External SMTP from client initiates ISAKMP

j1behelpdesk
Level 1

In the past month we have suddenly become unable to receive inbound smtp traffic from a specific client.

After some packet capture footwork it appears that whenever the external mail server tries to access our internal mail server via smtp our PIX treats the connection as a VPN session as is noted by the ISAKMP transaction that is initiated.

It turns out that the external mail server is on the same network as a Lan-2-Lan that we have set up @ a colo. I'm under the impression that perhaps our Lan-2-Lan setup between our 515E and the ASA5510 on the colo end is misconfigured and instead of simply passing smtp traffic to the server, tries to initiate a VPN session.

I'd be happy to provide further details but wanted to put the basics out there to see if anyone had some suggestions I could follow up on.

I'm currently unable to disable the lan-2-lan due to service disruption at this time but think that this would quickly confirm whether the lan-2-lan is the actual culprit.

Thanks in advance for any input.

~Pete

1 Reply

dciccaro
Cisco Employee

If you can see the incoming TCP SYN towards your local mail server, the remote side is correctly configured and NOT trying to encrypt that traffic. Otherwise, the remote side would first try to establish an IKE and then an IPsec SA with your side.

Looks like you have to tune your ACL, the one that defines the traffic to be encrypted. Say the remote LAN is 10.10.10.0/24 and the remote mail server is 10.10.10.1; the ACL should then be something like

deny [local_net] host 10.10.10.1

permit [local_net] 10.10.10.0 255.255.255.0

Check the ACLs on the other side too. Remember that for this to work, the ACLs have to be mirror images.
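To make the ordering point in the reply concrete, here is an added Python simulation (not code from the poster, the reply, or Cisco) of how a crypto ACL selects "interesting" traffic: entries are evaluated top down, the first match wins, and anything that matches no entry is sent in the clear. It assumes a placeholder local network of 192.168.1.0/24 standing in for [local_net], the 10.10.10.0/24 remote LAN and 10.10.10.1 mail server from the reply, and PIX/ASA-style "address mask" and "host" address syntax. It shows why the deny for the mail server must come before the permit for the whole subnet, and includes a mirror-image check between the two sides' ACLs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" = encrypt, "deny" = send in the clear
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_endpoint(tokens, i):
    """Read one address spec starting at tokens[i]; return (network, next index).

    Accepts 'any', 'host A.B.C.D', or 'A.B.C.D MASK' (PIX/ASA mask notation).
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse simplified ACEs of the form '<permit|deny> <src> <dst>', one per line."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action = tokens[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in ACE: {line!r}")
        src, i = _parse_endpoint(tokens, 1)
        dst, _ = _parse_endpoint(tokens, i)
        entries.append(AclEntry(action, src, dst))
    return entries


def classify(acl, src_ip, dst_ip):
    """First matching entry decides; no match means the traffic is not interesting."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for e in acl:
        if src in e.src and dst in e.dst:
            return "encrypt" if e.action == "permit" else "clear"
    return "clear"  # implicit deny at the end of every crypto ACL


def mirror(acl):
    """The peer's ACL should be this one with source and destination swapped."""
    return [AclEntry(e.action, e.dst, e.src) for e in acl]


def is_mirror_image(local_acl, remote_acl):
    return mirror(local_acl) == remote_acl


# Constructed placeholder for [local_net] in the reply; not from the original thread.
LOCAL_NET = "192.168.1.0 255.255.255.0"

# Order recommended in the reply: exempt the mail server, then encrypt the rest of the LAN.
CORRECT_LOCAL_ACL = parse_acl(f"""
deny {LOCAL_NET} host 10.10.10.1
permit {LOCAL_NET} 10.10.10.0 255.255.255.0
""")

# Same two entries, wrong order: the subnet permit shadows the host deny.
WRONG_LOCAL_ACL = parse_acl(f"""
permit {LOCAL_NET} 10.10.10.0 255.255.255.0
deny {LOCAL_NET} host 10.10.10.1
""")

# What the colo side should carry: the exact mirror image of the correct local ACL.
REMOTE_ACL = parse_acl(f"""
deny host 10.10.10.1 {LOCAL_NET}
permit 10.10.10.0 255.255.255.0 {LOCAL_NET}
""")


if __name__ == "__main__":
    local_host, mail_server, other_remote = "192.168.1.25", "10.10.10.1", "10.10.10.50"
    print("correct ACL, to mail server :", classify(CORRECT_LOCAL_ACL, local_host, mail_server))
    print("correct ACL, to other host  :", classify(CORRECT_LOCAL_ACL, local_host, other_remote))
    print("wrong ACL,   to mail server :", classify(WRONG_LOCAL_ACL, local_host, mail_server))
    print("remote side, from mail srv  :", classify(REMOTE_ACL, mail_server, local_host))
    print("local/remote are mirrors    :", is_mirror_image(CORRECT_LOCAL_ACL, REMOTE_ACL))
```

With the entries in the recommended order, traffic to 10.10.10.1 is classified as clear while the rest of 10.10.10.0/24 is still encrypted; with the permit first, the mail server's traffic is swallowed by the subnet entry and would be tunnelled, which is the behaviour the question describes. The mirror check is the quick way to confirm the colo-side ACL matches before touching the live tunnel.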
