I have an ASA 5505 v7.2(2)
Can someone please clarify this for me.
Setting: static (inside,outside) XXX.XXX.XXX.XXX 192.168.16.3 netmask 255.255.255.255
Result: Cisco VPN Client can connect and smtp traffic does not pass
Setting: static (inside,outside) interface 192.168.16.3 netmask 255.255.255.255
Result: smtp traffic passes but VPN Clients can't connect.
I have way more time into this than I would like to admit.
If the interface IP is used in a 1-to-1 NAT with an inside host then the IPSEC session will be forwared to that inside address; I'm assuming your email server. If you only have one public IP you can try a PAT (Port address Translation) intsead. If you are using version 8.2 or older try something like this:
static (inside,outside) tcp XXX.XXX.XXX.XXX 25 192.168.16.3 25 netmask 255.255.255.255
Thank you for your post. What Static Routes would I have to add to get the Cisco VPN client IPSEC/UDP working?
That should fix both problems. Keep in mind these are not static routes; they are static translations on the ASA. Static routes are in reference to seting a next hop at the IP (network) layer versus translating a public address to a private address.
The translation above will forward TCP port 25 to your mail server. The ASA interface won't need a translation and will be listening for IKE (UDP port 500) and IPSEC (UDP port 4500 and ESP protocol number 50).
If you could spare a dedicated public IP for you mail server it would work out better; especially since reverse DNS is so critical in regard to the helo message your mail server sends at connection establishment. If these don't match your traffic will often be deemed spam.
You are correct dropping my old static route and using static translation for smtp and other services did get everything flowing. I just finished testing. We have a block of 5 ip's so I should be able to dedicate 1 to mail traffic.
Thank you again for your fast and accurate response.
I thought I had this beat last night. Sadly not! Can you please have a peek at my config file. I'm signing up for classes as soon as I can, this is driving me nuts.
ASA Version 7.2(2)
enable password ************* encrypted
ip address 192.168.16.1 255.255.255.0
ip address XXX.XXX.28.13 255.255.255.248
switchport access vlan 2
passwd ****************** encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
access-list fw extended permit tcp any any eq pop3
access-list fw extended permit tcp any any eq imap4
access-list fw extended permit tcp any any eq https
access-list fw extended permit tcp any any eq smtp
access-list fw extended permit tcp any any eq 4125
access-list inside_nat0_outbound extended permit ip any 172.16.116.96 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool 172.16.116.100-172.16.116.109 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XXX.XXX.28.13 smtp 192.168.16.3 smtp netmask 255.255.255.255
access-group fw in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.28.14 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server DefaultRAGroup protocol radius
aaa-server DefaultRAGroup host 192.168.16.3
group-policy NutmegVPNgrp internal
group-policy NutmegVPNgrp attributes
wins-server value 192.168.16.3
dns-server value 192.168.16.3
username nutmegadmin password *********** encrypted privilege 15
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
tunnel-group NutmegVPNgrp type ipsec-ra
tunnel-group NutmegVPNgrp general-attributes
tunnel-group NutmegVPNgrp ipsec-attributes
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
asdm image disk0:/asdm-522.bin
no asdm history enable
Is it mail, IPSEC or something else that's not working? If it's a mail problem is it sending mail or receiving mail that is troublesome?
Another thing to attempt with the static command is to use the keyword 'interface' if it will let you with PAT; I can't recall.
static (inside,outside) tcp interface 25 192.168.16.3 25 netmask 255.255.255.255
The keyword interface was usable, but SMTP inbound traffic was blocked as soon as I applied the PAT.
What is the FQDN address for your mail server? If it is not pointing to the
interface IP, then it will not work. Also, you need to make sure that
outside devices are contacting your mail server on port 25 alone. Do you
have any mail relay on the outside through which you are getting the mails?
Can you check the port settings and make sure that we are configuring the
correct port here?
It was my access-list. I used the "interface outside" instead of "any" and it worked.
Wrong entry - access-list fw extended permit tcp any any eq smtp
Working Entry - access-list fw extended permit tcp any interface outside eq smtp
Thank you for your quick replies and knowledge, without it I would probably be bashing my head against an old monster crt.