[f-nsp] RES: serveriron traffic flow for SMTP

George B. georgeb at gmail.com
Thu Jul 29 23:20:26 EDT 2010


ASA supports asymmetric routing in version 8.2(1) and later.

You will need to configure TCP state bypass on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html

On Thu, Jul 29, 2010 at 6:40 PM, wolfz <lobo at netadm.com.br> wrote:

> Jimmy,
>
>        Do you enable DSR?
>
> Regards,
>
>
>
> -----Original Message-----
> From: foundry-nsp-bounces at puck.nether.net
> [mailto:foundry-nsp-bounces at puck.nether.net] On behalf of Jimmy Stewpot
> Sent: Thursday, July 29, 2010 4:29 AM
> To: Jimmy Stewpot
> Cc: foundry-nsp at puck.nether.net
> Subject: Re: [f-nsp] serveriron traffic flow for SMTP
>
> Hi All,
>
> When I set the servers' default gateway to the VIP IP rather than the router
> IP, the system began to function as I had hoped.
>
> Regards,
>
> Jimmy.
>
> ----- Original Message -----
> From: "Jimmy Stewpot" <mailers at oranged.to>
> To: foundry-nsp at puck.nether.net
> Sent: Thursday, 29 July, 2010 3:43:15 PM
> Subject: [f-nsp] serveriron traffic flow for SMTP
>
> Hello,
>
> I currently have a problem which I am trying to find a simple solution to. I
> am hoping that someone here will be able to provide some tips. We have an
> SMTP VIP which has two real servers associated with it. In front of the
> load balancer we have a Cisco ASA firewall which has permit rules for SMTP
> to both real servers and the VIP on port 25 in both directions. The inbound
> email comes to port 25 on the VIP and then gets load balanced to the
> respective real servers without any problems. However, the return connection
> comes back directly to the gateway, which resides on the ASA. The problem is
> that the ASA then has no session and rejects the SYN ACK, and the connections
> are not established. The simple solution is to use source-nat, but that
> removes any possible use of RBLs and blacklists because every source
> address appears as the VIP IP.
>
> Is there any easy way around that while still allowing us to have the SMTP
> restrictions required (e.g. RBLs etc.)?
>
>
> sh ver
>  SW: Version 10.2.01nTI4 Copyright (c) 1996-2007 Foundry Networks, Inc.
>      Compiled on Feb 01 2010 at 20:02:55 labeled as WJR10201n
>  HW: Stackable Router, SYSIF version 21, Serial #: Non-exist
>
> Regards,
>
> Jimmy Stewpot.
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>
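
The TCP state bypass configuration referred to at the top of this message, written out as an added example (not from any poster in this thread), using the ASA 8.2 modular policy framework commands. The addresses 192.0.2.11 and 192.0.2.12, the interface name "inside" and all object names are constructed placeholders for the two real servers and the server-facing interface.

```cisco
! Constructed values: 192.0.2.11 / 192.0.2.12 stand in for the two real
! servers, "inside" for the server-facing interface (assumptions).
!
! Match only the return half of SMTP sessions: source port 25 on the
! real servers, nothing else. Every flow matched here loses stateful checks.
access-list SMTP_RETURN_BYPASS extended permit tcp host 192.0.2.11 eq smtp any
access-list SMTP_RETURN_BYPASS extended permit tcp host 192.0.2.12 eq smtp any
!
class-map SMTP_RETURN_BYPASS_CLASS
 description SMTP replies the ASA never saw a SYN for
 match access-list SMTP_RETURN_BYPASS
!
policy-map SMTP_RETURN_BYPASS_POLICY
 class SMTP_RETURN_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the out-of-state SYN ACK arrives,
! not globally.
service-policy SMTP_RETURN_BYPASS_POLICY interface inside
```

Flows matched by this class are not subject to application inspection, TCP normalization, sequence number randomization or embryonic connection limits, so the access list should stay as narrow as shown. `show conn` marks bypassed connections with the `b` flag, which gives a quick check that only the intended traffic is taking this path.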