Cisco Support Community

New Member

External SMTP from client initiates ISAKMP

In the past month we have suddenly become unable to receive inbound SMTP traffic from a specific client.

After some packet capture footwork it appears that whenever the external mail server tries to access our internal mail server via SMTP, our PIX treats the connection as a VPN session, as is noted by the ISAKMP transaction that is initiated.

It turns out that the external mail server is on the same network as a Lan-2-Lan that we have set up at a colo. I'm under the impression that perhaps our Lan-2-Lan setup between our 515E and the ASA5510 on the colo end is misconfigured and, instead of simply passing SMTP traffic to the server, tries to initiate a VPN session.

I'd be happy to provide further details but wanted to put the basics out there to see if anyone had some suggestions I could follow up on.

I'm currently unable to disable the lan-2-lan due to service disruption at this time but think that this would quickly confirm whether the lan-2-lan is the actual culprit.

Thanks in advance for any input.


Cisco Employee

Re: External SMTP from client initiates ISAKMP

If you can see the incoming TCP SYN towards your local mail server, the remote side is correctly configured and NOT trying to encrypt that traffic. Otherwise, the remote side would first try to establish an IKE and then an IPSec SA with your side.

Looks like you have to tune your ACL - the one that defines traffic to be encrypted. Say the remote LAN is, and the remote mail server is - the ACL should then be something like:

deny [local_net] host

permit [local_net]

Check the ACLs on the other side too - remember that for this to work, the ACLs have to be mirror images.
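The crypto ACL change the reply describes, written out for both ends of the tunnel. This is an added example, not configuration from either poster; all addresses are hypothetical (local LAN 10.1.0.0/16 behind the PIX 515E, colo LAN 10.2.0.0/16 behind the ASA 5510, colo mail server 10.2.0.25) and the ACL and crypto map names are made up. The point of the example is the ordering: a crypto ACL is first-match, so the host-specific deny must sit above the network-wide permit, or the permit will still pull the mail server's traffic into the tunnel and trigger IKE.

```text
! ---- PIX 515E (local side), hypothetical names and addresses ----
! Exclude the colo mail server from the interesting-traffic ACL.
! The deny MUST precede the permit: crypto ACLs are evaluated first-match.
access-list L2L_CRYPTO deny   ip 10.1.0.0 255.255.0.0 host 10.2.0.25
access-list L2L_CRYPTO permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO

! ---- ASA 5510 (colo side), mirror image of the above ----
! Same two entries with source and destination swapped, deny first.
access-list L2L_CRYPTO extended deny   ip host 10.2.0.25 10.1.0.0 255.255.0.0
access-list L2L_CRYPTO extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO

! ---- Verification after the change ----
! Hit counts on the deny line should climb while the mail server talks to you:
show access-list L2L_CRYPTO
! No IPSec SA should list the mail server host in its local/remote ident:
show crypto ipsec sa
! ISAKMP state for the peer (PIX 6.x: show isakmp sa; ASA 7.x: show crypto isakmp sa)
show crypto isakmp sa
```

Two checks worth doing alongside the ACL edit: if the tunnel also relies on a `nat (inside) 0 access-list` exemption, give that ACL the same host deny so the mail server's flows are treated like any other Internet traffic rather than as tunnel traffic; and if the tunnel is already up, the old SA may still carry the host-to-network traffic until it is cleared or expires, so re-test after the SA is rebuilt rather than immediately.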