Site to site VPN (1801 <-> PIX) NAT problems with SMTP

shane.henderson
Level 1

Hello all,

I am having a problem which I can't work out with my site VPN.

High level config is as follows:

- main LAN:  Cisco 1801 router, IOS 12.4(15)T10 , 128 MB RAM/32 MB Flash, ADSL 2+

- remote LAN:  Cisco PIX 506E, OS 6.3(5), 2 MB RAM/8 MB Flash

The main LAN hosts an SMTP server which connects to the Internet.

The VPN is IPsec site to site, with no restrictions between the sites.

The site to site VPN appears to work fine with most protocols (MS Remote Desktop, telnet, HTTP, DNS, LDAP) but the one thing which does not work is SMTP to the internal SMTP host.  The connection is dropped without anything being logged on the 1801 router.

I can see the outgoing connection being logged on the PIX, as follows:

2009-12-20 19:53:37    Local4.Info    192.168.1.1    Dec 20 2009 01:54:07 pix : %PIX-6-302013: Built outbound TCP connection 4340 for outside:192.168.0.25/25 (192.168.0.25/25) to inside:192.168.1.3/3828 (192.168.1.3/3828)

but the telnet connection to port 25 fails.


I configured another server as a test SMTP server on the main LAN and the connection to port 25 works fine across the VPN, so I think it must be a NAT problem.  Any suggestions would be gratefully received.

The 1801 config (truncated for VPN, NAT, firewall) is as follows:


Using 21556 out of 196600 bytes

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname router
!
!
!
!
aaa session-id common
clock timezone Sydney 10
clock summer-time Sydney date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-88913503
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-88913503
revocation-check none
rsakeypair TP-self-signed-88913503
!
!
crypto pki certificate chain TP-self-signed-88913503
certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
dot11 syslog
!
!
ip cef
!
!
!
multilink bundle-name authenticated
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 5
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key password address a.b.c.d no-xauth
!
!
crypto ipsec transform-set High esp-aes 256 esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to a.b.c.d
set peer a.b.c.d
set transform-set High
set pfs group5
match address 100
!
archive
log config
  hidekeys
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 105
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 112
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 111
class-map type inspect match-all sdm-nat-smtp-1
match access-group 106
match protocol smtp
class-map type inspect match-any service-smtp-out
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any smtp_out_allow
match protocol smtp
class-map type inspect imap match-any sdm-app-imap
match  invalid-command
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 110
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 104
match class-map SDM_VPN_TRAFFIC
class-map type inspect gnutella match-any sdm-app-gnutella
match  file-transfer
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
match  service any
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
match  service any
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any service-smtp-out2
match protocol smtp
class-map type inspect match-all sdm-cls-sdm-inspect-2
match class-map service-smtp-out2
match access-group name smtp_out
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-all sdm-cls-sdm-inspect-3
match class-map smtp_out_allow
match access-group name smtp_out_allow
class-map type inspect match-all sdm-cls-sdm-inspect-1
match class-map service-smtp-out
match access-group name traffic-smtp-out
class-map type inspect aol match-any sdm-app-aol-otherservices
match  service any
class-map type inspect pop3 match-any sdm-app-pop3
match  invalid-command
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 103
class-map type inspect kazaa2 match-any sdm-app-kazaa2
match  file-transfer
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
match  req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
match access-group 102
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect ymsgr match-any sdm-app-yahoo
match  service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
match  service text-chat
class-map type inspect edonkey match-any sdm-app-edonkey
match  file-transfer
match  text-chat
match  search-file-name
class-map type inspect http match-any sdm-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method propfind
match  request method proppatch
match  request method put
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect edonkey match-any sdm-app-edonkeychat
match  search-file-name
match  text-chat
class-map type inspect http match-any sdm-http-allowparam
match  request port-misuse tunneling
class-map type inspect fasttrack match-any sdm-app-fasttrack
match  file-transfer
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect edonkey match-any sdm-app-edonkeydownload
match  file-transfer
class-map type inspect match-all sdm-protocol-imap
match protocol imap
class-map type inspect aol match-any sdm-app-aol
match  service text-chat
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
class type inspect sdm-nat-smtp-1
  inspect
class type inspect sdm-cls-VPNOutsideToInside-2
  pass
class type inspect sdm-cls-VPNOutsideToInside-3
  pass
class class-default
  drop log
policy-map type inspect p2p sdm-action-app-p2p
class type inspect edonkey sdm-app-edonkeychat
  log
  allow
class type inspect edonkey sdm-app-edonkeydownload
  log
  allow
class type inspect fasttrack sdm-app-fasttrack
  log
  allow
class type inspect gnutella sdm-app-gnutella
  log
  allow
class type inspect kazaa2 sdm-app-kazaa2
  log
  allow
class class-default
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
  log
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
  log
class class-default
policy-map type inspect im sdm-action-app-im
class type inspect aol sdm-app-aol
  log
  allow
class type inspect msnmsgr sdm-app-msn
  log
  allow
class type inspect ymsgr sdm-app-yahoo
  log
  allow
class type inspect aol sdm-app-aol-otherservices
  log
  reset
class type inspect msnmsgr sdm-app-msn-otherservices
  log
  reset
class type inspect ymsgr sdm-app-yahoo-otherservices
  log
  reset
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-cls-sdm-inspect-3
  inspect
class type inspect sdm-cls-sdm-inspect-2
  drop log
class type inspect sdm-protocol-http
  inspect
class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-im
  inspect
  service-policy im sdm-action-app-im
class type inspect sdm-insp-traffic
  inspect
class type inspect SDM-Voice-permit
  inspect
class type inspect sdm-cls-sdm-inspect-1
  inspect
class class-default
  pass
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
  log
  allow
class type inspect http sdm-app-httpmethods
  log
  allow
class type inspect http sdm-http-allowparam
  log
  allow
class class-default
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
  pass
class type inspect sdm-access
  inspect
class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
ip access-group 107 in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
crypto map SDM_CMAP_1
!
ip local pool remote 192.168.4.1 192.168.4.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source static tcp 192.168.0.25 25 interface Dialer0 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
ip access-list extended SDM_WEBVPN
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended smtp_out
remark SDM_ACL Category=128
permit ip any any
ip access-list extended smtp_out_allow
remark SDM_ACL Category=128
permit ip host 192.168.0.25 any
ip access-list extended traffic-smtp-out
remark SDM_ACL Category=128
permit ip host 192.168.0.25 any
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 remark VPN
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark VPN
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip any any
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip host a.b.c.d any
access-list 105 remark SDM_ACL Category=0
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.0.25
access-list 107 remark Auto generated by SDM Management Access feature
access-list 107 remark SDM_ACL Category=1
access-list 107 permit udp host 192.168.0.13 eq 1645 host 192.168.0.1
access-list 107 permit udp host 192.168.0.13 eq 1646 host 192.168.0.1
access-list 107 permit udp host 192.168.0.15 eq 1645 host 192.168.0.1
access-list 107 permit udp host 192.168.0.15 eq 1646 host 192.168.0.1
access-list 107 permit tcp 192.168.1.0 0.0.0.255 host 192.168.0.1 eq telnet
access-list 107 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq telnet
access-list 107 permit tcp 192.168.1.0 0.0.0.255 host 192.168.0.1 eq 22
access-list 107 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq 22
access-list 107 permit tcp 192.168.1.0 0.0.0.255 host 192.168.0.1 eq www
access-list 107 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq www
access-list 107 permit tcp 192.168.1.0 0.0.0.255 host 192.168.0.1 eq 443
access-list 107 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq 443
access-list 107 permit tcp 192.168.1.0 0.0.0.255 host 192.168.0.1 eq cmd
access-list 107 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq cmd
access-list 107 permit udp 192.168.1.0 0.0.0.255 host 192.168.0.1 eq snmp
access-list 107 permit udp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq snmp
access-list 107 deny   tcp any host 192.168.0.1 eq telnet
access-list 107 deny   tcp any host 192.168.0.1 eq 22
access-list 107 deny   tcp any host 192.168.0.1 eq www
access-list 107 deny   tcp any host 192.168.0.1 eq 443
access-list 107 deny   tcp any host 192.168.0.1 eq cmd
access-list 107 deny   udp any host 192.168.0.1 eq snmp
access-list 107 permit ip any host 192.168.0.1
access-list 107 permit ip any any
access-list 108 remark Auto generated by SDM Management Access feature
access-list 108 remark SDM_ACL Category=1
access-list 108 permit ip 192.168.1.0 0.0.0.255 any
access-list 108 permit ip 192.168.0.0 0.0.0.255 any
access-list 109 remark Auto generated by SDM Management Access feature
access-list 109 remark SDM_ACL Category=1
access-list 109 permit ip 192.168.1.0 0.0.0.255 any
access-list 109 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 remark SDM_ACL Category=128
access-list 110 permit ip any host 123.243.16.114
access-list 111 remark SDM_ACL Category=0
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 remark VPN
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 112 remark SDM_ACL Category=0
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 112 remark VPN
access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
end

The PIX config is as follows (truncated for VPN, NAT, firewall):

Result of firewall command: "show run"

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name dyndns.org
fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 Remote_LAN
name 192.168.0.0 Main_LAN
name 192.168.2.0 Remote_Access
access-list inside_outbound_nat0_acl permit ip Remote_LAN 255.255.255.0 Main_LAN 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Remote_LAN 255.255.255.0 Remote 255.255.255.240
access-list inside_outbound_nat0_acl permit ip Remote_Access 255.255.255.0 Main_LAN 255.255.255.0
access-list outside_cryptomap_20 permit ip Remote_LAN 255.255.255.0 Main_LAN 255.255.255.0
access-list outside_cryptomap_20 permit ip Remote_Access 255.255.255.0 Main_LAN 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote_Access 192.168.2.1-192.168.2.10 mask 255.255.255.0
pdm location Main_LAN 255.255.255.0 outside
pdm location 192.168.1.248 255.255.255.248 outside
pdm location Remote 255.255.255.240 outside
pdm location Remote 255.255.255.0 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt connection tcpmss 0
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer a.b.c.d
crypto map outside_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address a.b.c.d netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
dhcpd lease 3600
dhcpd ping_timeout 100
dhcpd domain dyndns.org
dhcpd auto_config outside
terminal width 80
Cryptochecksum:1fd1b33942e397114ce7cfd1657e1c22
: end

3 Replies

Laurent Aubert
Cisco Employee

Hi Shane,

I think you need to tell the 1841 not to translate the SMTP server if the destination is reachable via the VPN because NAT occurs before crypto-map check:

ip nat inside source static tcp 192.168.0.25 25 interface Dialer0 25 route-map nonat
!
access-list 120 deny ip host 192.168.0.25 192.168.1.0 0.0.0.255
access-list 120 deny ip host 192.168.0.25 192.168.2.0 0.0.0.255
access-list 120 permit ip host 192.168.0.25 any
!
route-map nonat permit 10
match ip address 120
!

HTH

Laurent.
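Laurent's point that NAT runs before the crypto map check, as an added illustration that is not code from the thread or from Cisco: a small Python model of the 1801's inside-to-outside path, using the thread's ACLs 100, 101 and 120, shows why the SMTP host's VPN replies leave in the clear today and stay encrypted once the static entry gets the route-map. The Dialer0 address 203.0.113.10 and the port-25 client 192.168.1.3:3828 (from the PIX log line) are constructed/assumed values.

```python
"""Model of the 1801's inside-to-outside packet path for the SMTP host.

Added illustration, not code from the thread or from Cisco: it reproduces
the IOS order of operations (route, then inside NAT, then crypto map
check) with the thread's ACLs to show why VPN replies from 192.168.0.25
are lost without the route-map on the static translation.
"""
import ipaddress
from dataclasses import dataclass, replace

DIALER0_IP = "203.0.113.10"   # constructed stand-in for the negotiated Dialer0 address
SMTP_HOST = "192.168.0.25"


def _in(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def acl_action(acl, src, dst):
    """First matching (action, src_net, dst_net) entry wins; implicit deny at the end."""
    for action, s, d in acl:
        if _in(src, s) and _in(dst, d):
            return action
    return "deny"


# access-list 100: crypto map match address (what gets encrypted)
ACL_100 = [("permit", "192.168.0.0/24", "192.168.1.0/24"),
           ("permit", "192.168.0.0/24", "192.168.2.0/24")]
# access-list 101: route-map SDM_RMAP_1 for the overload PAT; VPN subnets are denied
ACL_101 = [("deny", "192.168.0.0/24", "192.168.2.0/24"),
           ("deny", "192.168.0.0/24", "192.168.1.0/24"),
           ("permit", "192.168.0.0/24", "0.0.0.0/0")]
# access-list 120 from the reply: the same exemption applied to the static SMTP entry
ACL_120 = [("deny", SMTP_HOST + "/32", "192.168.1.0/24"),
           ("deny", SMTP_HOST + "/32", "192.168.2.0/24"),
           ("permit", SMTP_HOST + "/32", "0.0.0.0/0")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def nat_inside_to_outside(pkt, static_route_map):
    """Inside->outside NAT as configured on the 1801. static_route_map is None
    (current config) or the ACL used as the route-map on the static entry."""
    # ip nat inside source static tcp 192.168.0.25 25 interface Dialer0 25 [route-map nonat]
    if pkt.src == SMTP_HOST and pkt.sport == 25:
        if static_route_map is None or acl_action(static_route_map, pkt.src, pkt.dst) == "permit":
            return replace(pkt, src=DIALER0_IP)
        return pkt          # route-map denies: keep the inside address
    # ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    if acl_action(ACL_101, pkt.src, pkt.dst) == "permit":
        return replace(pkt, src=DIALER0_IP, sport=40000 + pkt.sport % 10000)  # PAT port
    return pkt


def egress(pkt, static_route_map=None):
    """Return ('ipsec' | 'clear', packet as it leaves Dialer0). NAT runs before
    the crypto map check, so the *translated* packet is compared with ACL 100."""
    out = nat_inside_to_outside(pkt, static_route_map)
    encrypted = acl_action(ACL_100, out.src, out.dst) == "permit"
    return ("ipsec" if encrypted else "clear", out)


if __name__ == "__main__":
    # SYN/ACK from the SMTP host back to the PIX-side client seen in the PIX log
    reply = Packet(SMTP_HOST, "192.168.1.3", 25, 3828)
    print("current config :", egress(reply))            # clear: source rewritten, no ACL 100 match
    print("with route-map :", egress(reply, ACL_120))   # ipsec: source kept
    # Another inside host on port 25 (the test server) only hits the overload PAT,
    # whose route-map already exempts the VPN subnets, so it works unchanged.
    print("test server    :", egress(Packet("192.168.0.30", "192.168.1.3", 25, 3829)))
```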

Thanks for that Laurent,

Now I understand what the problem is and what the fix has to be.  However, I tried to configure the router as per your suggestion but the router returned "Unrecognized command" with the first command:

ip nat inside source static tcp 192.168.0.25 25 interface Dialer0 25 route-map nonat

The router expected a carriage return after the Dialer0 25 entry (i.e. it did not recognize the route-map command after the global port number).  Could this be related to my IOS version or router hardware (1801) perhaps?

Thanks again for your kind assistance.


Cheers,

Shane

Hi,

Your version supports route-map with static translation, but it may not be supported with the interface keyword.

I don't have access to a lab right now so can't confirm, but try ip nat inside source static tcp 192.168.0.25 25 1.1.1.1 25 ? just to see if the route-map keyword appears in the list.

I know it will not solve your issue but it's just to be sure the route-map is here.

Thanks

Laurent.