Thoughts on ESA with only one NIC setup

Hi,

I've always used at least two NICs on every mail gateway I've set up, regardless of brand. Now our network department wants to change the network designs and force us to use only one NIC and IP address.

In my mind it will be a bad design, I like to have an "inside" and an "outside", it feels easier and more secure. Also when it comes to rules, policies and filters, ports etc for incoming and outgoing mail it feels easier to have two interfaces. Is it a supported design for all models of ESA?

I might be old fashioned and narrow minded, so I thought I'd ask the experts in the community for pros and cons.

Regards

Michael

9 Replies

balaji.bandi
Hall of Fame

Sure, never done it myself, but check this guide:

In this example, the "BiDirectional" interface will both receive email off the Internet and send outbound email.

https://www.cisco.com/c/dam/en/us/products/collateral/security/esa-and-msa-comprehensive.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi, thank you for your answer. I know it's doable, but I was more interested in your thoughts about it, pros and cons, good or bad design etc.

Regards

Micke

For pros and cons, contacting Cisco TAC can help you (each pro and con depends on the environment).

In most use cases we cannot deploy 100% CVD; there are always deviations in the design based on a lot of other factors. So we should know the risk, understand what we are doing, and carry on based on availability.

BB


You can do it on one NIC. I always set up 2 listeners on different ports, one public on port 25, one private on some other port.


I am also not a fan... but it works fine.

Ours is also a 1-NIC setup with like 6 listeners on different ports. I understand the mentality, but for us it's all behind a firewall that handles the NAT and access. We also use an F5 internally to load balance, so direct access is limited. Our old engineer hated "wasting ports" and did this with a lot of the stuff. Either works, and it's really just down to how you want to do it.

I concur with Dustin in that it gets down to how you want to do it... chances are you're not going to overload the interface...

You might think about what it looks like if someone comes after you... will they be able to figure out what you did and why? So clarity in naming the interfaces/listeners/etc. is key.

I personally would push back on the network team...  Why should you confuse things?

"chances are you're not going to overload the interface... "

Honestly, if that is a factor you should have more ESAs. We have 3x C395s and we receive about 140K/day emails and send about the same. The only reason we have 3 is we can update one to test code and still have redundancy if it dies. We don't have them clustered, so it does mean doing config 3 times if you change something.

Right?! I didn't say it but was thinking it.
And at this point it's VMs... not hardware. Spin up as many as you need...


Thank you all for your thoughts.

Regards

Micke