[f-nsp] serveriron traffic flow for SMTP

Jimmy Stewpot mailers at oranged.to
Thu Jul 29 01:43:15 EDT 2010


Hello,

I currently have a problem which I am trying to find a simple solution to. I am hoping that someone here will be able to provide some tips. We have an SMTP VIP which has two real servers associated with it. In front of the load balancer we have a Cisco ASA firewall which has permit rules for SMTP to both real servers and the VIP on port 25 in both directions. The inbound email comes to port 25 on the VIP and then gets load balanced to the respective real servers without any problems. However, the return connection comes back directly to the gateway which resides on the ASA. The problem is that the ASA then has no session and rejects the SYN ACK, and the connections are not established. The simple solution is to use source-nat, but that removes any possible use of RBLs and blacklists because every source address appears as the VIP IP.

Is there any easy way around that while still allowing us to have the SMTP restrictions required (e.g. RBLs etc.)?


sh ver
  SW: Version 10.2.01nTI4 Copyright (c) 1996-2007 Foundry Networks, Inc.
      Compiled on Feb 01 2010 at 20:02:55 labeled as WJR10201n
  HW: Stackable Router, SYSIF version 21, Serial #: Non-exist

Regards,

Jimmy Stewpot.