We have two sites (Site A and Site B).
Between these two sites we normally have a site-to-site tunnel which works fine.
The match clause for the tunnel covers only the LAN networks on both sides.
Additionally we have an SMTP server on the LAN at Site B which is reachable over the official (public) IP of Site B from our mobile workers via NAT.
Both situations work fine!
Now we want to access the SMTP server at Site B from Site A (PAT to a public IP) over the Internet.
That doesn't work!
If we remove the site-to-site tunnel between A & B, then we can access the SMTP server in LAN B over the Internet.
Any idea? Should that be possible?
"Now we want to access the SMTP server at Site B from Site A (PAT to a public IP) over the Internet. That doesn't work!"
I believe it is a DNS issue: your Site A users are using the private address of the SMTP server located at Site B, and secondly you cannot PAT, NAT or static-NAT a public IP address which is not routed to a circuit at Site A.
I assume the SMTP server is located at Site B and a public-to-private static NAT is in place at Site B, as per your description.
We use the public IP of Site B for SMTP; port 25 requests to it are forwarded to the SMTP server.
If we clear the tunnel config from Site B (ASA), the request to the SMTP server works .........
"We use the public IP of Site B for SMTP; port 25 requests to it are forwarded to the SMTP server."
Is your SMTP server's private address part of the interesting traffic at Site B for the VPN tunnel?
When you do an nslookup at Site A for the SMTP FQDN, what IP address is returned?
Looking forward to hearing from you.
Another option could be to remove that traffic from the nat 0 ACL and the crypto ACL, because the thing is that the traffic is going over the VPN tunnel.
Do rate all the helpful posts.
Apply an access-list on the tunnel: deny this SMTP traffic and then apply it on the interface.
Last week I met the same problem.
crypto isakmp policy 1
crypto isakmp key asindiaplus address x.x.x.x
!
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
!
crypto map HQ-IND-MAP 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set 3DES-SHA-HMAC
 match address 101
!
! outside interface (FastEthernet0/0, the one named in the overload statement below)
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address x.x.x.x 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 crypto map HQ-IND-MAP
!
! inside interface, both LANs on one interface
 ip address 10.126.168.1 255.255.255.0 secondary
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1436
!
! two unused serial interfaces
 no ip address
 clock rate 2000000
!
 no ip address
 clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
! PAT for Internet traffic is gated by route-map VPN_PAT (ACL 102) so that
! tunnel traffic is NOT translated before the crypto map sees it
ip nat inside source route-map VPN_PAT interface FastEthernet0/0 overload
ip nat inside source static 10.126.168.60 x.x.x.x
no crypto ipsec nat-transparency udp-encapsulation
!
! ACL 10 is not referenced anywhere in the pasted output
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 10.126.168.0 0.0.0.255
! ACL 101: crypto "interesting traffic", LAN -> the remote host only
access-list 101 permit ip 10.126.168.0 0.0.0.255 host x.x.x.x
! ACL 102: the deny line exempts the tunnel traffic from PAT; everything else
! (including Internet-bound SMTP) is PATed and routed in the clear
access-list 102 deny ip 10.126.168.0 0.0.0.255 host x.x.x.x
access-list 102 permit ip 10.126.168.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
!
route-map VPN_PAT permit 10
 match ip address 102
(please rate if helpful)
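The thread's two failure modes (tunnel traffic being PATed before the crypto map sees it, and an over-broad NAT exemption swallowing Internet-bound SMTP) both come down to order of operations on the outside interface: NAT is applied first, then the translated packet is compared with the crypto ACL. The script below is an added example written for this page, not code from the thread or from Cisco; it models that order against the posted ACL 101 / ACL 102 / route-map VPN_PAT configuration. The addresses are assumptions: RFC 5737 ranges stand in for the x.x.x.x placeholders (the remote host in ACL 101, the FastEthernet0/0 outside address, and Site B's public SMTP address).

```python
"""Model of the outbound order of operations on a Cisco box: NAT first, then
the crypto-map check on the translated packet. Added example; addresses are
RFC 5737 stand-ins for the x.x.x.x placeholders in the posted config."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry; src/dst are CIDR strings ("0.0.0.0/0" == any)."""
    action: str                  # "permit" or "deny"
    src: str
    dst: str
    dport: Optional[int] = None  # None == any port


ANY = "0.0.0.0/0"
SITE_A_LAN = "10.126.168.0/24"
SECOND_LAN = "192.168.0.0/24"
INSIDE_NETS = [SITE_A_LAN, SECOND_LAN]
PEER_LAN_HOST = "203.0.113.10/32"   # assumed: the "host x.x.x.x" in ACL 101/102
OUTSIDE_IP = "192.0.2.1"            # assumed: FastEthernet0/0 address used for PAT
SMTP_PUBLIC = "198.51.100.25"       # assumed: Site B public IP forwarding tcp/25


def acl_permits(acl: List[Ace], flow: Flow) -> bool:
    """First-match evaluation with the implicit deny at the end, as IOS/ASA do."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in acl:
        if (s in ipaddress.ip_network(ace.src)
                and d in ipaddress.ip_network(ace.dst)
                and (ace.dport is None or ace.dport == flow.dport)):
            return ace.action == "permit"
    return False


def egress(flow: Flow, crypto_acl: List[Ace], pat_acl: List[Ace]) -> dict:
    """What the outside interface does with an inside->outside packet.

    1. NAT: if the route-map ACL permits the flow, the source becomes the
       outside address; flows the route-map denies keep their private source.
    2. Crypto map: the translated packet is matched against the crypto ACL;
       a hit means encrypt into the tunnel, otherwise route in the clear.
    """
    if acl_permits(pat_acl, flow):
        flow, nat = replace(flow, src=OUTSIDE_IP), "pat"
    else:
        nat = "none"
    path = "tunnel" if acl_permits(crypto_acl, flow) else "clear"
    return {"nat": nat, "path": path, "src_on_wire": flow.src}


def private_source_leaks(result: dict) -> bool:
    """True when a packet leaves in the clear with an inside (RFC 1918) source:
    it will never get a reply and exposes the internal addressing."""
    src = ipaddress.ip_address(result["src_on_wire"])
    return result["path"] == "clear" and any(
        src in ipaddress.ip_network(n) for n in INSIDE_NETS)


# access-list 101 (crypto match address): only Site A LAN -> the remote host
CRYPTO_ACL_101 = [Ace("permit", SITE_A_LAN, PEER_LAN_HOST)]

# access-list 102 behind route-map VPN_PAT: exempt tunnel traffic, PAT the rest
PAT_ACL_102 = [
    Ace("deny", SITE_A_LAN, PEER_LAN_HOST),
    Ace("permit", SITE_A_LAN, ANY),
    Ace("permit", SECOND_LAN, ANY),
]

# Variant 1: deny line missing, so VPN traffic is PATed before the crypto check
PAT_ACL_NO_EXEMPTION = PAT_ACL_102[1:]

# Variant 2: exemption too broad ("nat 0" style deny to any), the case the thread
# tells the poster to tighten: Internet-bound SMTP keeps its private source
PAT_ACL_BROAD_EXEMPTION = [Ace("deny", SITE_A_LAN, ANY)] + PAT_ACL_102[1:]

VPN_FLOW = Flow("10.126.168.20", "203.0.113.10", 445)  # LAN A -> remote LAN host
SMTP_FLOW = Flow("10.126.168.20", SMTP_PUBLIC, 25)     # LAN A -> Site B public IP


if __name__ == "__main__":
    for name, pat in [("posted config", PAT_ACL_102),
                      ("missing deny", PAT_ACL_NO_EXEMPTION),
                      ("exemption too broad", PAT_ACL_BROAD_EXEMPTION)]:
        for label, flow in [("vpn", VPN_FLOW), ("smtp", SMTP_FLOW)]:
            r = egress(flow, CRYPTO_ACL_101, pat)
            print(f"{name:20} {label:5} nat={r['nat']:4} path={r['path']:6} "
                  f"src={r['src_on_wire']:14} leak={private_source_leaks(r)}")
```

With the posted configuration the VPN flow stays untranslated and is encrypted, while the SMTP flow is PATed and routed in the clear; drop the deny line and the VPN flow is PATed first and silently misses the crypto map, widen the deny to "any" and the SMTP flow leaves with a 10.x source that nothing on the Internet will answer. On a real IOS router the same two facts are visible in `show ip nat translations` (is the VPN flow being translated?) and `show crypto ipsec sa` (are encaps counters rising for the SMTP flow?).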
Hello all!
Any additional hints?
- I'm now sure that it has to do with the update from 8.0 to 8.4.2;
before that the problem was not there.
- The reason for the issue is somewhere in the NAT.
After some more investigation we deleted the tunnel and configured it anew;
a "show conf" displays no difference, but now it works!!!
Thanks for your replies!