Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

ASA 5505 - Newbie - Static Route Issue

I have an ASA 5505 v7.2(2)

Can someone please clarify this for me.

Setting: static (inside,outside) XXX.XXX.XXX.XXX netmask

Result: Cisco VPN Client can connect and smtp traffic does not pass    

Setting: static (inside,outside) interface netmask

Result: smtp traffic passes but VPN Clients can't connect.

I have way more time into this than I would like to admit.

Thank you,



If the interface IP is used in a 1-to-1 NAT with an inside host then the IPSEC session will be forwared to that inside address; I'm assuming your email server.  If you only have one public IP you can try a PAT (Port address Translation) intsead.  If you are using version 8.2 or older try something like this:

static (inside,outside) tcp XXX.XXX.XXX.XXX 25 25 netmask




Thank you for your post. What Static Routes would I have to add to get the Cisco VPN client IPSEC/UDP working?

Thanks again,




That should fix both problems.  Keep in mind these are not static routes; they are static translations on the ASA.  Static routes are in reference to seting a next hop at the IP (network) layer versus translating a public address to a private address.

The translation above will forward TCP port 25 to your mail server.  The ASA interface won't need a translation and will be listening for IKE (UDP port 500) and IPSEC (UDP port 4500 and ESP protocol number 50).

If you could spare a dedicated public IP for you mail server it would work out better; especially since reverse DNS is so critical in regard to the helo message your mail server sends at connection establishment.  If these don't match your traffic will often be deemed spam.




You are correct dropping my old static route and using static translation for smtp and other services did get everything flowing. I just finished testing. We have a block of 5 ip's so I should be able to dedicate 1 to mail traffic.

Thank you again for your fast and accurate response.




I thought I had this beat last night. Sadly not! Can you please have a peek at my config file. I'm signing up for classes as soon as I can, this is driving me nuts.

Thank you,


: Saved


ASA Version 7.2(2)


hostname NutmegASA

domain-name default.domain.invalid

enable password ************* encrypted



interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address XXX.XXX.28.13


interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


passwd ****************** encrypted

boot system disk0:/asa722-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list fw extended permit tcp any any eq pop3

access-list fw extended permit tcp any any eq imap4

access-list fw extended permit tcp any any eq https

access-list fw extended permit tcp any any eq smtp

access-list fw extended permit tcp any any eq 4125

access-list inside_nat0_outbound extended permit ip any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool ippool mask

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

static (inside,outside) tcp XXX.XXX.28.13 smtp smtp netmask

access-group fw in interface outside

route outside XXX.XXX.28.14 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa-server DefaultRAGroup protocol radius

aaa-server DefaultRAGroup host

timeout 5

key D1gital!

group-policy NutmegVPNgrp internal

group-policy NutmegVPNgrp attributes

wins-server value

dns-server value

vpn-tunnel-protocol IPSec

username nutmegadmin password *********** encrypted privilege 15

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

tunnel-group NutmegVPNgrp type ipsec-ra

tunnel-group NutmegVPNgrp general-attributes

address-pool ippool

authentication-server-group DefaultRAGroup

default-group-policy NutmegVPNgrp

tunnel-group NutmegVPNgrp ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside



class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect http


service-policy global_policy global

prompt hostname context


: end

asdm image disk0:/asdm-522.bin

no asdm history enable




Is it mail, IPSEC or something else that's not working? If it's a mail problem is it sending mail or receiving mail that is troublesome?

Another thing to attempt with the static command is to use the keyword 'interface' if it will let you with PAT; I can't recall.

static (inside,outside) tcp interface 25 25 netmask



Hi Chris.

SMTP Inbound is the issue with the current config. I will test the Interface vs IP.

Thank you,




The keyword interface was usable, but SMTP inbound traffic was blocked as soon as I applied the PAT.

Thank you,




What is the FQDN address for your mail server? If it is not pointing to the

interface IP, then it will not work. Also, you need to make sure that

outside devices are contacting your mail server on port 25 alone. Do you

have any mail relay on the outside through which you are getting the mails?

Can you check the port settings and make sure that we are configuring the

correct port here?





It was my access-list. I used the "interface outside" instead of "any" and it worked.

Wrong entry - access-list fw extended permit tcp any any eq smtp

Working Entry - access-list fw extended permit tcp any interface outside eq smtp

Thank you for your quick replies and knowledge, without it I would probably be bashing my head against an old monster crt.