L2L Tunnel not allowing SMTP communication

Answered Question
Aug 30th, 2010

I have a LAN-to-LAN VPN tunnel established between a Cisco ASA 5505 and a Cisco 2811, but for some reason I am unable to get SMTP communication between the two LANs over the tunnel. Do I need to create a specific access rule for SMTP? The 2811's internal IP scheme is 10.4.167.X, and the ASA 5505's internal IP scheme is 192.168.1.0. I've attached the running-configs for both the ASA and the 2811. The tunnel establishes successfully, I can map drives and replicate DNS data without any problems, but cannot send email (SMTP) through the tunnel. Any help would be greatly appreciated.

Richard Burts Mon, 08/30/2010 - 10:32

I have looked through the configs, focusing on the VPN configuration. I do not see obvious issues in the config. So we need to dig a bit deeper into the issue. Can you tell us who (what device/what address) is sending SMTP and to whom it is sending it?


Also to clarify, are we talking real SMTP (mail server to mail server) or are we talking mail client to mail server?


HTH


Rick

kltconsulting Mon, 08/30/2010 - 10:44

The mail server resides on the 10.4.167.x network. Its IP is 10.4.167.102. This is the side of the 2811 router. On the other end (with the ASA), I have clients connected to that mail server using Outlook. They can connect to the server successfully to create their Outlook profiles, but when they attempt to send email, an error is generated that there is no SMTP server available. If I go into the ASA network and type: telnet 10.4.167.102 25 (to establish a connection with the SMTP server for SMTP testing purposes), it will not connect, generating an error that reads: Could not open a connection to the host on port 25: Connect failed.

Nagaraja Thanthry Mon, 08/30/2010 - 11:14

Hello,


The issue is due to the NAT rule you have configured.


ip nat inside source static tcp 10.4.167.102 25 <2811 Public IP> 25 extendable

It will force the router to use NAT for all outgoing packets. Please try the
following:

access-list 199 deny tcp host 10.4.167.102 eq 25 192.168.1.0 0.0.0.255
access-list 199 permit tcp host 10.4.167.102 eq 25 any

route-map Mail
match ip address 199
exit

ip nat inside source static tcp 10.4.167.102 25 <2811 Public IP> 25 route-map Mail extendable


Hope this helps.


Regards,


NT

kltconsulting Mon, 08/30/2010 - 13:27

That makes perfect sense. If I remove the NAT statement that forwards inbound email to my server, I can connect using the telnet command from the remote network just fine. However, I added the statements which you recommended and it still does not work. Was there a reason for creating a separate route map than the one currently in use? Couldn't I just add the access-list statements to my current NAT rules that are used by the route map already deployed? For example, I have NAT rule 104 which is used by route map SDM_RMAP_1. Couldn't I create your rule entries there, instead of creating an entirely new route map called Mail?

kltconsulting Mon, 08/30/2010 - 14:10

Alright, I made the modifications to the current NAT rule entry, but I'm still unable to access SMTP from the remote network. Any other ideas?

Nagaraja Thanthry Mon, 08/30/2010 - 14:48

Hello,


Can you post the current configuration with the route-maps applied?


Regards,


NT

manish arora Tue, 08/31/2010 - 09:24

Hi,

If you are able to connect with the SMTP server on port 25, create Outlook profiles etc. over the VPN, then it sounds more like an MTU issue with the DF bit set to me. Try the following from a user machine to the SMTP server:


c:\user> ping -l 1300 -f 10.4.167.102


Thanks

manish

kltconsulting Tue, 08/31/2010 - 09:40

I am not able to access the SMTP server without removing the current static NAT rule that routes all inbound SMTP packets to our internal email server (ip nat inside source static tcp 10.4.167.102 25 <2811 Public IP> 25 extendable). If I remove that NAT statement, then I'm able to connect successfully by using the 'telnet 10.4.167.102 25' command from the remote peer network. The problem is that I need that statement in there, so that inbound Internet email gets routed successfully. I just need to figure out a way to not NAT SMTP traffic that is traveling through the tunnel from the remote peer network. I entered the commands that were suggested by NTHANTHR (he was correct in his assessment of the problem), but still have the same issues.

Nagaraja Thanthry Tue, 08/31/2010 - 10:24

Hello,


I just tested this setup in my lab and it works fine. Please try the
original configuration I had suggested:

access-list 101 deny tcp host 10.4.167.102 eq 25 192.168.1.0 0.0.0.255
access-list 101 permit tcp host 10.4.167.102 eq 25 any

route-map Mail
match ip address 101
exit

ip nat inside source static tcp 10.4.167.102 25 "2811 public ip" 25 route-map Mail extendable

This will ensure that the traffic from the mail server is not NATed when going
to the remote VPN subnets.


Hope this helps.


Regards,


NT

Nagaraja Thanthry Tue, 08/31/2010 - 11:12

Hello,


Also, do not forget to remove the old static for the mail server before
adding the new one.


Regards,


NT

kltconsulting Tue, 08/31/2010 - 11:23

I'm entering the statements as follows, but keep getting an error when I try to re-enter the static NAT rule:


CISCO2811#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CISCO2811(config)#access-list 104 deny tcp host 10.4.167.102 eq 25 192.168.1.0$
CISCO2811(config)#access-list 104 permit tcp host 10.4.167.102 eq 25 any
CISCO2811(config)#route-map SDM_RMAP_
CISCO2811(config-route-map)#match ip address 104
CISCO2811(config-route-map)#exit

CISCO2811(config)#ip nat source static tcp 10.4.167.102 <2811 Public IP> 25 route-map SDM_RMAP_1
ip nat source static tcp 10.4.167.102 <2811 Public IP> 25 route-map SDM_RMAP_1
                                                                                    ^
% Invalid input detected at '^' marker.

CISCO2811(config)#ip nat source static TCP 10.4.167.102 25 <2811 Public IP> 25 route-map SDM_RMAP_1
ip nat source static TCP 10.4.167.102 25 <2811 Public IP> 25 route-map SDM_RMAP_1
                                                                                           ^
% Invalid input detected at '^' marker.

kltconsulting Tue, 08/31/2010 - 11:26

The marker was under the r at route-map SDM_RMAP_1. My post didn't show that very well.

Correct Answer
Nagaraja Thanthry Tue, 08/31/2010 - 11:34

Hello,


Did you remove the existing NAT statement before entering the new one? Also,
I noticed that the name of the route-map seems to be different (not
SDM_RMAP_1):

CISCO2811(config)#route-map SDM_RMAP_
CISCO2811(config-route-map)#match ip address 104
CISCO2811(config-route-map)#exit


Regards,


NT

kltconsulting Tue, 08/31/2010 - 12:27

You're the MAN!!!!! Thank you soooooo much. That resolved it. I had mistyped the SDM_RMAP_1 as you pointed out.

Everything appears to be working now. Again, thank you for your efforts in helping me resolve this.
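As an added example (not a configuration posted in this thread), here is the 2811-side change the thread converges on, consolidated into one block with the ACL, the route-map name, and the `inside` and `extendable` keywords all present, followed by the show commands used to confirm the exemption. ACL 101 and route-map `Mail` follow NT's suggestion; `<2811 Public IP>` is the page's placeholder for the router's outside address.

```cisco
! Cisco IOS, 2811 side. Constructed example; <2811 Public IP> is a placeholder.
!
! 1. Remove the unconditional static PAT first. It translated every packet the
!    mail server sent from TCP/25, including replies to VPN clients, and IOS
!    applies inside->outside NAT before encryption, so the translated packets no
!    longer matched the crypto ACL and were sent in the clear instead of tunneled.
no ip nat inside source static tcp 10.4.167.102 25 <2811 Public IP> 25 extendable
!
! 2. Policy ACL for the static entry: deny = do NOT translate, permit = translate.
!    The first line exempts mail-server traffic bound for the LAN behind the ASA.
access-list 101 deny   tcp host 10.4.167.102 eq 25 192.168.1.0 0.0.0.255
access-list 101 permit tcp host 10.4.167.102 eq 25 any
!
! 3. Route-map referencing the ACL. The name must match exactly in step 4;
!    a truncated name (SDM_RMAP_ vs SDM_RMAP_1) is what bit the thread's author.
route-map Mail permit 10
 match ip address 101
!
! 4. Re-add the static PAT, now conditioned on the route-map. The "inside" and
!    "extendable" keywords are both required for this port-specific form.
!    Note that this entry still exposes TCP/25 of 10.4.167.102 to the Internet
!    by design; the route-map narrows what gets translated, not what is reachable.
ip nat inside source static tcp 10.4.167.102 25 <2811 Public IP> 25 route-map Mail extendable
!
! 5. Verification (exec mode):
! show route-map Mail            -> match clause references access-list 101
! show access-lists 101          -> deny counter rises when a VPN client talks to TCP/25
! show ip nat translations       -> only Internet-bound TCP/25 sessions are translated
! show crypto ipsec sa           -> #pkts encaps/decaps increment for 192.168.1.0 <-> 10.4.167.102
```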
