
ASA Site to Site and Direct Access to Server at the same time

s.hofmann
Level 1

We have two sites (Site A and Site B).

Between these two sites we normally have a site-to-site tunnel, which works fine.

The match clause for the tunnel covers only the LAN network on both sides.

Additionally, we have an SMTP server on the LAN at Site B which is reachable over the official IP of Site B from our mobile workers via NAT.

Both situations work fine!

Now we want to access the SMTP server at Site B from Site A (PAT to public IP) over the Internet.

That doesn't work!

When we remove the site-to-site tunnel between A & B, we can access the SMTP server in LAN B over the Internet.

Any idea? Should that be possible?

Stephan

8 Replies

rizwanr74
Level 7

"Now we want to access From Site A (PAT to public IP ) over the Internet to the smtp server on Side B. That doesn't work !" 

I believe it is a DNS issue: your Site-A users are using the private address of the SMTP server located at Site B, and secondly you cannot PAT or NAT or static-NAT a public IP address which is not routed to a circuit at Site A.

I assume the SMTP server is located at Site B and a public-to-private static NAT is in place at Site B, as per your description.

Thanks

We use the public IP of Site B for SMTP, which forwards port 25 requests to the SMTP server.

If we clear the tunnel config from Site B (ASA), the request to the SMTP server works.

So it can't be a DNS issue.

"We use the public IP of Side B for the smtp; which is transfered for port 25 request to the smtp Server"

Is your SMTP server's private address part of the interesting traffic at Site B for the VPN tunnel?

When you do an nslookup at Site A for the SMTP FQDN, what IP address is returned?

Thanks

Looking forward to hearing from you.

Rizwan Rafeek

Hello,

Another option could be to remove that traffic from the nat 0 ACL and the crypto ACL, because the thing is that the traffic is going over the VPN tunnel.

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

satya mothukuri
Level 1

Hi Stephan,

Apply an access-list on the tunnel: deny this SMTP traffic and then apply it on the interface.

Last week I met the same problem.

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key asindiaplus address x.x.x.x
!
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
!
crypto map HQ-IND-MAP 1 ipsec-isakmp
set peer x.x.x.x
set transform-set 3DES-SHA-HMAC
match address 101
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address x.x.x.x 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
crypto map HQ-IND-MAP
!
interface FastEthernet0/1
ip address 10.126.168.1 255.255.255.0 secondary
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1436
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map VPN_PAT interface FastEthernet0/0 overload
ip nat inside source static 10.126.168.60 x.x.x.x
no crypto ipsec nat-transparency udp-encapsulation
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 10.126.168.0 0.0.0.255
access-list 101 permit ip 10.126.168.0 0.0.0.255 host x.x.x.x
access-list 102 deny   ip 10.126.168.0 0.0.0.255 host x.x.x.x
access-list 102 permit ip 10.126.168.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
!
route-map VPN_PAT permit 10
match ip address 102

(please rate if helpful)

Regards,

Satya.M

Hello all!

Any additional hints?

Additional research:

- I'm now sure that it has to do with the update from 8.0 to 8.4.2; before, the problem was not there.

- The reason for that issue is somewhere in the NAT.

Stephan
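As an added illustration that is not from any poster in this thread, the two suggestions above, Julio's (keep the flow out of the NAT-exemption and crypto ACLs) and Satya's (exclude the SMTP flow from the tunnel), look like this in ASA 8.4 syntax on the Site A ASA. Every address, object and interface name is constructed for the example: LAN A is 10.1.1.0/24, LAN B is 10.2.2.0/24, and 203.0.113.5 stands for Site B's public address, which is both the tunnel peer and the NATed SMTP address. The identity (NAT-exempt) rule and the crypto ACL are scoped to LAN-to-LAN traffic only, so a packet from LAN A to 203.0.113.5 port 25 falls through to the dynamic PAT rule and is routed to the Internet instead of being pulled into the tunnel.

```cisco
! Constructed example for a Site A ASA running 8.4(2) or later; names and addresses are placeholders.
object network LAN_A
 subnet 10.1.1.0 255.255.255.0
object network LAN_B
 subnet 10.2.2.0 255.255.255.0
object network SITEB_PUBLIC
 host 203.0.113.5
!
! Section 1 (twice NAT): identity NAT only for the LAN-to-LAN flow that belongs in the tunnel.
! Traffic from LAN A to SITEB_PUBLIC does not match this rule and is not exempted from NAT.
nat (inside,outside) source static LAN_A LAN_A destination static LAN_B LAN_B no-proxy-arp route-lookup
!
! Section 2 (object NAT): everything else from LAN A, including SMTP to Site B's public address,
! is PATed to the outside interface address and routed like any other Internet traffic.
object network LAN_A
 nat (inside,outside) dynamic interface
!
! Crypto ACL scoped to LAN-to-LAN only. It deliberately does not include SITEB_PUBLIC,
! so 10.1.1.0/24 -> 203.0.113.5 is never classified as interesting traffic.
access-list L2L_A_TO_B extended permit ip object LAN_A object LAN_B
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_A_TO_B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.5
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
```

To see which rule a given flow actually hits on a running ASA, `packet-tracer input inside tcp 10.1.1.10 1025 203.0.113.5 25` walks the packet through the NAT and VPN phases and shows whether it is PATed to the outside address or matched as interesting traffic for the tunnel; `show nat detail` shows the section ordering and hit counts of the rules above. The `no-proxy-arp route-lookup` keywords are included because 8.4(2) changed the default for identity NAT: from that release the NAT rule, rather than a routing lookup, chooses the egress interface and proxy ARP is enabled, so a pre-8.4(2) NAT-exempt rule can behave differently after the upgrade even though the configuration text looks the same.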

Hello all,

After some more investigation we deleted the tunnel and configured it anew;

a "show conf" displays no difference, but now it works!!!

Thanks for your replies!