ASA 5505 - Newbie - Static Route Issue

mike
Level 1

I have an ASA 5505 v7.2(2)

Can someone please clarify this for me.

Setting: static (inside,outside) XXX.XXX.XXX.XXX 192.168.16.3 netmask 255.255.255.255

Result: Cisco VPN Client can connect and smtp traffic does not pass

Setting: static (inside,outside) interface 192.168.16.3 netmask 255.255.255.255

Result: smtp traffic passes but VPN Clients can't connect.

I have way more time into this than I would like to admit.

Thank you,

Mike

10 Replies

gatlin007
Level 4

If the interface IP is used in a 1-to-1 NAT with an inside host then the IPSEC session will be forwarded to that inside address; I'm assuming your email server.  If you only have one public IP you can try a PAT (Port Address Translation) instead.  If you are using version 8.2 or older try something like this:



static (inside,outside) tcp XXX.XXX.XXX.XXX 25 192.168.16.3 25 netmask 255.255.255.255



Chris

Chris,

Thank you for your post. What Static Routes would I have to add to get the Cisco VPN client IPSEC/UDP working?

Thanks again,

Mike

Mike,


That should fix both problems.  Keep in mind these are not static routes; they are static translations on the ASA.  Static routes are in reference to setting a next hop at the IP (network) layer versus translating a public address to a private address.


The translation above will forward TCP port 25 to your mail server.  The ASA interface won't need a translation and will be listening for IKE (UDP port 500) and IPSEC (UDP port 4500 and ESP protocol number 50).


If you could spare a dedicated public IP for your mail server it would work out better; especially since reverse DNS is so critical in regard to the helo message your mail server sends at connection establishment.  If these don't match your traffic will often be deemed spam.



Chris

Chris,

You are correct; dropping my old static route and using static translation for smtp and other services did get everything flowing. I just finished testing. We have a block of 5 IPs so I should be able to dedicate 1 to mail traffic.

Thank you again for your fast and accurate response.

-Mike

Chris,

I thought I had this beat last night. Sadly not! Can you please have a peek at my config file? I'm signing up for classes as soon as I can; this is driving me nuts.

Thank you,

Mike

: Saved
:
ASA Version 7.2(2)
!
hostname NutmegASA
domain-name default.domain.invalid
enable password ************* encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.16.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.28.13 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ****************** encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list fw extended permit tcp any any eq pop3
access-list fw extended permit tcp any any eq imap4
access-list fw extended permit tcp any any eq https
access-list fw extended permit tcp any any eq smtp
access-list fw extended permit tcp any any eq 4125
access-list inside_nat0_outbound extended permit ip any 172.16.116.96 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool 172.16.116.100-172.16.116.109 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XXX.XXX.28.13 smtp 192.168.16.3 smtp netmask 255.255.255.255
access-group fw in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.28.14 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server DefaultRAGroup protocol radius
aaa-server DefaultRAGroup host 192.168.16.3
 timeout 5
 key D1gital!
group-policy NutmegVPNgrp internal
group-policy NutmegVPNgrp attributes
 wins-server value 192.168.16.3
 dns-server value 192.168.16.3
 vpn-tunnel-protocol IPSec
username nutmegadmin password *********** encrypted privilege 15
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group NutmegVPNgrp type ipsec-ra
tunnel-group NutmegVPNgrp general-attributes
 address-pool ippool
 authentication-server-group DefaultRAGroup
 default-group-policy NutmegVPNgrp
tunnel-group NutmegVPNgrp ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:******************
: end

Mike,


Is it mail, IPSEC or something else that's not working? If it's a mail problem is it sending mail or receiving mail that is troublesome?

Another thing to attempt with the static command is to use the keyword 'interface' if it will let you with PAT; I can't recall.


static (inside,outside) tcp interface 25 192.168.16.3 25 netmask 255.255.255.255



Chris

Hi Chris.

SMTP Inbound is the issue with the current config. I will test the Interface vs IP.

Thank you,

Mike

Chris,

The keyword interface was usable, but SMTP inbound traffic was blocked as soon as I applied the PAT.

Thank you,

Mike

Hello,

What is the FQDN address for your mail server? If it is not pointing to the interface IP, then it will not work. Also, you need to make sure that outside devices are contacting your mail server on port 25 alone. Do you have any mail relay on the outside through which you are getting the mails? Can you check the port settings and make sure that we are configuring the correct port here?

Regards,

NT

Chris,

It was my access-list. I used the "interface outside" instead of "any" and it worked.

Wrong entry - access-list fw extended permit tcp any any eq smtp

Working Entry - access-list fw extended permit tcp any interface outside eq smtp

Thank you for your quick replies and knowledge, without it I would probably be bashing my head against an old monster crt.

-Mike
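Added example, not from the thread and not Cisco code: a small Python model of the two steps a pre-8.3 ASA applies to an inbound packet on the outside interface, which is what Chris's explanation of the 1-to-1 static swallowing the IPSEC session and Mike's final ACL fix both come down to. First a `static` translation decides whether the destination address (and, for static PAT, the port) belongs to an inside host; only packets that were translated are then checked against the ACL applied with `access-group`. It runs the three configurations from the thread against four constructed inbound flows (SMTP, IKE on UDP/500, NAT-T on UDP/4500, ESP). Assumptions: 203.0.113.13 and 203.0.113.10 stand in for the masked XXX.XXX.28.x addresses; mail is delivered to the interface address in every case (the reading of Mike's first setting under which SMTP fails); and the keyword `any` is modelled as matching every destination, which is what it means, so the model explains why the 1-to-1 static broke the VPN and why static PAT does not, not why Mike's `any any` line did not pass mail on his box.

```python
"""Pre-8.3 ASA inbound handling on 'outside': static translation first, then the
interface ACL.  Added example for this thread, not ASA code; public IPs are constructed."""
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IP = "203.0.113.13"     # stands in for the masked XXX.XXX.28.13 (assumption)
SPARE_PUBLIC = "203.0.113.10"   # another address from the /29 (assumption)
MAIL_HOST = "192.168.16.3"
PORT_NAMES = {"smtp": 25, "pop3": 110, "imap4": 143, "https": 443}
ASA_SERVICES = {("udp", 500), ("udp", 4500), ("esp", None)}  # crypto isakmp enable outside

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "esp"
    dst: str                     # destination before any translation
    dport: Optional[int] = None

def port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_static(line: str) -> dict:
    """static (inside,outside) [tcp|udp] <mapped|interface> [mport] <real> [rport] netmask <m>"""
    t = line.split()
    body = t[2:t.index("netmask")]
    if body[0] in ("tcp", "udp"):        # static PAT: claims a single protocol/port
        proto, mapped, mport, real, _ = body
    else:                                # 1:1 static NAT: claims every protocol and port
        proto, mport, (mapped, real) = None, None, body
    mapped = OUTSIDE_IP if mapped == "interface" else mapped
    return {"proto": proto, "mapped": mapped, "mport": port(mport) if mport else None, "real": real}

def parse_acl(line: str) -> dict:
    """access-list <name> extended permit|deny <proto> <src> <dst> [eq <port>]; src/dst may be
    'any', 'host A.B.C.D' or 'interface <nameif>' (resolved to that interface's address)."""
    t = line.split()
    rest = t[5:]
    def take() -> str:
        kind = rest.pop(0)
        if kind == "host":
            return rest.pop(0)
        if kind == "interface":
            return OUTSIDE_IP if rest.pop(0) == "outside" else "?"
        return kind                                  # 'any'
    _src, dst = take(), take()
    dport = port(rest[1]) if rest[:1] == ["eq"] else None
    return {"name": t[1], "permit": t[3] == "permit", "proto": t[4], "dst": dst, "dport": dport}

def translation(statics, pkt: Packet) -> Optional[str]:
    for s in statics:
        if s["mapped"] == pkt.dst and s["proto"] in (None, pkt.proto) and s["mport"] in (None, pkt.dport):
            return s["real"]
    return None

def acl_permits(entries, pkt: Packet) -> bool:
    for e in entries:                                # first match wins
        if e["proto"] in ("ip", pkt.proto) and e["dst"] in ("any", pkt.dst) and e["dport"] in (None, pkt.dport):
            return e["permit"]
    return False                                     # implicit deny at the end of every ACL

def handle(config, pkt: Packet) -> str:
    statics = [parse_static(l) for l in config if l.startswith("static ")]
    acls = [parse_acl(l) for l in config if l.startswith("access-list ")]
    bound = {l.split()[4]: l.split()[1] for l in config if l.startswith("access-group ")}
    real = translation(statics, pkt)
    if real is None:                                 # no inside host claims it: the ASA keeps it
        if (pkt.proto, pkt.dport) in ASA_SERVICES:
            return "terminated by the ASA (IKE/IPsec)"
        return "reaches the ASA, which has no listener: dropped"
    name = bound.get("outside")
    if acl_permits([e for e in acls if e["name"] == name], pkt):
        return f"forwarded to {real}"
    return f"denied by ACL {name}"

def cfg(static_line: str, acl_line: str) -> list:
    return [static_line, acl_line, "access-group fw in interface outside"]

# Mike's first setting: 1:1 NAT on a dedicated public IP.  VPN works; mail sent to the interface IP dies.
MIKE_FIRST = cfg(f"static (inside,outside) {SPARE_PUBLIC} {MAIL_HOST} netmask 255.255.255.255",
                 "access-list fw extended permit tcp any any eq smtp")
# Mike's second setting: 1:1 NAT on the interface IP.  Mail works; IKE/NAT-T/ESP are handed to the mail host.
MIKE_SECOND = cfg(f"static (inside,outside) interface {MAIL_HOST} netmask 255.255.255.255",
                  "access-list fw extended permit tcp any any eq smtp")
# Chris's static PAT plus Mike's final ACL: only TCP/25 goes inside, the VPN stays with the ASA.
CHRIS_PAT = cfg(f"static (inside,outside) tcp interface smtp {MAIL_HOST} smtp netmask 255.255.255.255",
                "access-list fw extended permit tcp any interface outside eq smtp")
INBOUND = {      # constructed inbound flows, all aimed at the interface address
    "smtp": Packet("tcp", OUTSIDE_IP, 25),
    "ike": Packet("udp", OUTSIDE_IP, 500),
    "nat-t": Packet("udp", OUTSIDE_IP, 4500),
    "esp": Packet("esp", OUTSIDE_IP),
}

def report(config) -> dict:
    return {flow: handle(config, pkt) for flow, pkt in INBOUND.items()}

if __name__ == "__main__":
    for label, c in (("first", MIKE_FIRST), ("second", MIKE_SECOND), ("pat", CHRIS_PAT)):
        print(label, report(c))
```

Running it shows the second setting forwarding SMTP but handing IKE, NAT-T and ESP to the mail host, where the ACL (and in practice the mail server) drops them, while the static PAT claims only TCP/25 and leaves the ASA listening for the VPN on its own address. A POP3 or HTTPS connection to the interface IP under the PAT-only config is not claimed by any translation, which is why the ACL lines for those ports in Mike's config do nothing until a matching `static ... tcp` entry exists for each of them.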
