08-30-2010 10:01 AM - edited 03-04-2019 09:36 AM
I have a LAN to LAN VPN tunnel established between a Cisco ASA 5505 and a Cisco 2811, but for some reason, I am unable to get SMTP communication between the two LANs over the tunnel. Do I need to create a specific access rule for SMTP? The 2811's internal IP scheme is 10.4.167.X, and the ASA 5505's internal IP scheme is 192.168.1.0. I've attached the running-configs for both the ASA and the 2811. The tunnel establishes successfully, I can map drives and replicate DNS data without any problems, but cannot send email (SMTP) through the tunnel. Any help would be greatly appreciated.
08-31-2010 11:34 AM
Hello,
Did you remove the existing NAT statement before entering the new one? Also, I noticed that the name of the route-map seems to be different (not SDM_RMAP_1):
CISCO2811(config)#route-map SDM_RMAP_
CISCO2811(config-route-map)#match ip address 104
CISCO2811(config-route-map)#exit
Regards,
NT
08-30-2010 10:32 AM
I have looked through the configs, focusing on the VPN configuration. I do not see obvious issues in the config. So we need to dig a bit deeper into the issue. Can you tell us who (what device/what address) is sending SMTP and to whom it is sending it?
Also to clarify, are we talking real SMTP (mail server to mail server) or are we talking mail client to mail server?
HTH
Rick
08-30-2010 10:44 AM
The mail server resides on the 10.4.167.x network. Its IP is 10.4.167.102. This is the side of the 2811 router. On the other end (with the ASA), I have clients connected to that mail server using Outlook. They can connect to the server successfully to create their Outlook profiles, but when they attempt to send email, an error is generated that there is no SMTP server available. If I go into the ASA network and type: telnet 10.4.167.102 25 (to establish a connection with the SMTP server for SMTP testing purposes), it will not connect, generating an error that reads: Could not open a connection to the host on port 25: Connect failed.
08-30-2010 11:14 AM
Hello,
The issue is due to the NAT rule you have configured:
ip nat inside source static tcp 10.4.167.102 25 <2811 Public IP> 25 extendable
It will force the router to use NAT for all outgoing packets. Please try the following:
access-list 199 deny tcp host 10.4.167.102 eq 25 192.168.1.0 0.0.0.255
access-list 199 permit tcp host 10.4.167.102 eq 25 any
route-map Mail
match ip address 199
exit
ip nat inside source static tcp 10.4.167.102 25 <2811 Public IP> 25 route-map Mail extendable
Hope this helps.
Regards,
NT
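To show why the deny entry in the access-list matters, here is an added model (constructed for this thread, not configuration from the poster or from Cisco) of how a route-map-conditioned static NAT entry is evaluated: the translation is applied only when the referenced ACL permits the packet, so the deny for the VPN subnet leaves the mail server's replies untranslated and they still match the tunnel's interesting traffic. The public IP, the client address and the /24 masks are assumptions.

```python
import ipaddress

# Constructed model (not the thread's configuration) of how IOS decides whether a
# route-map-conditioned static NAT entry translates a packet leaving the inside
# interface. The static entry is applied only when the route-map matches, and a
# route-map matches only when its referenced ACL PERMITS the packet; an explicit
# deny, or the implicit deny at the end of the ACL, leaves the packet untranslated.

PUBLIC_IP = "203.0.113.10"   # placeholder for the 2811 public IP (assumed)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# access-list 199 from the answer above: (action, src, src-wildcard, src-port, dst, dst-wildcard)
ACL_199 = [
    ("deny",   "10.4.167.102", "0.0.0.0", 25, "192.168.1.0", "0.0.0.255"),
    ("permit", "10.4.167.102", "0.0.0.0", 25, "0.0.0.0",     "255.255.255.255"),
]

# Same entry without the VPN exemption: what the original static NAT effectively does.
ACL_NO_EXEMPT = [ACL_199[1]]

def acl_action(acl, src, sport, dst) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, swc, p, d, dwc in acl:
        if wildcard_match(src, s, swc) and sport == p and wildcard_match(dst, d, dwc):
            return action
    return "deny"

def outbound_source(acl, src, sport, dst) -> str:
    """Source address the packet carries after NAT (translated only on a route-map match)."""
    return PUBLIC_IP if acl_action(acl, src, sport, dst) == "permit" else src

def crypto_acl_match(src: str, dst: str) -> bool:
    """Interesting traffic for the LAN-to-LAN tunnel (assumed /24 on both sides)."""
    return (ipaddress.IPv4Address(src) in ipaddress.IPv4Network("10.4.167.0/24")
            and ipaddress.IPv4Address(dst) in ipaddress.IPv4Network("192.168.1.0/24"))

def reply_goes_through_tunnel(acl, dst) -> bool:
    """Mail server's SYN/ACK back to a VPN client: does it still match the crypto map?"""
    return crypto_acl_match(outbound_source(acl, "10.4.167.102", 25, dst), dst)

if __name__ == "__main__":
    for name, acl in (("without exemption", ACL_NO_EXEMPT), ("with ACL 199", ACL_199)):
        print(name, "-> reply to 192.168.1.50 inside tunnel:",
              reply_goes_through_tunnel(acl, "192.168.1.50"),
              "| source seen by an Internet sender:",
              outbound_source(acl, "10.4.167.102", 25, "198.51.100.7"))
```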
08-30-2010 01:27 PM
That makes perfect sense. If I remove the NAT statement that forwards inbound email to my server, I can connect using the telnet command from the remote network just fine. However, I added the statements which you recommended and it still does not work. Was there a reason for creating a separate route map than the one currently in use? Couldn't I just add the access-list statements to my current NAT rules that are used by the route map already deployed? For example, I have NAT rule 104 which is used by route map SDM_RMAP_1. Couldn't I create your rule entries there, instead of creating an entirely new route map called Mail?
08-30-2010 01:44 PM
Hello,
You can certainly use an existing route-map.
Regards,
NT
08-30-2010 02:10 PM
Alright, I made the modifications to the current NAT rule entry, but I'm still unable to access SMTP from the remote network. Any other ideas?
08-30-2010 02:48 PM
Hello,
Can you post the current configuration with the route-maps applied?
Regards,
NT
08-31-2010 07:27 AM
08-31-2010 09:24 AM
Hi,
If you are able to connect with the SMTP server on port 25, create Outlook profiles etc. over the VPN, then it sounds more like an MTU issue with the DF bit set to me. Try the following from a user machine to the SMTP server:
c:\user> ping
Thanks
manish
08-31-2010 09:40 AM
I am not able to access the SMTP server without removing the current static NAT rule that routes all inbound SMTP packets to our internal email server (ip nat inside source static tcp 10.4.167.102 25 <2811 Public IP> 25 extendable). If I remove that NAT statement, then I'm able to connect successfully by using the 'telnet 10.4.167.102 25' command from the remote peer network. The problem is that I need that statement in there, so that inbound Internet email gets routed successfully. I just need to figure out a way to not NAT SMTP traffic that is traveling through the tunnel from the remote peer network. I entered the commands that were suggested by NTHANTHR (he was correct in his assessment of the problem), but still have the same issues.
08-31-2010 10:24 AM
Hello,
I just tested this setup in my lab and it works fine. Please try the original configuration I had suggested:
access-list 101 deny tcp host 10.4.167.102 eq 25 192.168.1.0 0.0.0.255
access-list 101 permit tcp host 10.4.167.102 eq 25 any
route-map Mail
match ip address 101
exit
ip nat source static tcp 10.4.167.102 25 "2811 public ip" 25 route-map Mail
This will ensure that the traffic from the mail server is not NATted when going to remote VPN subnets.
Hope this helps.
Regards,
NT
08-31-2010 11:12 AM
Hello,
Also, do not forget to remove the old static for the mail server before adding the new one.
Regards,
NT
08-31-2010 11:23 AM
I'm entering the statements as follows, but keep getting an error when I try to re-enter the static NAT rule:
CISCO2811#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO2811(config)#access-list 104 deny tcp host 10.4.167.102 eq 25 192.168.1.0$
CISCO2811(config)#access-list 104 permit tcp host 10.4.167.102 eq 25 any
CISCO2811(config)#route-map SDM_RMAP_
CISCO2811(config-route-map)#match ip address 104
CISCO2811(config-route-map)#exit
CISCO2811(config)#ip nat source static tcp 10.4.167.102 <2811 Public IP> 25 route-map SDM_RMAP_1
ip nat source static tcp 10.4.167.102 <2811 Public IP> 25 route-map SDM_RMAP_1
^
% Invalid input detected at '^' marker.
CISCO2811(config)#ip nat source static TCP 10.4.167.102 25 <2811 Public IP> 25 route-map SDM_RMAP_1
ip nat source static TCP 10.4.167.102 25 <2811 Public IP> 25 route-map SDM_RMAP_1
^
% Invalid input detected at '^' marker.
08-31-2010 11:26 AM
The marker was under the r at route-map SDM_RMAP_1. My post didn't show that very well.