11-05-2007 11:03 AM - edited 02-21-2020 03:21 PM
Hi all,
I have an IPSec site-to-site VPN working between 2 end-points.
Is it possible to send emails destined to the domain @mycompany.com over the VPN?
Normally, the mail server will try to resolve the domain name and end up with a public IP for the destination SMTP server.
Any idea how this can be implemented on the server and on the router?
Thanks for any help.
11-06-2007 10:06 AM
Did I post in the wrong forum or is this something impossible to implement?
11-06-2007 10:33 AM
Sounds like you either need to resolve the address to the private address of the remote mail server or make the communication with the public IP address part of the interesting traffic for the tunnel.
That should be easy enough to set up. If you need a hand, post two clean configs.
11-06-2007 11:14 AM
You could also try this in the local ASA, the one where the mail is being sent.
static (outside,inside) tcp public.ip.of.mail.server 25 private.ip.of.mail.server 25 netmask 255.255.255.255
11-06-2007 09:42 PM
Let's say the local mail server finds that the remote mail server addresses for domain @mycompany.com are mail1.mycompany.com and mail2.mycompany.com.
Should I modify the hosts file on the local mail server so that mail1.mycompany.com points to, for example, 192.168.200.1 and mail2.mycompany.com points to 192.168.200.2?
Interesting traffic is "permit ip 10.0.0.0 0.0.255.255 192.168.200.0 0.0.0.255". The private ip of the local mail server is 10.0.0.13/16.
Below is an excerpt of the current config on my local Cisco 2801 router:
crypto map mapVPN 10 ipsec-isakmp
set peer
set security-association lifetime seconds 43200
set transform-set TS_esp-3des-sha
set pfs group2
match address aclInterestingTraffic
!
interface Serial0/1/0
ip address
ip access-group aclIncoming in
ip nat outside
crypto map mapVPN
!
ip nat inside source route-map nonat interface Serial0/1/0 overload
ip nat inside source static tcp 10.0.0.13 25
!
ip access-list extended aclInterestingTraffic
permit ip 10.0.0.0 0.0.255.255 192.168.200.0 0.0.0.255
permit ip 10.6.0.0 0.0.255.255 192.168.200.0 0.0.0.255
ip access-list extended aclIncoming
permit tcp any host
ip access-list extended aclNAT
deny ip 10.0.0.0 0.0.255.255 192.168.200.0 0.0.0.255
deny ip 10.6.0.0 0.0.255.255 192.168.200.0 0.0.0.255
permit ip 10.0.0.0 0.0.255.255 any
permit ip 10.6.0.0 0.0.255.255 any
route-map nonat permit 10
match ip address aclNAT
!
11-07-2007 09:23 AM
Sorry, I shouldn't have assumed this was a pix/asa.
"Should I modify the hosts file on the local mail server so that mail1.mycompany.com points to, for e.g., 192.168.200.1 and mail2.mycompany.com points to 192.168.200.2?"
-That would work.
You could also make the interesting traffic include the public IP of the mail server.
ip access-list extended aclInterestingTraffic
permit ip 10.0.0.0 0.0.255.255 192.168.200.0 0.0.0.255
permit ip 10.0.0.13 0.0.0.0 x.x.x.x 0.0.0.0
ip access-list extended aclNAT
deny ip 10.0.0.0 0.0.255.255 192.168.200.0 0.0.0.255
deny ip 10.6.0.0 0.0.255.255 192.168.200.0 0.0.0.255
deny ip 10.0.0.13 0.0.0.0 x.x.x.x 0.0.0.0
permit ip 10.0.0.0 0.0.255.255 any
permit ip 10.6.0.0 0.0.255.255 any
I think that would work as well. The interesting traffic acl would need to be mirrored on the remote endpoint as well.
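The reply above leans on a rule that is easy to get wrong on IOS: for inside-to-outside traffic the router applies NAT before the crypto map, so any packet the nonat route-map still translates is rewritten to the serial interface's address and no longer matches an interesting-traffic entry written for its private source. The script below is an added example (not code from this thread or from Cisco): it parses extended ACLs in the form posted here, traces a packet through the NAT-then-crypto order, and audits whether the exemption ACL mirrors the crypto ACL. It assumes 203.0.113.25 in place of x.x.x.x for the remote mail server's public address, 192.0.2.1 for the Serial0/1/0 address, and 198.51.100.7 as an ordinary Internet destination; all three are RFC 5737 documentation addresses chosen for illustration. The crypto ACL text restores the 10.6.0.0 line from the original config, which the abbreviated snippet in the reply leaves out; the second audit call shows what that omission would flag if taken literally.

```python
"""Trace packets through a Cisco IOS NAT route-map and crypto ACL, and check
that the NAT-exemption ACL mirrors the interesting-traffic ACL.

Added example for the thread above; not code from the thread or from Cisco.
Assumed placeholders: 203.0.113.25 stands in for x.x.x.x (remote mail server's
public IP), 192.0.2.1 for the Serial0/1/0 address, 198.51.100.7 for an
arbitrary Internet host (all RFC 5737 documentation ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ROUTER_OUTSIDE_IP = "192.0.2.1"   # assumed public address of Serial0/1/0


@dataclass
class Ace:
    action: str     # "permit" or "deny"
    proto: str
    src_net: int
    src_wc: int     # IOS wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wc: int

    def matches(self, src: str, dst: str) -> bool:
        s = int(ipaddress.IPv4Address(src))
        d = int(ipaddress.IPv4Address(dst))
        return (s | self.src_wc) == (self.src_net | self.src_wc) and \
               (d | self.dst_wc) == (self.dst_net | self.dst_wc)


def _addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec ('any', 'host X', or 'X wildcard') at tok[i]."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1])), i + 2)


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit/deny <proto> <src> <dst>' lines; headers and blanks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        sn, sw, i = _addr(tok, 2)
        dn, dw, _ = _addr(tok, i)
        aces.append(Ace(tok[0], tok[1], sn, sw, dn, dw))
    return aces


def lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


def trace(crypto_acl: List[Ace], nat_acl: List[Ace], src: str, dst: str) -> dict:
    """Inside-to-outside order on IOS: NAT first, then the crypto map.
    A route-map 'permit' means the packet is translated (overloaded onto the
    serial address); only an untranslated packet can match a crypto ACE that
    names its private source."""
    natted = lookup(nat_acl, src, dst) == "permit"
    wire_src = ROUTER_OUTSIDE_IP if natted else src
    encrypted = lookup(crypto_acl, wire_src, dst) == "permit"
    return {"natted": natted, "wire_src": wire_src, "encrypted": encrypted}


def _corners(net: int, wc: int) -> Tuple[str, str]:
    lo = net & ~wc & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(net | wc))


def audit(crypto_acl: List[Ace], nat_acl: List[Ace]) -> List[str]:
    """Sample the corner addresses of each ACE and report two mismatches:
    crypto traffic the route-map would still translate (NATed, then misses the
    tunnel) and NAT-exempt traffic no crypto ACE covers (leaves in the clear
    with a private source). Corner sampling is a heuristic, not a full proof."""
    problems = []
    for ace in crypto_acl:
        if ace.action == "permit":
            for s in _corners(ace.src_net, ace.src_wc):
                for d in _corners(ace.dst_net, ace.dst_wc):
                    if lookup(nat_acl, s, d) == "permit":
                        problems.append(f"crypto traffic {s}->{d} would be NATed before encryption")
    for ace in nat_acl:
        if ace.action == "deny":
            for s in _corners(ace.src_net, ace.src_wc):
                for d in _corners(ace.dst_net, ace.dst_wc):
                    if lookup(nat_acl, s, d) == "deny" and lookup(crypto_acl, s, d) != "permit":
                        problems.append(f"NAT-exempt traffic {s}->{d} is not in the crypto ACL")
    return problems


# The thread's suggested ACLs, with 203.0.113.25 standing in for x.x.x.x.
CRYPTO_ACL_TEXT = """
ip access-list extended aclInterestingTraffic
permit ip 10.0.0.0 0.0.255.255 192.168.200.0 0.0.0.255
permit ip 10.6.0.0 0.0.255.255 192.168.200.0 0.0.0.255
permit ip 10.0.0.13 0.0.0.0 203.0.113.25 0.0.0.0
"""
NAT_ACL_TEXT = """
ip access-list extended aclNAT
deny ip 10.0.0.0 0.0.255.255 192.168.200.0 0.0.0.255
deny ip 10.6.0.0 0.0.255.255 192.168.200.0 0.0.0.255
deny ip 10.0.0.13 0.0.0.0 203.0.113.25 0.0.0.0
permit ip 10.0.0.0 0.0.255.255 any
permit ip 10.6.0.0 0.0.255.255 any
"""
# The reply's abbreviated crypto ACL as literally posted (10.6.0.0 line missing).
CRYPTO_ACL_ABBREVIATED = "\n".join(l for l in CRYPTO_ACL_TEXT.splitlines() if "10.6.0.0" not in l)

CRYPTO = parse_acl(CRYPTO_ACL_TEXT)
NAT = parse_acl(NAT_ACL_TEXT)

if __name__ == "__main__":
    for src, dst in [("10.0.0.13", "203.0.113.25"), ("10.0.0.20", "203.0.113.25"),
                     ("10.6.0.9", "192.168.200.2"), ("10.0.0.13", "198.51.100.7")]:
        print(src, "->", dst, trace(CRYPTO, NAT, src, dst))
    print("audit (mirrored):", audit(CRYPTO, NAT))
    print("audit (abbreviated crypto ACL):", audit(parse_acl(CRYPTO_ACL_ABBREVIATED), NAT))
```

Run it and the trace shows only the mail server's own packets to the public address going down the tunnel untranslated; any other inside host reaching that same address is overloaded onto the serial interface and sent over the Internet, which is what the single host-to-host exemption line buys you. The audit returns nothing for the mirrored pair and flags the 10.6.0.0 corners when the crypto ACL is missing that line, which is the "mirror it on both ends" problem the reply warns about, only on the local router.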
11-08-2007 11:42 AM
I have 2 questions:
1. Let's simulate the sending of a packet by the local mail server to the remote one.
The local mail server sends a packet with src IP of 10.0.0.13 and public dst IP x.x.x.x. When the packet reaches the local router, its src IP is not NATed, but the packet is encrypted and "placed within another packet" having src IP equal to the public IP of the Serial0/1/0 interface and destination IP equal to that of the remote router/firewall. When it reaches the remote device, it is decrypted, i.e., it now has a src IP of 10.0.0.13 and dst IP of x.x.x.x (public IP of remote mail server).
My question is: will the remote device perform NAT after decryption to change the dst IP to 192.168.200.1 or will the packet still have a dst IP of x.x.x.x after decryption?
In the latter case, will the packet be successfully sent to the remote mail server by the remote router/firewall?
2. Let's say the DNS names and/or IP addresses of the remote mail servers change without any notice. Is there a workaround for this situation, without having to manually update the access lists on the router?
11-08-2007 12:51 PM
1. Yes. I believe so, but I am basing this on my experience on a similar situation with 2 ASAs.
2. Not that I know of.
On another note, it may be easier to do something I suggested earlier, destination NAT. Basically this will change the destination IP from x.x.x.x to 192.168.200.1, therefore sending the traffic across the tunnel with the new destination IP. If x.x.x.x ever changed you would of course need to update your NAT statement in the router. I'm not great with routers but it would be something like this...
interface e0
ip nat inside
interface e1
ip nat outside
ip nat outside source static 192.168.200.1 x.x.x.x
11-08-2007 11:27 PM
OK.
Thanks a lot for your help.