<span class="content"></span><a name="asym"><b> </b>ASA supports Asymmetric routing in version 8.2(1) and later.<br><br>You will need to configure TCP state bypass on the ASA<br><br>http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html<br>
<br><br><br></a><br><div class="gmail_quote">On Thu, Jul 29, 2010 at 6:40 PM, wolfz <span dir="ltr"><<a href="mailto:lobo@netadm.com.br">lobo@netadm.com.br</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Jimmy,<br>
<br>
Do you enable DSR?<br>
<br>
Regards,<br>
<br>
<br>
<br>
-----Mensagem original-----<br>
De: <a href="mailto:foundry-nsp-bounces@puck.nether.net">foundry-nsp-bounces@puck.nether.net</a><br>
[mailto:<a href="mailto:foundry-nsp-bounces@puck.nether.net">foundry-nsp-bounces@puck.nether.net</a>] Em nome de Jimmy Stewpot<br>
Enviada em: Thursday, July 29, 2010 4:29 AM<br>
Para: Jimmy Stewpot<br>
Cc: <a href="mailto:foundry-nsp@puck.nether.net">foundry-nsp@puck.nether.net</a><br>
Assunto: Re: [f-nsp] serveriron traffic flow for SMTP<br>
<div><div></div><div class="h5"><br>
Hi All,<br>
<br>
When I set the servers default gateway to the VIP IP rather than the router<br>
IP the system began to function as I had hoped.<br>
<br>
Regards,<br>
<br>
Jimmy.<br>
<br>
----- Original Message -----<br>
From: "Jimmy Stewpot" <<a href="mailto:mailers@oranged.to">mailers@oranged.to</a>><br>
To: <a href="mailto:foundry-nsp@puck.nether.net">foundry-nsp@puck.nether.net</a><br>
Sent: Thursday, 29 July, 2010 3:43:15 PM<br>
Subject: [f-nsp] serveriron traffic flow for SMTP<br>
<br>
Hello,<br>
<br>
I currently have a problem which I am trying to find a simple solution to. I<br>
am hoping that someone here will be able to provide some tips. We have an<br>
SMTP VIP which has two real servers associated with them. In front of the<br>
Load balancer we have a Cisco ASA firewall which has permit rules for SMTP<br>
to both real servers and the VIP on port 25 both directions. The inbound<br>
email comes to port 25 on the VIP and then gets load balanced to the<br>
respective real servers without any problems. However the return connection<br>
comes back directly to the gateway which resides on the ASA. The problem is<br>
that the ASA then has no session and rejects the SYN ACK and the connections<br>
are not established. The simple solution is to use source-nat but that<br>
removes any possible use of rbl's and black lists because every source<br>
address appears as the VIP IP.<br>
<br>
Is there any easy way around that while still allowing us to have the smtp<br>
restrictions required (e.g. rbls etc).<br>
<br>
<br>
sh ver<br>
SW: Version 10.2.01nTI4 Copyright (c) 1996-2007 Foundry Networks, Inc.<br>
Compiled on Feb 01 2010 at 20:02:55 labeled as WJR10201n<br>
HW: Stackable Router, SYSIF version 21, Serial #: Non-exist<br>
<br>
Regards,<br>
<br>
Jimmy Stewpot.<br>
_______________________________________________<br>
foundry-nsp mailing list<br>
<a href="mailto:foundry-nsp@puck.nether.net">foundry-nsp@puck.nether.net</a><br>
<a href="http://puck.nether.net/mailman/listinfo/foundry-nsp" target="_blank">http://puck.nether.net/mailman/listinfo/foundry-nsp</a><br>
_______________________________________________<br>
foundry-nsp mailing list<br>
<a href="mailto:foundry-nsp@puck.nether.net">foundry-nsp@puck.nether.net</a><br>
<a href="http://puck.nether.net/mailman/listinfo/foundry-nsp" target="_blank">http://puck.nether.net/mailman/listinfo/foundry-nsp</a><br>
<br>
_______________________________________________<br>
foundry-nsp mailing list<br>
<a href="mailto:foundry-nsp@puck.nether.net">foundry-nsp@puck.nether.net</a><br>
<a href="http://puck.nether.net/mailman/listinfo/foundry-nsp" target="_blank">http://puck.nether.net/mailman/listinfo/foundry-nsp</a><br>
</div></div></blockquote></div><br>