[f-nsp] RES: serveriron traffic flow for SMTP

George B. georgeb at gmail.com
Thu Jul 29 23:21:42 EDT 2010


Oh, and configure the load balancer for DSR.

Or just set the default back to the load balancer, like you did already.

On Thu, Jul 29, 2010 at 8:20 PM, George B. <georgeb at gmail.com> wrote:

> ASA supports asymmetric routing in version 8.2(1) and later.
>
> You will need to configure TCP state bypass on the ASA
>
>
> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
>
>
>
>
> On Thu, Jul 29, 2010 at 6:40 PM, wolfz <lobo at netadm.com.br> wrote:
>
>> Jimmy,
>>
>>        Do you enable DSR?
>>
>> Regards,
>>
>>
>>
>> -----Original Message-----
>> From: foundry-nsp-bounces at puck.nether.net
>> [mailto:foundry-nsp-bounces at puck.nether.net] On behalf of Jimmy Stewpot
>> Sent: Thursday, July 29, 2010 4:29 AM
>> To: Jimmy Stewpot
>> Cc: foundry-nsp at puck.nether.net
>> Subject: Re: [f-nsp] serveriron traffic flow for SMTP
>>
>> Hi All,
>>
>> When I set the server's default gateway to the VIP IP rather than the
>> router IP the system began to function as I had hoped.
>>
>> Regards,
>>
>> Jimmy.
>>
>> ----- Original Message -----
>> From: "Jimmy Stewpot" <mailers at oranged.to>
>> To: foundry-nsp at puck.nether.net
>> Sent: Thursday, 29 July, 2010 3:43:15 PM
>> Subject: [f-nsp] serveriron traffic flow for SMTP
>>
>> Hello,
>>
>> I currently have a problem which I am trying to find a simple solution to.
>> I am hoping that someone here will be able to provide some tips. We have an
>> SMTP VIP which has two real servers associated with it. In front of the
>> load balancer we have a Cisco ASA firewall which has permit rules for SMTP
>> to both real servers and the VIP on port 25 in both directions. The inbound
>> email comes to port 25 on the VIP and then gets load balanced to the
>> respective real servers without any problems. However, the return
>> connection comes back directly to the gateway which resides on the ASA.
>> The problem is that the ASA then has no session and rejects the SYN/ACK
>> and the connections are not established. The simple solution is to use
>> source NAT, but that removes any possible use of RBLs and blacklists
>> because every source address appears as the VIP IP.
>>
>> Is there any easy way around that while still allowing us to have the SMTP
>> restrictions required (e.g. RBLs etc.)?
>>
>>
>> sh ver
>>  SW: Version 10.2.01nTI4 Copyright (c) 1996-2007 Foundry Networks, Inc.
>>      Compiled on Feb 01 2010 at 20:02:55 labeled as WJR10201n
>>  HW: Stackable Router, SYSIF version 21, Serial #: Non-exist
>>
>> Regards,
>>
>> Jimmy Stewpot.
>> _______________________________________________
>> foundry-nsp mailing list
>> foundry-nsp at puck.nether.net
>> http://puck.nether.net/mailman/listinfo/foundry-nsp
>>
>
>
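An added example, not code from the thread or from Foundry/Cisco, modelling the session check Jimmy ran into: the toy ASA below forwards a SYN/ACK only if it matches a flow created by an earlier SYN, so a reply that leaves the real server with its own source address (default gateway on the ASA) is dropped, while a reply that returns through the ServerIron (gateway set to the VIP), one sent from the VIP under DSR, or any reply with TCP state bypass enabled gets through. The addresses, the mode names and the bypass flag are assumptions for the demo.

```python
from dataclasses import dataclass

# Constructed placeholder addresses for the topology in the thread.
CLIENT, VIP, REAL1 = "198.51.100.10", "203.0.113.25", "10.0.0.11"

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK

class StatefulFirewall:
    """Toy ASA: an inbound SYN creates a flow; every later packet must match
    a known flow in either direction or it is dropped. TCP state bypass is
    modelled as a flag that skips the check. Sequence-number validation,
    which a real ASA also does, is left out."""

    def __init__(self, tcp_state_bypass=False):
        self.flows = set()
        self.bypass = tcp_state_bypass

    def forward(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":  # allowed by the tcp/25 permit rule: create flow
            self.flows.add(fwd)
            return True
        return self.bypass or fwd in self.flows or rev in self.flows

def server_reply(syn, mode):
    """SYN/ACK as the ASA sees it. direct: real server's default gateway is
    the ASA, so the reply carries the real server's own IP. via_lb: gateway
    is the VIP, so the ServerIron rewrites the source back to the VIP.
    dsr: the real server holds the VIP itself and answers from it."""
    src = REAL1 if mode == "direct" else VIP
    return Pkt(src, 25, syn.src, syn.sport, "SA")

def run(mode, bypass=False):
    """True if the SYN/ACK of one inbound SMTP connection passes the ASA."""
    fw = StatefulFirewall(tcp_state_bypass=bypass)
    syn = Pkt(CLIENT, 40001, VIP, 25, "S")
    fw.forward(syn)  # client SYN to the VIP; ServerIron then NATs it to REAL1
    return fw.forward(server_reply(syn, mode))
```

Running `run("direct")` reproduces the dropped SYN/ACK; `run("via_lb")`, `run("dsr")` and `run("direct", bypass=True)` each let the connection complete.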