L2L Tunnel not allowing SMTP communication

kltconsulting
Level 1

I have a LAN to LAN VPN tunnel established between a Cisco ASA 5505 and a Cisco 2811, but for some reason, I am unable to get SMTP communication between the two LANs over the tunnel. Do I need to create a specific access rule for SMTP? The 2811's internal IP scheme is 10.4.167.X, and the ASA 5505's internal IP scheme is 192.168.1.0. I've attached the running-configs for both the ASA and the 2811. The tunnel establishes successfully, I can map drives and replicate DNS data without any problems, but cannot send email (SMTP) through the tunnel. Any help would be greatly appreciated.

Accepted Solution

Hello,

Did you remove the existing NAT statement before entering the new one? Also, I noticed that the name of the route-map seems to be different (not SDM_RMAP_1):

CISCO2811(config)#route-map SDM_RMAP_

CISCO2811(config-route-map)#match ip address 104

CISCO2811(config-route-map)#exit

Regards,

NT


16 Replies

Richard Burts
Hall of Fame

I have looked through the configs, focusing on the VPN configuration. I do not see obvious issues in the config. So we need to dig a bit deeper into the issue. Can you tell us who (what device/what address) is sending SMTP and to whom it is sending it?

Also to clarify, are we talking real SMTP (mail server to mail server) or are we talking mail client to mail server?

HTH

Rick

The mail server resides on the 10.4.167.x network. Its IP is 10.4.167.102. This is the side of the 2811 router. On the other end (with the ASA), I have clients connected to that mail server using Outlook. They can connect to the server successfully to create their Outlook profiles, but when they attempt to send email, an error is generated that there is no SMTP server available. If I go into the ASA network and type: telnet 10.4.167.102 25 (to establish a connection with the SMTP server for SMTP testing purposes), it will not connect, generating an error that reads: Could not open a connection to the host on port 25: Connect failed.

Hello,

The issue is due to the NAT rule you have configured.

ip nat inside source static tcp 10.4.167.102 25 <2811 Public IP> 25 extendable

It will force the router to use NAT for all outgoing packets. Please try the following:

access-list 199 deny tcp host 10.4.167.102 eq 25 192.168.1.0 0.0.0.255
access-list 199 permit tcp host 10.4.167.102 eq 25 any

route-map Mail
match ip address 199
exit

ip nat inside source static tcp 10.4.167.102 25 <2811 Public IP> 25 route-map Mail extendable

Hope this helps.

Regards,

NT

That makes perfect sense. If I remove the NAT statement that forwards inbound email to my server, I can connect using the telnet command from the remote network just fine. However, I added the statements which you recommended and it still does not work. Was there a reason for creating a separate route map than the one currently in use? Couldn't I just add the access-list statements to my current NAT rules that are used by the route map already deployed? For example, I have NAT rule 104 which is used by route map SDM_RMAP_1. Couldn't I create your rule entries there, instead of creating an entirely new route map called Mail?

Hello,

You can certainly use an existing route-map.

Regards,

NT

Alright, I made the modifications to the current NAT rule entry, but I'm still unable to access SMTP from the remote network. Any other ideas?

Hello,

Can you post the current configuration with the route-maps applied?

Regards,

NT

Here's the updated running-config for the 2811. Thanks so much for the assistance. I'm stuck on this one, and fairly new to the Cisco world.

Hi,

If you are able to connect with the SMTP server on port 25, create Outlook profiles etc. over the VPN, then it sounds more like an MTU issue with the DF bit set to me. Try the following from a user machine to the SMTP server:

c:\user> ping -l 1300 -f

Thanks

manish

I am not able to access the SMTP server without removing the current static NAT rule that routes all inbound SMTP packets to our internal email server (ip nat inside source static tcp 10.4.167.102 25 <2811 Public IP> 25 extendable). If I remove that NAT statement, then I'm able to connect successfully by using the 'telnet 10.4.167.102 25' command from the remote peer network. The problem is that I need that statement in there, so that inbound Internet email gets routed successfully. I just need to figure out a way to not NAT SMTP traffic that is traveling through the tunnel from the remote peer network. I entered the commands that were suggested by NTHANTHR (he was correct in his assessment of the problem), but still have the same issues.

Hello,

I just tested this setup in my lab and it works fine. Please try the original configuration I had suggested:

Access-list 101 deny tcp host 10.4.167.102 eq 25 192.168.1.0 0.0.0.255

Access-list 101 permit tcp host 10.4.167.102 eq 25 any

Route-map Mail

Match ip address 101

Exit

ip nat source static tcp 10.4.167.102 25 "2811 public ip" 25 route-map Mail

This will ensure that the traffic from the mail server is not NATted when going to remote VPN subnets.

Hope this helps.

Regards,

NT

Hello,

Also, do not forget to remove the old static for the mail server before adding the new one.

Regards,

NT
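As an added illustration (not any participant's configuration or running-config), the full pattern NT describes above, written in the `ip nat inside source static` form of the original port-forward statement in this thread, with the 2811's public address left as a placeholder. The route-map ACL denies translation for server traffic destined to the ASA's LAN, so those packets keep their real source and match the crypto ACL, while Internet mail is still forwarded:

```cisco
! Added example for this thread; <2811_PUBLIC_IP> is a placeholder.
!
! 1. Remove the unconditional port forward first. While it is present, the
!    server's port-25 replies toward 192.168.1.0/24 are translated to the public
!    address before encryption, so they no longer match the tunnel's crypto ACL.
no ip nat inside source static tcp 10.4.167.102 25 <2811_PUBLIC_IP> 25 extendable
!
! 2. ACL referenced only by the route-map:
!    deny   = do not translate (traffic that stays inside the VPN)
!    permit = translate (inbound/outbound Internet mail)
access-list 101 deny   tcp host 10.4.167.102 eq 25 192.168.1.0 0.0.0.255
access-list 101 permit tcp host 10.4.167.102 eq 25 any
!
route-map Mail permit 10
 match ip address 101
!
! 3. Re-add the port forward, conditioned on the route-map. The route-map name
!    here must match the one defined above (the mismatch SDM_RMAP_ vs SDM_RMAP_1
!    in the accepted solution is exactly this kind of error).
ip nat inside source static tcp 10.4.167.102 25 <2811_PUBLIC_IP> 25 route-map Mail extendable
!
! Verification on the 2811:
!   show route-map Mail          - confirms the map references access-list 101
!   show ip nat translations     - no translation should appear for flows
!                                  between 10.4.167.102:25 and 192.168.1.x
!   show crypto ipsec sa         - encaps/decaps counters should increase when a
!                                  192.168.1.x host runs: telnet 10.4.167.102 25
```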

I'm entering the statements as follows, but keep getting an error when I try to re-enter the static NAT rule:

CISCO2811#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CISCO2811(config)#access-list 104 deny tcp host 10.4.167.102 eq 25 192.168.1.0$
CISCO2811(config)#access-list 104 permit tcp host 10.4.167.102 eq 25 any
CISCO2811(config)#route-map SDM_RMAP_
CISCO2811(config-route-map)#match ip address 104
CISCO2811(config-route-map)#exit

CISCO2811(config)#ip nat source static tcp 10.4.167.102 <2811 Public IP> 25 route-map SDM_RMAP_1
ip nat source static tcp 10.4.167.102 <2811 Public IP> 25 route-map SDM_RMAP_1
                                                                                    ^
% Invalid input detected at '^' marker.

CISCO2811(config)#ip nat source static TCP 10.4.167.102 25 <2811 Public IP> 25 route-map SDM_RMAP_1
ip nat source static TCP 10.4.167.102 25 <2811 Public IP> 25 route-map SDM_RMAP_1
                                                                                           ^
% Invalid input detected at '^' marker.

The marker was under the r at route-map SDM_RMAP_1. My post didn't show that very well.
