Screen OS

Hi,

I have  slight issue in configureing the PBR's on a SSG-140, please refer the attached diagram. I have 2 ISP links onto the SSG-140 for Inbound and Outbound  E-Mails and Outbound Internet access. I want to achieve the following -

1. All outbound EMails and DNS querries for email routeing from the mail servers   should be sent via the ISP-1

1.1 In an event of ISP-1 Link is Down All the Outbound Emails and DNS Querries for email routeing from the mail servers  Should  go through ISP-2 

2. All the Outbound Internet Access Via Proxy-1 and Proxy-2 and the DNS querries from Proxy1/2  should be sent via ISP-2

2.1 In an event of ISP-2 Link is Down the  Proxy-1 and Proxy-2 should route their requests via ISP-1

I belive the way forward for the above is through PBR's can somebody please enlighten me as to the best way to setup the PBR;s cos it;s a bit cryptic for me .... All necessary MX records and Reverse MX Records are in place for EMails and outbound and inbound emails have no issue as of now..

Appreciate any help please....

Many Thanks,

Ruwini...

 EWIS - Sri Lanka

Hi,

One thing i would like to mention that with PBR u can control that outbound mail traffic pass through isp1 and proxy traffic pass through isp 2 but u can not configure failover i mean if isp 1 is down then all mail traffic now should pass through isp2.

U can achieve failover over with policy based routing using souce based routing. For example ur proxy server should have private ip lets say 192.168.1.110. u can use source based routing :

source 192.168.1.110 then next hop isp1 with metric 1

source 192.168.1.110 then next hop isp2 with metric 2

U also need to track both isp1 and isp2 using ip tracking so that link failover is detected by firewall and first route with metric 1 become inactive and second route with metric 2 is active.

U can repeat same procedure for outgoing smtp traffic

Hope this helps

Thanks

Dear Rana,

well boss if there is a different scenerio that....

Branch ofc----------Head office------Internet. (2 internet connection) (ISP-1, ISP-2)

if we have an ISA server at headoffice with the IP of 1.1.1.1/32 . and we uses Source-Based-Routing (for ISP-1) at Headoffice, like 1.1.1.1/32 -- >  gateway 10.1.1.1 -- > interface eth0/3.

the Branch office will not access the ISA server at Headoffice after the Source-Based-Routing. if I disable the SBR from the Headoffice, then the BRanchoffice starts pinging the ISA Address 1.1.1.1 .

PBR also not working in this scenerio, can you kindly help me out on this scenerio ?

fast reply will be appritiated.

Haider Ali

Hello,

I guess the problem may be due to asymmetric routing.

Can u tell me the routing table  for isp1 and isp2 of ur headoffice SSG?

Thanks

HEadoffice have 2 default routes to internet, 1 is from ISP-1, and the other is from ISP-2.

no else routes are there other than connected.

Hi rana,

In Ruwini's scenario We have 2 ISPs - ISP1 & ISP2. We have mx records in both ISPs. All emails should be received through ISP1 and sending also through ISP1. 

Then, All the Internet traffic should go through ISP2 all the time.

If ISP1 mail sending or recieving fails, mails sending & receiving should work through ISP2.

If anyone have an idea, pls let us know with an example.

Thanks.

Chaturanga.