melfarit
asked on
ASA 5505 publishing mail server on vpn network.
Hi,
I'm trying to publish a mail server on my vpn network trough one of my own public ip. Is that possible? With this config I get a Routing failed to locate next hop. And I cannot ping anything on the 172.16.100.0 using the asa console. Using a client on the 10.10.25.0 network everything is ok, I can ping the 172.16.100.0 network, and telnet the mail server.
: Saved
:
ASA Version 7.2(4)
!
hostname sis-asa
domain-name sis-as.dk
enable password 2ODpSdIp.eAP3ZQS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name x.x.237.236 Mail-Server-Outside description SMTP adresse
name 172.16.100.105 Mail-Server-intern description sis-exchange
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.25.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.237.234 255.255.255.248
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name sis-as.dk
object-group service DM_INLINE_TCP_1 tcp
port-object eq imap4
port-object eq pop3
port-object eq smtp
access-list outside_1_cryptomap extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.100.0 255.255.255.0
access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0
access-list outside_access_in extended permit tcp any host Mail-Server-Outside object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 10.15.25.1-10.15.25.100 mask 255.255.255.128
ip local pool vpnpool1 192.168.200.1-192.168.200. 254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail-Server-Outside smtp Mail-Server-intern smtp netmask 255.255.255.255 dns
static (inside,outside) tcp Mail-Server-Outside pop3 Mail-Server-intern pop3 netmask 255.255.255.255
static (inside,outside) tcp Mail-Server-Outside imap4 Mail-Server-intern imap4 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.237.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
http 10.10.25.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.45.39
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
group-policy Ciscovpn internal
group-policy Ciscovpn attributes
wins-server value 10.10.25.50
dns-server value 10.10.25.50 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Ciscovpn_splitTunnelAcl
default-domain value mhstaal
group-policy sisvpn internal
group-policy sisvpn attributes
wins-server value 10.10.25.50
dns-server value 10.10.25.50 8.8.8.8
vpn-tunnel-protocol IPSec
username xxxxx password ANCZiCN68aFz2EKz encrypted privilege 0
username xxxxx attributes
vpn-group-policy xxxvpn
username xxxxx password wtBuTBS2.ecgULKw encrypted
username xxxxxx attributes
vpn-group-policy xxxvpn
tunnel-group x.x.45.39 type ipsec-l2l
tunnel-group x.x.45.39 ipsec-attributes
pre-shared-key *
tunnel-group Ciscovpn type ipsec-ra
tunnel-group Ciscovpn general-attributes
address-pool vpnpool1
default-group-policy Ciscovpn
tunnel-group Ciscovpn ipsec-attributes
pre-shared-key *
tunnel-group sisvpn type ipsec-ra
tunnel-group sisvpn general-attributes
address-pool vpnpool1
default-group-policy xxxvpn
tunnel-group sisvpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
class inspection_default
inspect ftp
!
service-policy asa_global_fw_policy global
prompt hostname context
Cryptochecksum:edb48029d88 3845b68f47 1e658377d8 2
: end
asdm image disk0:/asdm-524.bin
asdm location Mail-Server-Outside 255.255.255.255 inside
asdm location Mail-Server-intern 255.255.255.255 inside
no asdm history enable
I'm trying to publish a mail server on my vpn network trough one of my own public ip. Is that possible? With this config I get a Routing failed to locate next hop. And I cannot ping anything on the 172.16.100.0 using the asa console. Using a client on the 10.10.25.0 network everything is ok, I can ping the 172.16.100.0 network, and telnet the mail server.
: Saved
:
ASA Version 7.2(4)
!
hostname sis-asa
domain-name sis-as.dk
enable password 2ODpSdIp.eAP3ZQS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name x.x.237.236 Mail-Server-Outside description SMTP adresse
name 172.16.100.105 Mail-Server-intern description sis-exchange
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.25.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.237.234 255.255.255.248
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name sis-as.dk
object-group service DM_INLINE_TCP_1 tcp
port-object eq imap4
port-object eq pop3
port-object eq smtp
access-list outside_1_cryptomap extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.100.0 255.255.255.0
access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0
access-list outside_access_in extended permit tcp any host Mail-Server-Outside object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 10.15.25.1-10.15.25.100 mask 255.255.255.128
ip local pool vpnpool1 192.168.200.1-192.168.200.
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail-Server-Outside smtp Mail-Server-intern smtp netmask 255.255.255.255 dns
static (inside,outside) tcp Mail-Server-Outside pop3 Mail-Server-intern pop3 netmask 255.255.255.255
static (inside,outside) tcp Mail-Server-Outside imap4 Mail-Server-intern imap4 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.237.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
http 10.10.25.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.45.39
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
group-policy Ciscovpn internal
group-policy Ciscovpn attributes
wins-server value 10.10.25.50
dns-server value 10.10.25.50 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Ciscovpn_splitTunnelAcl
default-domain value mhstaal
group-policy sisvpn internal
group-policy sisvpn attributes
wins-server value 10.10.25.50
dns-server value 10.10.25.50 8.8.8.8
vpn-tunnel-protocol IPSec
username xxxxx password ANCZiCN68aFz2EKz encrypted privilege 0
username xxxxx attributes
vpn-group-policy xxxvpn
username xxxxx password wtBuTBS2.ecgULKw encrypted
username xxxxxx attributes
vpn-group-policy xxxvpn
tunnel-group x.x.45.39 type ipsec-l2l
tunnel-group x.x.45.39 ipsec-attributes
pre-shared-key *
tunnel-group Ciscovpn type ipsec-ra
tunnel-group Ciscovpn general-attributes
address-pool vpnpool1
default-group-policy Ciscovpn
tunnel-group Ciscovpn ipsec-attributes
pre-shared-key *
tunnel-group sisvpn type ipsec-ra
tunnel-group sisvpn general-attributes
address-pool vpnpool1
default-group-policy xxxvpn
tunnel-group sisvpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
class inspection_default
inspect ftp
!
service-policy asa_global_fw_policy global
prompt hostname context
Cryptochecksum:edb48029d88
: end
asdm image disk0:/asdm-524.bin
asdm location Mail-Server-Outside 255.255.255.255 inside
asdm location Mail-Server-intern 255.255.255.255 inside
no asdm history enable
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
This puzzles me :
access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0
Why have split tunneling enabled then ?
From where to where have you got the routing failed next hop message ?
access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0
Why have split tunneling enabled then ?
From where to where have you got the routing failed next hop message ?
If the config you're posting is what you're using, my guess as to why you cannot ping anything in the 172.16.100.0 subnet from the ASA console is there's no address on the interface.
As for the VPN, I suspect what you're missing is no-nat of traffic sourced from 172.16.100.0 going to the VPN pool. Looks like you have two address pools, one that's separate and one that overlaps with the internal subnet. What addresses are VPN users receiving? I prefer to use a separate address block for VPNs but I've seen it work both ways. If you continue to use the 10.10.25.0 block for VPN, I would make sure the interface address doesn't conflict with the range of addresses for VPN users.