ASA Site to Site and Direct Access to Server at the same time

We have two sites (Site A and Site B).

Between these two sites we normally have a site-to-site tunnel, which works fine.

The match clause for the tunnel covers only the LAN networks on both sides.

Additionally we have an SMTP server on the LAN at Site B which is reachable over the official IP of Site B from our mobile workers via NAT.

Both situations work fine!

Now we want to access the SMTP server at Site B from Site A (PAT to public IP) over the Internet.

That doesn't work!

If we remove the site-to-site tunnel between A and B, then we can access the SMTP server in LAN B over the Internet.

Any idea? Should that be possible?



"Now we want to access from Site A (PAT to public IP) over the Internet to the SMTP server on Site B. That doesn't work!"

I believe it is a DNS issue: your Site A users are using the private address of the SMTP server located at Site B, and secondly you cannot PAT, NAT or static-NAT a public IP address which is not routed to a circuit at Site A.

I assume the SMTP server is located at Site B and a public-to-private static NAT is in place at Site B, as per your description.


We use the public IP of Site B for SMTP, which is transferred for port 25 requests to the SMTP server;

If we clear the tunnel config from Site B (ASA), the request to the SMTP server works...

so it can't be a DNS issue

"We use the public IP of Site B for SMTP, which is transferred for port 25 requests to the SMTP server"

Is your SMTP server's private address part of the interesting traffic at Site B for the VPN tunnel?

When you do an nslookup at Site A for the SMTP FQDN, what IP address is returned?


Looking forward to hearing from you.

Rizwan Rafeek


Another option could be to remove that traffic from the nat 0 ACL and the crypto ACL, because the thing is that the traffic is going over the VPN tunnel.


Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
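
Julio's suggestion written out as an added example (not from the thread), in both the 8.0-style syntax he refers to ("nat 0" ACL) and the 8.4 syntax the original poster is running, plus the packet-tracer check a practitioner would use to confirm which rule a flow hits. All object names, interface names and addresses are constructed placeholders; Site A's public PAT address is assumed to be 198.51.100.1.

```cisco
! Added example, not from the thread. Site B ASA; all names/addresses are
! constructed placeholders (RFC 1918 / RFC 5737): LAN-A 192.168.10.0/24,
! LAN-B 192.168.20.0/24, SMTP server 192.168.20.25, its public IP 203.0.113.25.

! ---- ASA 8.0 syntax (the "nat 0 ACL" Julio refers to) ----
! The deny lines keep the SMTP server out of NAT exemption and out of the
! tunnel, so it is reached only through the static PAT on port 25.
access-list NONAT extended deny ip host 192.168.20.25 192.168.10.0 255.255.255.0
access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
static (inside,outside) tcp 203.0.113.25 smtp 192.168.20.25 smtp netmask 255.255.255.255
access-list VPN-A-B extended deny ip host 192.168.20.25 192.168.10.0 255.255.255.0
access-list VPN-A-B extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-A-B
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1

! ---- ASA 8.4 syntax (what the poster runs after the 8.0 -> 8.4.2 upgrade) ----
object network LAN-A
 subnet 192.168.10.0 255.255.255.0
object network LAN-B
 subnet 192.168.20.0 255.255.255.0
object network SMTP-SERVER
 host 192.168.20.25
 ! Static PAT for port 25 only (object NAT, evaluated after manual NAT)
 nat (inside,outside) static 203.0.113.25 service tcp smtp smtp
! Identity (NAT-exempt) rule scoped to the two LANs: a flow towards Site A's
! public address never matches it, so it falls through to the static PAT.
nat (inside,outside) source static LAN-B LAN-B destination static LAN-A LAN-A no-proxy-arp route-lookup
! Crypto ACL with the same scope; the SMTP host is explicitly kept out of the tunnel.
access-list VPN-A-B extended deny ip object SMTP-SERVER object LAN-A
access-list VPN-A-B extended permit ip object LAN-B object LAN-A
crypto map OUTSIDE-MAP 10 match address VPN-A-B
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1

! Check which NAT rule and crypto map entry a flow hits (run on the Site B ASA):
! packet-tracer input outside tcp 198.51.100.1 40000 203.0.113.25 25
! packet-tracer input inside tcp 192.168.20.25 25 198.51.100.1 40000
```
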
satya mothukuri

Hi Stephan,

Apply an access-list on the tunnel: deny this SMTP traffic and then apply it on the interface.

Last week I met the same problem.

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key asindiaplus address x.x.x.x
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
crypto map HQ-IND-MAP 1 ipsec-isakmp
set peer x.x.x.x

set transform-set 3DES-SHA-HMAC
match address 101
interface FastEthernet0/0
ip address x.x.x.x
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed 100
crypto map HQ-IND-MAP
interface FastEthernet0/1
ip address secondary
ip address
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1436
duplex auto
speed auto
interface Serial0/0/0
no ip address
clock rate 2000000
interface Serial0/0/1
no ip address
clock rate 2000000
ip forward-protocol nd
ip route x.x.x.x
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map VPN_PAT interface FastEthernet0/0 overload
ip nat inside source static x.x.x.x

no crypto ipsec nat-transparency udp-encapsulation
access-list 10 permit
access-list 10 permit
access-list 101 permit ip host x.x.x.x
access-list 102 deny   ip host x.x.x.x

access-list 102 permit ip any
access-list 102 permit ip any
route-map VPN_PAT permit 10
match ip address 102

(Please rate if it's helpful)



Hello everyone!

Any additional hints?

Additional research:

- I'm now sure that it has to do with the update from 8.0 to 8.4.2; before the update the problem was not there

- The reason for that issue is somewhere in the NAT


Hello all,

After some more investigation we deleted the tunnel and configured it anew;

a "show conf" displays no difference, but now it works!!!

Thanks for your replies!!!
