Enable SMTP Services in VPN

Answered Question
Jul 7th, 2010

Hi

I configured the ASA so that remote VPN users can access our internal Exchange server and sync with the email system, and they should also be able to access LAN servers over the VPN. Earlier we configured two servers (10.10.10.170 and 10.10.10.112) for different services. Now we need to configure access for remote VPN users to our Exchange server (10.10.10.8), and they should also be able to ping it. When I configured it without SMTP they could ping each other, but when I configured it with SMTP they cannot ping, and the other site is also unable to ping. I have marked my new configuration with a colored underline. Any help would be highly appreciated. Please have a look at my configuration in the attachment.

Thanks

Aminul

Attachment: 
Correct Answer by Diego Armando C... Wed, 07/07/2010 - 10:41

Why don't you just leave the ACL



access-list inside_nat0_outbound extended permit ip host 10.10.10.8 192.168.100.0 255.255.255.0 (Newly added this exchange IP It's ping each other )



With that ACL, traffic from 10.10.10.8 to 192.168.100.0 will NOT be NATed. This includes ALL IP (ICMP, TCP, UDP, etc.). With the second line, ONLY traffic from 10.10.10.8 to 192.168.100.0 on port 25 will be processed by the no-NAT rule.


The ACL is wrong for several reasons. First, the destination port is not 25... that would be the source port, so it would be like


permit tcp host 10.10.10.8 eq smtp 192.168.100.0 255.255.255.0

and NOT

permit tcp host 10.10.10.8 192.168.100.0 255.255.255.0 eq smtp



Go ahead and work with the ACL: permit ip host 10.10.10.8 192.168.100.0 255.255.255.0




Is that a problem?
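As an added illustration (not code from the thread or from Cisco), the Python below models how an ASA extended ACE selects a flow, to show why the position of "eq smtp" matters in the nat0 (NAT exemption) ACL: that ACL is evaluated on the inside-to-VPN direction, where the Exchange server is the source, so the server's SMTP port is the source port. The three ACE lines are the ones discussed above; the VPN client address 192.168.100.5 and the two flows are constructed samples, and only the ACL subset used here (ip/tcp/udp/icmp, host or network/mask, eq) is parsed.

```python
import ipaddress

# Port names used in the thread (assumption: only this subset is needed).
PORT_NAMES = {"smtp": 25}

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr(toks, i):
    # 'host A' is a /32; otherwise ASA writes 'NETWORK MASK' with a dotted mask.
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2

def parse_ace(line):
    """Parse 'access-list NAME extended permit PROTO SRC [eq P] DST [eq P]'."""
    toks = line.split()
    i = toks.index("permit") + 1
    proto, i = toks[i], i + 1
    src, i = _addr(toks, i)
    sport = None
    if i < len(toks) and toks[i] == "eq":          # port written after SOURCE
        sport, i = _port(toks[i + 1]), i + 2
    dst, i = _addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":          # port written after DESTINATION
        dport = _port(toks[i + 1])
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def matches(ace, proto, src, dst, sport=None, dport=None):
    """True if a flow, as it leaves the inside interface, is selected by the ACE."""
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and sport != ace["sport"]:
        return False
    if ace["dport"] is not None and dport != ace["dport"]:
        return False
    return True

# The three candidate lines from the thread.
ACE_DPORT = parse_ace("access-list inside_nat0_outbound extended permit tcp host 10.10.10.8 192.168.100.0 255.255.255.0 eq smtp")
ACE_SPORT = parse_ace("access-list inside_nat0_outbound extended permit tcp host 10.10.10.8 eq smtp 192.168.100.0 255.255.255.0")
ACE_IP = parse_ace("access-list inside_nat0_outbound extended permit ip host 10.10.10.8 192.168.100.0 255.255.255.0")

# Constructed sample flows, inside -> VPN pool: Exchange's SMTP reply and an ICMP echo reply.
SMTP_REPLY = dict(proto="tcp", src="10.10.10.8", dst="192.168.100.5", sport=25, dport=50432)
ICMP_REPLY = dict(proto="icmp", src="10.10.10.8", dst="192.168.100.5")
```

Running matches() over the two flows shows that the line with "eq smtp" after the destination never selects the server's SMTP replies, the line with it after the source selects SMTP but not ICMP, and the plain "permit ip" line selects both.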


aminulnt Wed, 07/07/2010 - 11:34

Hi

Thank you so much for your reply. You're right. If I add this command (access-list inside_nat0_outbound extended permit ip host 10.10.10.8 192.168.100.0 255.255.255.0) it also works. Is it wondering?


Aminul

Diego Armando C... Wed, 07/07/2010 - 12:34

What do you mean with "Is it wondering?"


Sorry I did not understand.

aminulnt Wed, 07/07/2010 - 12:55

Hi

Sorry for any misunderstanding. I mean, if I apply only this command (access-list inside_nat0_outbound extended permit ip host 10.10.10.8 192.168.100.0 255.255.255.0), it also works. Remote-site VPN users can send and receive mail.

Thanks

Aminul
