Enable SMTP Services in VPN

Answered Question
Jul 7th, 2010

Hi

I did configure ASA for remote VPN users to access internal Exchange server and sync with email system. And they should be able to access LAN servers using the VPN. Before we did configure two servers (10.10.10.170 and 10.10.10.112) for different service. Now we need to configure for remote VPN user to access our Exchange server (10.10.10.8) also they can ping. I configured it without SMTP and they can ping each other and when I configured with SMTP they can not ping also other site also unable to ping. I have marked my new configuration with color underline. Any help would be highly appreciated. Please have a look attachment my configuration.

Thanks

Aminul

Attachment: 
I have this problem too.
0 votes
Correct Answer by Diego Armando C... about 6 years 6 months ago

Why you don just leave the ACL

access-list inside_nat0_outbound extended permit ip host 10.10.10.8 192.168.100.0 255.255.255.0 (Newly added this exchange IP It's ping each other )

With that ACL traffico from 10.10.10.8 to 192.168.100.0 will NOT be NATed.. This include ALL IP (ICMP TCP UDP ...etc)  With the second line ONLY traffic from 10.10.10.8 to 192.168.100.0 on port 25 will be proccess by the not NAT.

The ACL es wrong for several reasons. First the Destination port is not 25... that would be the source port so I would be like

permit host 10.10.10.8 eq smtp 192.168.100.0 255.255.255.0

and NOT

permit tcp host 10.10.10.8 192.168.100.0 255.255.255.0 eq smtp

Go aheah and work with the ACL ......permit ip host 10.10.10.8 192.168.100.0 255.255.255.0

Is That a problem?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Correct Answer
Diego Armando C... Wed, 07/07/2010 - 10:41

Why you don just leave the ACL

access-list inside_nat0_outbound extended permit ip host 10.10.10.8 192.168.100.0 255.255.255.0 (Newly added this exchange IP It's ping each other )

With that ACL traffico from 10.10.10.8 to 192.168.100.0 will NOT be NATed.. This include ALL IP (ICMP TCP UDP ...etc)  With the second line ONLY traffic from 10.10.10.8 to 192.168.100.0 on port 25 will be proccess by the not NAT.

The ACL es wrong for several reasons. First the Destination port is not 25... that would be the source port so I would be like

permit host 10.10.10.8 eq smtp 192.168.100.0 255.255.255.0

and NOT

permit tcp host 10.10.10.8 192.168.100.0 255.255.255.0 eq smtp

Go aheah and work with the ACL ......permit ip host 10.10.10.8 192.168.100.0 255.255.255.0

Is That a problem?

aminulnt Wed, 07/07/2010 - 11:34

Hi

Thank you so much for your reply.You right.If i add this command (access-list inside_nat0_outbound extended permit ip host 10.10.10.8 192.168.100.0 255.255.255.0) it also working.Is it wondering?

Aminul

aminulnt Wed, 07/07/2010 - 12:55

Hi

Sorry for any misunderstanding .I mean if apply only this command (access-list inside_nat0_outbound extended permit ip host 10.10.10.8 192.168.100.0 255.255.255.0).It also working. Remote site vpn user can send and receive mail.

Thanks

Aminul

Actions

This Discussion