In the past month we have suddenly become unable to receive inbound smtp traffic from a specific client.
After some packet capture footwork it appears that whenever the external mail server tries to access our internal mail server via smtp our PIX treats the connection as a VPN session as is noted by the ISAKMP transaction that is initiated.
It turns out that the external mail server is on the same network as a Lan-2-Lan that we have set up at a colo. I'm under the impression that perhaps our Lan-2-Lan setup between our 515E and the ASA5510 on the colo end is misconfigured and instead of simply passing smtp traffic to the server, tries to initiate a VPN session.
I'd be happy to provide further details but wanted to put the basics out there to see if anyone had some suggestions I could follow up on.
I'm currently unable to disable the lan-2-lan due to service disruption at this time but think that this would quickly confirm whether the lan-2-lan is the actual culprit.
If you can see the incoming TCP SYN towards your local mail server - the remote side is correctly configured and NOT trying to encrypt that traffic. Otherwise, the remote side would try first to establish an IKE and then an IPSec SA with your side.
Looks like you have to tune your ACL - the one that defines traffic to be encrypted. Say the remote LAN is 10.10.10.0/24, and the remote mail server is 10.10.10.1 - the ACL should then be something like:

    deny [local_net] host 10.10.10.1
    permit [local_net] 10.10.10.0 255.255.255.0
Check the ACLs on the other side too - remember that for this to work, the ACLs have to be mirror images.
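To check this kind of crypto-ACL change before touching the PIX, it helps to simulate how the "interesting traffic" ACL will be evaluated on both ends. The script below is an added example written for this thread, not code from the original post or from Cisco; it uses a simplified permit/deny line syntax (no `access-list NAME extended ... ip` prefix, no protocol or ports), first-match semantics, and constructed addresses: 192.168.1.0/24 stands in for [local_net], 192.168.1.25 for the local mail server and 10.10.10.1 for the remote one. It answers two questions: would a given flow be sent into the tunnel, and are the two sides' ACLs mirror images of each other?

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" (encrypt) or "deny" (send in the clear)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_network(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next_index).
    Accepts 'host a.b.c.d', 'any', 'a.b.c.d/n' and 'a.b.c.d m.m.m.m' (PIX/ASA subnet mask form)."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if "/" in tok:
        return ipaddress.ip_network(tok, strict=False), i + 1
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_entry(line):
    """Parse one simplified crypto ACL line: '<permit|deny> <src spec> <dst spec>'."""
    tokens = line.split()
    action = tokens[0].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in crypto ACL line: {line!r}")
    src, i = _take_network(tokens, 1)
    dst, _ = _take_network(tokens, i)
    return AclEntry(action, src, dst)


def would_encrypt(acl_lines, src_ip, dst_ip):
    """First-match evaluation: True if the flow src->dst hits a permit entry.
    No match means the traffic is not 'interesting' and leaves in the clear."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in map(parse_entry, acl_lines):
        if s in entry.src and d in entry.dst:
            return entry.action == "permit"
    return False


def is_mirror(local_lines, remote_lines):
    """True if the remote ACL is the local one with src/dst swapped, entry for entry, in order."""
    local = [parse_entry(line) for line in local_lines]
    remote = [parse_entry(line) for line in remote_lines]
    if len(local) != len(remote):
        return False
    return all(a.action == b.action and a.src == b.dst and a.dst == b.src
               for a, b in zip(local, remote))


# Constructed sample ACLs: the tuned version suggested in the answer above
# (deny the remote mail host first, then permit the rest of the remote LAN).
LOCAL_ACL = [
    "deny 192.168.1.0 255.255.255.0 host 10.10.10.1",
    "permit 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0",
]
REMOTE_ACL = [
    "deny host 10.10.10.1 192.168.1.0 255.255.255.0",
    "permit 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0",
]
# The original, untuned ACL that sweeps the mail server into the tunnel.
UNTUNED_LOCAL_ACL = ["permit 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0"]


if __name__ == "__main__":
    # Return path of the SMTP session: local mail server replying to the remote one.
    print("tuned ACL encrypts mail reply:", would_encrypt(LOCAL_ACL, "192.168.1.25", "10.10.10.1"))
    print("untuned ACL encrypts mail reply:", would_encrypt(UNTUNED_LOCAL_ACL, "192.168.1.25", "10.10.10.1"))
    print("other remote host still tunnelled:", would_encrypt(LOCAL_ACL, "192.168.1.25", "10.10.10.50"))
    print("ACLs are mirror images:", is_mirror(LOCAL_ACL, REMOTE_ACL))
```

Running it shows the point of the deny line: with the untuned ACL, the local PIX's reply SYN-ACK to 10.10.10.1 matches the permit and triggers IKE, which is exactly the ISAKMP exchange seen in the capture; with the deny in front it goes out in the clear while the rest of 10.10.10.0/24 stays in the tunnel. The mirror check should be run against the ASA's crypto ACL as well, since an ordering or mask mismatch on either side breaks the tunnel for that traffic.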