Send email for a given domain over VPN

Unanswered Question
Nov 5th, 2007

Hi all,


I have an IPSec site-to-site VPN working between 2 end-points.


Is it possible to send emails destined to the domain @mycompany.com over the VPN?


Normally, the mail server will try to resolve the domain name and end up with a public IP for the destination SMTP server.


Any idea how this can be implemented on the server and on the router?


Thanks for any help.

netsysadmin Tue, 11/06/2007 - 10:06
Did I post in the wrong forum or is this something impossible to implement?

acomiskey Tue, 11/06/2007 - 10:33
Sounds like you either need to resolve the address to the private address of the remote mail server or make the communication with the public ip address part of the interesting traffic for the tunnel.


That should be easy enough to set up. If you need a hand, post two clean configs.

acomiskey Tue, 11/06/2007 - 11:14
You could also try this in the local ASA, the one where the mail is being sent.


static (outside,inside) tcp public.ip.of.mail.server 25 private.ip.of.mail.server 25 netmask 255.255.255.255

netsysadmin Tue, 11/06/2007 - 21:42
Let's say the local mail server finds that the remote mail server addresses for domain @mycompany.com are mail1.mycompany.com and mail2.mycompany.com.


Should I modify the hosts file on the local mail server so that mail1.mycompany.com points to, e.g., 192.168.200.1 and mail2.mycompany.com points to 192.168.200.2?


Interesting traffic is "permit ip 10.0.0.0 0.0.255.255 192.168.200.0 0.0.0.255". The private ip of the local mail server is 10.0.0.13/16.


Below is an excerpt of the current config on my local Cisco 2801 router:


crypto map mapVPN 10 ipsec-isakmp
 set peer
 set security-association lifetime seconds 43200
 set transform-set TS_esp-3des-sha
 set pfs group2
 match address aclInterestingTraffic
!
interface Serial0/1/0
 ip address 255.255.255.252
 ip access-group aclIncoming in
 ip nat outside
 crypto map mapVPN
!
ip nat inside source route-map nonat interface Serial0/1/0 overload
ip nat inside source static tcp 10.0.0.13 25 25 extendable
!
ip access-list extended aclInterestingTraffic
 permit ip 10.0.0.0 0.0.255.255 192.168.200.0 0.0.0.255
 permit ip 10.6.0.0 0.0.255.255 192.168.200.0 0.0.0.255
ip access-list extended aclIncoming
 permit tcp any host eq smtp
ip access-list extended aclNAT
 deny ip 10.0.0.0 0.0.255.255 192.168.200.0 0.0.0.255
 deny ip 10.6.0.0 0.0.255.255 192.168.200.0 0.0.0.255
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 10.6.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address aclNAT
!

acomiskey Wed, 11/07/2007 - 09:23
Sorry, I shouldn't have assumed this was a pix/asa.


"Should I modify the hosts file on the local mail server so that mail1.mycompany.com points to, for e.g., 192.168.200.1 and mail2.mycompany.com points to 192.168.200.2?"


-That would work.


You could also make the interesting traffic include the public ip of the mail server.


ip access-list extended aclInterestingTraffic
 permit ip 10.0.0.0 0.0.255.255 192.168.200.0 0.0.0.255
 permit ip 10.0.0.13 0.0.0.0 x.x.x.x 0.0.0.0

ip access-list extended aclNAT
 deny ip 10.0.0.0 0.0.255.255 192.168.200.0 0.0.0.255
 deny ip 10.6.0.0 0.0.255.255 192.168.200.0 0.0.0.255
 deny ip 10.0.0.13 0.0.0.0 x.x.x.x 0.0.0.0
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 10.6.0.0 0.0.255.255 any


I think that would work as well. The interesting traffic acl would need to be mirrored on the remote endpoint as well.
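Added example, not part of the thread: a small Python model of how the two access lists above interact on the local router. IOS translates inside-to-outside packets before it matches the crypto map, so the extra deny in aclNAT (used by route-map nonat) has to exempt the mail server's traffic first, or the crypto ACL would see the serial interface's public address as the source and never match. The addresses 203.0.113.25 (standing in for the thread's x.x.x.x) and 192.0.2.1 (standing in for the Serial0/1/0 public address) are RFC 5737 documentation addresses chosen for this example, and the class and function names are this example's own.

```python
import ipaddress

# Constructed placeholders, not values from the thread:
REMOTE_MAIL_PUBLIC = "203.0.113.25"   # the thread's x.x.x.x (remote mail server, public side)
SERIAL_PUBLIC = "192.0.2.1"           # public address of Serial0/1/0 after overload NAT
LOCAL_MAIL_PRIVATE = "10.0.0.13"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


class ExtendedAcl:
    """Minimal model of an IOS extended ACL: first matching entry wins, implicit deny at the end."""

    def __init__(self, name: str):
        self.name = name
        self.entries = []  # (action, src, src_wildcard, dst, dst_wildcard)

    def permit(self, src, src_wc, dst, dst_wc):
        self.entries.append(("permit", src, src_wc, dst, dst_wc))

    def deny(self, src, src_wc, dst, dst_wc):
        self.entries.append(("deny", src, src_wc, dst, dst_wc))

    def permits(self, src: str, dst: str) -> bool:
        for action, s, swc, d, dwc in self.entries:
            if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
                return action == "permit"
        return False  # implicit deny

    def mirrored(self, name: str) -> "ExtendedAcl":
        """Same entries with source and destination swapped: what the remote peer must configure."""
        m = ExtendedAcl(name)
        for action, s, swc, d, dwc in self.entries:
            m.entries.append((action, d, dwc, s, swc))
        return m


def build_local_acls():
    """The crypto ACL and NAT-exemption ACL as proposed in the post above."""
    interesting = ExtendedAcl("aclInterestingTraffic")
    interesting.permit("10.0.0.0", "0.0.255.255", "192.168.200.0", "0.0.0.255")
    interesting.permit("10.6.0.0", "0.0.255.255", "192.168.200.0", "0.0.0.255")
    interesting.permit(LOCAL_MAIL_PRIVATE, "0.0.0.0", REMOTE_MAIL_PUBLIC, "0.0.0.0")

    nat = ExtendedAcl("aclNAT")   # a permit here means route-map nonat applies NAT
    nat.deny("10.0.0.0", "0.0.255.255", "192.168.200.0", "0.0.0.255")
    nat.deny("10.6.0.0", "0.0.255.255", "192.168.200.0", "0.0.0.255")
    nat.deny(LOCAL_MAIL_PRIVATE, "0.0.0.0", REMOTE_MAIL_PUBLIC, "0.0.0.0")
    nat.permit("10.0.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255")   # "any"
    nat.permit("10.6.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255")   # "any"
    return interesting, nat


def classify(src: str, dst: str) -> dict:
    """What the local router does with an inside-to-outside packet: NAT it, tunnel it, or neither."""
    interesting, nat = build_local_acls()
    natted = nat.permits(src, dst)
    # NAT runs before the crypto-map check, so a translated packet carries the serial
    # interface's public address when the crypto ACL looks at it.
    post_nat_src = SERIAL_PUBLIC if natted else src
    tunneled = interesting.permits(post_nat_src, dst)
    return {"nat": natted, "tunnel": tunneled}


def remote_accepts_into_tunnel(src: str, dst: str) -> bool:
    """Check the mirrored crypto ACL the remote endpoint needs for the return direction."""
    interesting, _ = build_local_acls()
    return interesting.mirrored("aclInterestingTraffic-remote").permits(src, dst)


if __name__ == "__main__":
    for flow in [(LOCAL_MAIL_PRIVATE, REMOTE_MAIL_PUBLIC),
                 (LOCAL_MAIL_PRIVATE, "198.51.100.7"),
                 ("10.0.0.99", REMOTE_MAIL_PUBLIC)]:
        print(flow, classify(*flow))
```

The three flows in the usage block show the point: only traffic from 10.0.0.13 to the remote mail server's public address is both exempted from NAT and selected for the tunnel; the same server talking to any other Internet host is translated as before, and any other inside host talking to the remote mail server's public address is translated too, because the host entry is specific to 10.0.0.13.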

netsysadmin Thu, 11/08/2007 - 11:42
I have 2 questions:


1. Let's simulate the sending of a packet by the local mail server to the remote one.

The local mail server sends a packet with src IP of 10.0.0.13 and public dst IP x.x.x.x. When the packet reaches the local router, its src IP is not NATted, but the packet is encrypted and "placed within another packet" having src IP equal to the public IP of the Serial0/1/0 interface and destination IP equal to that of the remote router/firewall. When it reaches the remote device, it is decrypted, i.e., it now has a src IP of 10.0.0.13 and dst IP of x.x.x.x (public IP of remote mail server).


My question is: will the remote device perform NAT after decryption to change the dst IP to 192.168.200.1 or will the packet still have a dst IP of x.x.x.x after decryption?


In the latter case, will the packet be successfully sent to the remote mail server by the remote router/firewall?


2. Let's say the DNS names and/or IP addresses of the remote mail servers change without any notice. Is there a workaround for this situation, without having to manually update the access lists on the router?

acomiskey Thu, 11/08/2007 - 12:51
1. Yes. I believe so, but I am basing this on my experience on a similar situation with 2 ASAs.


2. Not that I know of.


On another note, it may be easier to do something I suggested earlier, destination nat. Basically this will change the destination ip from x.x.x.x to 192.168.200.1, therefore sending the traffic across the tunnel with the new destination ip. If x.x.x.x ever changed you would of course need to update your nat statement in the router. I'm not great with routers but it would be something like this...


interface e0
 ip nat inside
interface e1
 ip nat outside
ip nat outside source static 192.168.200.1 x.x.x.x

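Added example, not part of the thread: every approach discussed here (hosts-file pins, a host entry in the crypto ACL, or a static NAT for x.x.x.x) hard-codes the remote mail servers' names or public addresses, which is exactly the exposure raised in question 2. The script below parses the pinned hosts-file entries and the host-specific crypto ACL lines and compares them with a snapshot of what public DNS currently returns for the domain's MX records, reporting anything that has drifted. The hosts-file text, ACL text and DNS snapshot are constructed sample inputs (203.0.113.x are RFC 5737 documentation addresses standing in for x.x.x.x); in production the snapshot would come from a live MX and A lookup, and the function names are this example's own.

```python
import re

# Constructed sample inputs, not taken from the thread.
HOSTS_FILE = """
# pins so mail for mycompany.com goes to the tunnel-side private addresses
192.168.200.1   mail1.mycompany.com
192.168.200.2   mail2.mycompany.com
"""

CRYPTO_ACL = """
ip access-list extended aclInterestingTraffic
 permit ip 10.0.0.0 0.0.255.255 192.168.200.0 0.0.0.255
 permit ip 10.0.0.13 0.0.0.0 203.0.113.25 0.0.0.0
"""

# Snapshot of what public DNS returns today: mail2 has been retired and mail3 added.
DNS_SNAPSHOT = {
    "mx": ["mail1.mycompany.com", "mail3.mycompany.com"],
    "a": {"mail1.mycompany.com": "203.0.113.25",
          "mail3.mycompany.com": "203.0.113.30"},
}

IPV4 = r"\d+(?:\.\d+){3}"
HOST_LINE = re.compile(rf"^\s*({IPV4})\s+(\S+)")
# A crypto ACL entry whose destination is a single host, in either IOS spelling:
# "<ip> 0.0.0.0" or "host <ip>".
ACL_HOST_DST = re.compile(
    rf"^\s*permit\s+ip\s+\S+\s+\S+\s+(?:host\s+({IPV4})|({IPV4})\s+0\.0\.0\.0)\s*$"
)


def parse_hosts(text: str) -> dict:
    """Return {hostname: pinned_ip} from a hosts file, ignoring comments and blank lines."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = HOST_LINE.match(line)
        if m:
            pins[m.group(2).lower()] = m.group(1)
    return pins


def parse_acl_public_hosts(text: str) -> set:
    """Return the destination addresses the crypto ACL selects as single hosts."""
    hosts = set()
    for line in text.splitlines():
        m = ACL_HOST_DST.match(line)
        if m:
            hosts.add(m.group(1) or m.group(2))
    return hosts


def find_drift(pins: dict, acl_hosts: set, dns: dict) -> dict:
    """Compare the static configuration against current DNS and list every mismatch."""
    mx = {name.lower() for name in dns["mx"]}
    current_ips = {dns["a"][name] for name in mx if name in dns["a"]}
    return {
        # MX hosts that would resolve to a public IP and miss the tunnel
        "unpinned_mx": sorted(mx - set(pins)),
        # pins for hosts the domain no longer advertises as MX
        "stale_pins": sorted(set(pins) - mx),
        # public IPs of current MX hosts that the crypto ACL does not select
        "unlisted_public_ips": sorted(current_ips - acl_hosts),
        # crypto ACL host entries that no longer belong to any MX host
        "stale_acl_ips": sorted(acl_hosts - current_ips),
    }


def drift_report() -> dict:
    return find_drift(parse_hosts(HOSTS_FILE), parse_acl_public_hosts(CRYPTO_ACL), DNS_SNAPSHOT)


if __name__ == "__main__":
    for key, items in drift_report().items():
        print(f"{key}: {items or 'ok'}")
```

Run from cron against a live lookup, a non-empty list in any category is the signal to update the hosts file or the access lists before mail starts leaving in the clear; it does not remove the manual step the reply above describes, but it turns a silent change into a visible one.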
