; blocking SMTP would cause them
headaches, they would have to go through a web browser (Outlook Web Access) to
access email... a lot of politics involved!

We have a block of public IPs all going out through the same outside
interface; by the way, 9.0 ASA code.

NAT looks like a possible solution.

!!!!!!!!!!!!!!!! Current Internet NAT Statement

object network obj_Internet
 subnet 0.0.0.0 0.0.0.0
object network obj_Internet
 nat (inside,outside) dynamic interface

I am thinking maybe it's possible to create a funky NAT statement that
matches SMTP from the SMTP server, then NAT it to another public IP.

On Thu, Feb 20, 2014 at 11:54 AM, Henrique Reis <reis.henrique_at_gmail.com> wrote:

> Follow an example:
>
>
>                        out2 --- 172.16.1.0/24 --- .3 ISP2 (used for SMTP only)
>                       /
> 192.0.2.0/24 - dmz - ASA
>                       \
>                        out1 --- 10.48.66.0/23 --- .1 ISP1 (primary)
>
>
> route out1 0.0.0.0 0.0.0.0 10.48.66.1 1
> route out2 0.0.0.0 0.0.0.0 172.16.1.3 2
> !
> static (dmz,out2) 172.16.1.11 192.0.2.1 netmask 255.255.255.255
> static (out2,dmz) tcp 0.0.0.0 telnet 0.0.0.0 telnet netmask 0.0.0.0
> !
> nat (dmz) 1 0.0.0.0 0.0.0.0
> global (out1) 1 interface
> !
> access-list SRV extended permit tcp any host 172.16.1.11 eq telnet
> access-group SRV in interface out2
> !
> sysopt noproxyarp dmz
>
>
> Best regards,
> Henrique Reis
>
>
> On Thu, Feb 20, 2014 at 2:57 PM, Shaughn <maniac.smg_at_gmail.com> wrote:
>
>> On the ASA it is possible.
>>
>> Create an ACL matching SMTP from that host out.
>>
>> Create another NAT entry matching that ACL and set it to use another
>> outgoing NAT IP (2), for example.
>>
>> I can send configs later on how to do it.
>>
>>
>> CCIE # 23962 (SP)
>>
>> Sent from my iPhone
>>
>> > On 20 Feb 2014, at 7:52 PM, Charlie CA <spycharlies_at_gmail.com> wrote:
>> >
>> > Hi Experts, was wondering if this is even possible on a Cisco ASA or
>> > possibly someone could give me a hint.
>> >
>> >
>> > I have a scenario here whereby I would want all my SMTP traffic (SMTP
>> > server IP 192.168.10.1) to go through a second public IP (assume
>> > 1.1.1.2), while all internet traffic continues to go through the
>> > primary IP (1.1.1.1).
>> >
>> >
>> > A quick solution would have been to only permit the SMTP server from
>> > sending SMTP, but this is not possible as we have a couple of mobile
>> > devices doing push email; so permitting only the SMTP server would be
>> > a nightmare.
>> >
>> > I know ASA can't do policy routing, is this possible?
>> >
>> >
>> > Thanks
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html

Received on Thu Feb 20 2014 - 13:18:38 ART
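What Shaughn describes (match SMTP from the mail server, then translate only that traffic to a second public IP), written in the post-8.3 NAT syntax that applies to the 9.0 code Charlie is running. This is an added example, not a config from anyone in the thread; it uses the addresses from Charlie's first mail (mail server 192.168.10.1, second public IP 1.1.1.2) and assumes 1.1.1.2 is in the outside interface's subnet or routed to the ASA. The object names and the destination address used in the packet-tracer check are assumptions.

```cisco
! Added example (not from the thread): manual NAT for outbound SMTP only.
! Addresses from the thread: mail server 192.168.10.1, second public IP 1.1.1.2.
! Object names are assumptions.
object network obj-mailserver
 host 192.168.10.1
object network obj-mail-public
 host 1.1.1.2
object service svc-smtp
 service tcp destination eq smtp
!
! Manual (twice) NAT lands in section 1 and is evaluated before the
! existing auto NAT "nat (inside,outside) dynamic interface" in section 2,
! so only TCP/25 from the mail server is translated to 1.1.1.2. Everything
! else, including the contractors' push mail, keeps using the interface address.
nat (inside,outside) source dynamic obj-mailserver obj-mail-public service svc-smtp svc-smtp
!
! Checks. The destination 198.51.100.25 is a constructed example address.
! Expect the NAT phase of the first trace to show 192.168.10.1 -> 1.1.1.2,
! and the second trace (port 443 from the same host) to use the interface IP.
show nat detail
packet-tracer input inside tcp 192.168.10.1 1025 198.51.100.25 25
packet-tracer input inside tcp 192.168.10.1 1025 198.51.100.25 443
```

The rule only changes the source address of outbound SMTP; inbound mail delivery to 1.1.1.2 would need its own translation, and since the thread is about blacklisting, the PTR and SPF records for 1.1.1.2 are worth setting up before cutting over.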

This archive was generated by hypermail 2.2.0 : Sat Mar 01 2014 - 08:41:48 ART