Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

SMTP out with VPN?

I Don't exactly understand this, but after recently setting up a PIX 501 and establishing a VPN between two offices, I at the time tested email and only emailed to myself which worked, but was only within the same email pop3 server.

Since that time my users in the remote office have informed me that they are unable to email anyone outside our They receive emails just fine, but cant send.

The message is:

The following recipient(s) could not be reached:

'***' on 01/04/2003 11:48 AM

550 5.7.1 <***>... Relaying denied. Please check your mail first.

Now the part that confuses me is that I have a permit IP any on outbound traffic. That shouldnt be limiting smtp traffic out.

Is the VPN possibly causing the mail to attempt to jump across the VPN to send out and that the issue? If so, is there a way for me to tell the firewall to directly send smtp traffic out to the internet?




Re: SMTP out with VPN?

Is this a mesage they recieve in the form of an e-mail from the e-mail server? The first thing that popped to mind was that since they are at a different IP address the e-mail server sees them as an outside entitiy trying to relay out the SMTP in the same manner as a spammer would do. Is this an Exchange box? If so then it can be corrected by allowing certain IP address to relay.

New Member

Re: SMTP out with VPN?

Yes, it is a message they receive from the email server as an undeliverable.

Our email is run outside the company for the time being. It is a pop3 server at that I just setup the outlook clients to point to for both pop3 and smtp.

So if the email server sees smtp traffic coming from x.x.71.8 which is the outside interface of that PIX, are you saying it might not think that IP is allowable?

Just for histories sake, I took out a VPN supplied by the ISP (DSL) and the same external IP addresses were used there and I didnt have any issues then, but I also couldnt tell you what sort of rulesets they had on those routers that did the VPN and NAT'ing.

New Member

Re: SMTP out with VPN?

Hi Dave,

From what you describe here is seems that your mail server is on network. Just wanted you to check if you have a "global" statement on your configs using which outbound connection from your network to the INTERNET is made.

If not i suggest you add a global statement with a public IP Addresses using which outbound traffic can flow.

From the NDR which you have mentioned it clearly seems that the PIX Cannot communicate on SMTP outbound to any other mail server on the open internet.



New Member

Re: SMTP out with VPN?

Im sorry, I must not have described it well. The mail server is external. That server is on x.x.6.213. I do not control that server, it is controlled by an ISP as a service we are renting.

The clients from the main office,, all connect and send to email fine through the 515e placed in that office.

The clients from the remote office,, can connect and pull down email from pop3, but cannot send email via smtp.

The access-lists on both pix's has a permit (or 51.0 respectively) to any.

On the remote site with the 501 I have a global and nat statements as such:

global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 0 0

New Member

Re: SMTP out with VPN?

If anyone has any more ideas on this, I would greatly appreciate it, I need to get this offices emails going out as soon as possible.


New Member

Re: SMTP out with VPN?

I guess u r not able to connect on SMTP after your VPN/Firewall implementation. Can u check a) whether u are able to connect on SMTP to your mail server. I mean can u do a telnet x.x.6.213 25 and see if you can connect.

If u cant i guess the SMTP is going thru the NAT 0 command and hence unable to connect. U would need to check ACL inside_nat0_outbound in that scenario.

New Member

Re: SMTP out with VPN?

yes, i can connect via smtp at that office. Now something that sorta dawns on me here, I only have one DNS server, and its located at my 515e site. The 501 site users that cant send email out are getting their dns over the vpn from the 515e site.

Im gonna try going over to that site and changing the email smtp from the dns name to the actual ip address and see if it makes a difference,

if anyone can think of anything else that would help, I appreciate it.


CreatePlease to create content