I have an issue at a client with an IPsec site-to-site VPN set up on a Cisco 877 router. The issue is partially described here http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
but with some differences.
Firstly, the client has an SBS server that static NATs have been configured to port forward 25 and 443 to,
e.g.: ip nat inside source static tcp 192.168.0.2 25 interface Dialer0 25.
The remote site network is a public IP range, not a private one, and has rules that restrict the VPN to RDP and web ports from our private network.
There is an ACL to tell the router not to NAT the private (our network) to public (remote site) traffic. I haven't configured a route map as I actually want the static NAT to take precedence.
The VPN works fine except for mail. The remote site has a mail server that cannot send mail to the SBS server. What I see happening is the remote site tries to send mail to our external address using our MX record; this traffic arrives unencrypted and I see the translation in show ip nat translations. But the connection times out. When I try to send mail from the SBS server to the remote site, there is no translation in the table and again the connection times out. I am assuming that in my case the static translation is not taking precedence.
This is confusing me, as if static NAT worked as described in the above article without the use of a route map I wouldn't have an issue.
Has anybody else seen this behaviour?
I read somewhere that NAT access-lists don't work with port numbers. I was thinking of putting in deny statements based only on the ports allowed over the VPN in the NAT ACL.
Any help would be appreciated.
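The configuration pattern the question is circling, as an added example that is not the poster's configuration or the Cisco article's: the NAT exemption ACL, the dynamic PAT rule that uses it, and the static port forwards bound to a route-map so that the same exemption applies to them. On IOS a static entry is evaluated before the dynamic list, so a deny in the dynamic list cannot exempt a host that also has a static entry; the route-map on the static entry is what does that. Assumptions: the LAN is 192.168.0.0/24 (only 192.168.0.2 appears in the post), the remote site's public range is the documentation prefix 198.51.100.0/24, the names NONAT, NONAT-RM and VPN-TRAFFIC are arbitrary, and the 877's IOS release accepts `route-map` on a static `tcp` entry (it is documented for static entries; confirm on the box with `?` before relying on it).

```cisco
! Added example, not the poster's running config. Assumed values:
!   LAN            192.168.0.0/24   (SBS server 192.168.0.2 is from the post)
!   remote site    198.51.100.0/24  (documentation prefix used as a placeholder)
!   WAN interface  Dialer0          (from the post)
!
! Exemption list: LAN-to-remote-site traffic is denied (left untranslated);
! everything else from the LAN is permitted (translated).
ip access-list extended NONAT
 deny   ip 192.168.0.0 0.0.0.255 198.51.100.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
! Dynamic PAT for Internet-bound traffic, driven by the exemption list.
ip nat inside source list NONAT interface Dialer0 overload
!
! Route-map wrapping the same list, so the static entries below follow it.
route-map NONAT-RM permit 10
 match ip address NONAT
!
! Static port forwards. Without the route-map these are applied before the
! dynamic list is consulted, so SBS-to-remote-site packets would be
! translated to the Dialer0 address and never match the crypto ACL.
ip nat inside source static tcp 192.168.0.2 25  interface Dialer0 25  route-map NONAT-RM extendable
ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443 route-map NONAT-RM extendable
!
! Crypto ACL: the mirror image of the NONAT deny line. The remote router's
! crypto ACL must be the exact reverse of this one.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 198.51.100.0 0.0.0.255
!
! Verification after a test connection from 192.168.0.2 to a remote host:
!   show ip nat translations    -> no entry for the SBS-to-remote flow
!   show crypto ipsec sa        -> #pkts encaps increasing for VPN-TRAFFIC
```

This only keeps inter-site mail inside the tunnel if the remote mail server delivers to 192.168.0.2 (the address the crypto ACLs cover) rather than to the public MX address. A connection that arrives in the clear at Dialer0 from the remote site's public range is answered by a packet whose source, once it is not statically translated, matches VPN-TRAFFIC and is encrypted, so the two sites must agree on a single path for SMTP; the inside-to-outside order of operations on IOS is routing, then NAT, then encryption, which is why the NAT exemption has to happen before the crypto ACL is consulted.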