We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now


ASA 5505 publishing mail server on vpn network.

Medium Priority
Last Modified: 2012-05-11

I'm trying to publish a mail server on my vpn network trough one of my own public ip. Is that possible? With this config I get a Routing failed to locate next hop. And I cannot ping anything on the using the asa console. Using a client on the network everything is ok, I can ping the network, and telnet the mail server.

: Saved
ASA Version 7.2(4)
hostname sis-asa
domain-name sis-as.dk
enable password 2ODpSdIp.eAP3ZQS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
name x.x.237.236 Mail-Server-Outside description SMTP adresse
name Mail-Server-intern description sis-exchange
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.237.234
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name sis-as.dk
object-group service DM_INLINE_TCP_1 tcp
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
access-list outside_1_cryptomap extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip any
access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit
access-list outside_access_in extended permit tcp any host Mail-Server-Outside object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool mask
ip local pool vpnpool1 mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp Mail-Server-Outside smtp Mail-Server-intern smtp netmask  dns
static (inside,outside) tcp Mail-Server-Outside pop3 Mail-Server-intern pop3 netmask
static (inside,outside) tcp Mail-Server-Outside imap4 Mail-Server-intern imap4 netmask
access-group outside_access_in in interface outside
route outside x.x.237.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http outside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.45.39
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

group-policy Ciscovpn internal
group-policy Ciscovpn attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Ciscovpn_splitTunnelAcl
 default-domain value mhstaal
group-policy sisvpn internal
group-policy sisvpn attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
username xxxxx password ANCZiCN68aFz2EKz encrypted privilege 0
username xxxxx attributes
 vpn-group-policy xxxvpn
username xxxxx password wtBuTBS2.ecgULKw encrypted
username xxxxxx attributes
 vpn-group-policy xxxvpn
tunnel-group x.x.45.39 type ipsec-l2l
tunnel-group x.x.45.39 ipsec-attributes
 pre-shared-key *
tunnel-group Ciscovpn type ipsec-ra
tunnel-group Ciscovpn general-attributes
 address-pool vpnpool1
 default-group-policy Ciscovpn
tunnel-group Ciscovpn ipsec-attributes
 pre-shared-key *
tunnel-group sisvpn type ipsec-ra
tunnel-group sisvpn general-attributes
 address-pool vpnpool1
 default-group-policy xxxvpn
tunnel-group sisvpn ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
service-policy asa_global_fw_policy global
prompt hostname context
: end
asdm image disk0:/asdm-524.bin
asdm location Mail-Server-Outside inside
asdm location Mail-Server-intern inside
no asdm history enable

Watch Question

John MeggersNetwork Architect

Maybe I'm not understanding your terminology.  First, I'm assuming the server is in the DMZ, although you have no address on the DMZ interface.  If you want VPN users to reach the server via its public address, I don't believe that's possible.  If reaching it on its private address is OK, then this will work.  

If the config you're posting is what you're using, my guess as to why you cannot ping anything in the subnet from the ASA console is there's no address on the interface.

As for the VPN, I suspect what you're missing is no-nat of traffic sourced from going to the VPN pool.  Looks like you have two address pools, one that's separate and one that overlaps with the internal subnet.  What addresses are VPN users receiving? I prefer to use a separate address block for VPNs but I've seen it work both ways.  If you continue to use the block for VPN, I would make sure the interface address doesn't conflict with the range of addresses for VPN users.
Network Engineer
Unlock this solution and get a sample of our free trial.
(No credit card required)
Joris VSNetwork Engineer

This puzzles me :
access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit

Why have split tunneling enabled then ?

From where to where have you got the routing failed next hop message ?
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.