+1 here,
if the contractor wants to use his own MTA, then they should be using
SMTP on port 587 to their home server, not 25.
-Carlos
marc abel @ 20/02/2014 15:46 -0300 dixit:
> One more comment. As a matter of security, SMTP should be denied from all
> inside hosts except your mail servers. Have the mobile clients relay
> through the servers. This will keep you from getting your IP address SPAM
> blacklisted every time someone gets a mass mailing virus.
>
>
> On Thu, Feb 20, 2014 at 12:42 PM, marc abel <marcabel_at_gmail.com> wrote:
>
>> If the two public IP addresses are on the same interface then it should be
>> as simple as creating a static NAT specific to the SMTP ports, and then
>> letting everything else hit the default NAT. If the Public IPs were on
>> different interfaces of the ASA then you are in a situation where PBR type
>> behavior would be needed. You used to be able to do this in some versions
>> of 8.x code. The order of operations was such that the NAT would get
>> processed before the route lookup so you could use this to do a PBR of
>> sorts.
>>
>> This was changed in version 9 or 9.1 and not well documented. I got burned
>> pretty bad when this functionality would no longer work after an upgrade.
>>
>>
>> On Thu, Feb 20, 2014 at 11:52 AM, Charlie CA <spycharlies_at_gmail.com> wrote:
>>
>>> Hi Experts, was wondering if this is even possible on a Cisco ASA or
>>> possibly someone could give me a hint.
>>>
>>>
>>> I have a scenario here whereby, I would want all my SMTP traffic (SMTP
>>> Server IP 192.168.10.1) to go through a second public IP (assume 1.1.1.2),
>>> while all internet traffic continues to go through the primary IP
>>> (1.1.1.1).
>>>
>>>
>>> A quick solution would have been to only permit the SMTP server from
>>> sending smtp but this is not possible as we have a couple of mobile
>>> devices doing push email; so just permit only the smtp server would be a
>>> nightmare.
>>>
>>> I know ASA can't do policy routing, is this possible?
>>>
>>>
>>> Thanks
>>
>>
>> --
>> Marc Abel
>> CCIE #35470
>> (Routing and Switching)
>>
>
>
>
--
Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina

Received on Fri Feb 21 2014 - 08:52:35 ART
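Added example (not part of the thread): a Python check for the policy marc abel describes, run over ASA 302013 connection-build syslog lines to find inside hosts other than the mail server that open outbound port 25. The log lines are constructed and the function name `rogue_smtp` is an assumption; 192.168.10.1, 1.1.1.1 and 1.1.1.2 come from the original question.

```python
import re
from collections import Counter

# ASA syslog 302013 ("Built outbound TCP connection"): the outside peer is
# listed first, then the inside host with its mapped address in parentheses.
BUILT = re.compile(
    r"%ASA-6-302013: Built outbound TCP connection \d+ for "
    r"(?P<out_if>\S+?):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) to "
    r"(?P<in_if>\S+?):(?P<src>[\d.]+)/\d+ \((?P<mapped>[\d.]+)/\d+\)"
)

MAIL_SERVERS = {"192.168.10.1"}  # SMTP server address from the thread
SMTP_PORT = 25                   # relay port; 587 (submission) is not flagged


def rogue_smtp(lines, mail_servers=MAIL_SERVERS):
    """Count outbound port-25 connections per (inside host, mapped public IP)
    for inside hosts that are not approved mail servers."""
    hits = Counter()
    for line in lines:
        m = BUILT.search(line)
        if not m or int(m["dport"]) != SMTP_PORT:
            continue  # not a connection-build line, or not SMTP relay
        if m["src"] in mail_servers:
            continue  # approved relay
        hits[(m["src"], m["mapped"])] += 1
    return hits


# Constructed sample log lines; destinations use documentation address ranges.
SAMPLE = [
    "%ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.10/25 "
    "(203.0.113.10/25) to inside:192.168.10.1/40001 (1.1.1.2/40001)",
    "%ASA-6-302013: Built outbound TCP connection 102 for outside:198.51.100.7/25 "
    "(198.51.100.7/25) to inside:192.168.10.57/51234 (1.1.1.1/51234)",
    "%ASA-6-302013: Built outbound TCP connection 103 for outside:198.51.100.8/25 "
    "(198.51.100.8/25) to inside:192.168.10.57/51235 (1.1.1.1/51235)",
    "%ASA-6-302013: Built outbound TCP connection 104 for outside:203.0.113.25/587 "
    "(203.0.113.25/587) to inside:192.168.10.80/52000 (1.1.1.1/52000)",
    "%ASA-6-302014: Teardown TCP connection 102 for outside:198.51.100.7/25 to "
    "inside:192.168.10.57/51234 duration 0:00:02 bytes 512 TCP FINs",
]

if __name__ == "__main__":
    for (host, public_ip), count in rogue_smtp(SAMPLE).most_common():
        print(f"{host} sent SMTP via {public_ip}: {count} connection(s)")
```

The mapped address in each hit shows which public IP would take the reputation damage if the host is sending bulk mail.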