Accessing internal mail server (Exchange) through remote access VPN

pranavam_dileep
Level 1

hi all,

I have a problem configuring ASA 5510 to access my internal mail server (Exchange) through Remote Access VPN.

a. I configured my D-Link ADSL router to port forward SMTP (25) & POP3 (110) to the outside interface of ASA 5510 (192.168.5.101 255.255.255.0).

b. How can I configure ASA 5510 (using ASDM) to port forward (SMTP 25, POP3 110) to my internal mail server having IP 192.168.50.2 255.255.255.0?

c. My internal LAN network (192.168.50.0 255.255.255.0) is NATed to 10.1.1.0 255.255.255.224 for VPN clients.

d. My mail server IP (192.168.50.2 255.255.255.0) will also be NATed while the clients are accessing through Remote Access VPN.

e. What IP (Exchange server IP 192.168.50.2?) should I configure in Microsoft Outlook (incoming & outgoing mail server), as VPN clients are getting NATed IP 10.1.1.10?

Below are my configuration details for Remote Access VPN:

: Saved
: Written by enable_15 at 13:42:51.243 UTC Thu Nov 27 2008
!
ASA Version 7.0(6)
!
hostname xxxx
domain-name xxxx
enable password xxxxx encrypted
passwd xxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.5.101 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.101 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 nameif management
 security-level 100
 management-only
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.224
access-list vpn standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.0 255.255.255.224
ip local pool vpn-ip-pool 10.1.1.10-10.1.1.25 mask 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
! 192.168.5.1 is the D-Link ADSL router LAN IP
route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
group-policy vpn internal
group-policy vpn attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value vpn
 webvpn
username xxxxx password xxxx encrypted privilege 0
username xxxxx attributes
 vpn-group-policy vpn
 webvpn
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
 address-pool vpn-ip-pool
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
: end

So can anyone help me, how can I configure these tasks?


Ivan Martinon
Level 7

Having your ASA accept remote access connections saves you the trouble of needing to forward SMTP and POP ports to your Exchange server. When you connect to your ASA with a VPN client you are logically directly connected to your LAN, and you should be able to reach the Exchange server with its real IP address.

Dear imartino,

Yes, I am able to ping my Exchange server through the VPN client. Is it enough to get the mail?

But in some Cisco documents they mention that we need to forward SMTP & POP, as communication from the outside to the inside is not allowed.

Expecting your valuable reply.

You would need those in case you were coming via the Internet without any VPN connection. In your case, the fact that you are able to ping the server means that basic connectivity is possible, hence configuring your Outlook to go to your Exchange should be enough.

Dear imartino,

Now I understand, thank you. One more thing I have to clarify is that VPN clients are getting IP from a DHCP pool which is NATed, i.e. my internal network 192.168.50.0/24 is NATed to 10.1.1.0/24 (DHCP pool).

So my question is, can I configure the SMTP & POP3 server in Microsoft Outlook of the client machine, which is connected via Remote Access VPN, with the IP of the mail server, i.e. 192.168.50.2?

You will without a problem
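The reason the real address works is visible in the posted configuration: `nat (inside) 0 access-list inside_nat0_outbound` is identity NAT (NAT exemption), and that ACL covers the whole 10.1.1.0/27 range the VPN pool draws from, so traffic between the mail server and a VPN client is never translated. The Python script below is an added check, not code from the thread or from Cisco: it parses the NAT-exemption ACL, the `ip local pool` range and the IKE/IPsec lines from a constructed copy of the relevant config lines, confirms that every pool address is exempt from NAT for traffic to and from 192.168.50.2, confirms the pool does not overlap the inside LAN, and flags the 3DES/SHA-1/DH group 2 settings that are considered legacy today. The config sample, the mail-server address and the helper names are assumptions taken from the thread.

```python
import ipaddress
import re

# Constructed sample input: the NAT/VPN-relevant lines from the ASA 7.0(6)
# configuration posted in the thread (typos in the post corrected).
ASA_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.224
access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.0 255.255.255.224
ip local pool vpn-ip-pool 10.1.1.10-10.1.1.25 mask 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""

# Values taken from the thread (assumed for this example).
MAIL_SERVER = ipaddress.IPv4Address("192.168.50.2")
INSIDE_NET = ipaddress.IPv4Network("192.168.50.0/24")


def parse_pool(cfg):
    """Return (first, last) of the address range handed to VPN clients by 'ip local pool'."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M)
    if not m:
        raise ValueError("no 'ip local pool' line found")
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))


def _to_net(tok):
    """Convert an ACL address token ('any' or 'addr mask') to an IPv4Network."""
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, mask = tok.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def _acl_entries(cfg, name):
    """Yield (src, dst) networks for each 'permit ip' line of an extended ACL."""
    pat = re.compile(
        r"^access-list %s extended permit ip (any|\S+ \S+) (any|\S+ \S+)$" % re.escape(name),
        re.M,
    )
    for src, dst in pat.findall(cfg):
        yield _to_net(src), _to_net(dst)


def nat_exempt_entries(cfg, interface="inside"):
    """Entries of the ACL bound by 'nat (<iface>) 0 access-list <name>' (identity NAT)."""
    m = re.search(r"^nat \(%s\) 0 access-list (\S+)" % re.escape(interface), cfg, re.M)
    if not m:
        return []
    return list(_acl_entries(cfg, m.group(1)))


def pool_is_nat_exempt(cfg, server=MAIL_SERVER):
    """True if server->client traffic for every pool address matches an identity-NAT entry,
    i.e. VPN clients can use the server's real address and replies are not translated."""
    first, last = parse_pool(cfg)
    entries = nat_exempt_entries(cfg)
    addr = first
    while addr <= last:
        if not any(server in src and addr in dst for src, dst in entries):
            return False
        addr += 1
    return True


def pool_overlaps_inside(cfg, inside=INSIDE_NET):
    """True if the VPN pool collides with the inside LAN (a common cause of broken routing)."""
    first, last = parse_pool(cfg)
    return first in inside or last in inside


def legacy_crypto_findings(cfg):
    """Flag IKE/IPsec settings that are considered legacy today (3DES, SHA-1, DH group 2)."""
    findings = []
    if re.search(r"^crypto ipsec transform-set \S+ .*esp-3des", cfg, re.M):
        findings.append("IPsec transform-set uses 3DES")
    if re.search(r"^isakmp policy \d+ encryption 3des$", cfg, re.M):
        findings.append("IKE policy uses 3DES")
    if re.search(r"^isakmp policy \d+ hash sha$", cfg, re.M):
        findings.append("IKE policy uses SHA-1")
    if re.search(r"^isakmp policy \d+ group 2$", cfg, re.M):
        findings.append("IKE policy uses DH group 2 (1024-bit MODP)")
    return findings


if __name__ == "__main__":
    print("VPN pool:", parse_pool(ASA_CONFIG))
    print("clients reach 192.168.50.2 by its real address:", pool_is_nat_exempt(ASA_CONFIG))
    print("pool overlaps inside LAN:", pool_overlaps_inside(ASA_CONFIG))
    for finding in legacy_crypto_findings(ASA_CONFIG):
        print("finding:", finding)
```

For the thread's configuration the script reports that all of 10.1.1.10-10.1.1.25 is exempt from NAT for traffic with 192.168.50.2 and that the pool does not overlap 192.168.50.0/24, which is why Outlook can simply be pointed at 192.168.50.2; if the `nat 0` ACL were changed to a range that no longer covers the pool, `pool_is_nat_exempt` returns False and the dynamic PAT on `nat (inside) 10` would apply instead.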

Thank you so much imartino.