?
Solved

ASA 5505 publishing mail server on vpn network.

Posted on 2011-04-21
3
Medium Priority
?
516 Views
Last Modified: 2012-05-11
Hi,

I'm trying to publish a mail server on my vpn network trough one of my own public ip. Is that possible? With this config I get a Routing failed to locate next hop. And I cannot ping anything on the 172.16.100.0 using the asa console. Using a client on the 10.10.25.0 network everything is ok, I can ping the 172.16.100.0 network, and telnet the mail server.

: Saved
:
ASA Version 7.2(4)
!
hostname sis-asa
domain-name sis-as.dk
enable password 2ODpSdIp.eAP3ZQS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name x.x.237.236 Mail-Server-Outside description SMTP adresse
name 172.16.100.105 Mail-Server-intern description sis-exchange
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.25.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.237.234 255.255.255.248
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name sis-as.dk
object-group service DM_INLINE_TCP_1 tcp
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
access-list outside_1_cryptomap extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.100.0 255.255.255.0
access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0
access-list outside_access_in extended permit tcp any host Mail-Server-Outside object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 10.15.25.1-10.15.25.100 mask 255.255.255.128
ip local pool vpnpool1 192.168.200.1-192.168.200.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail-Server-Outside smtp Mail-Server-intern smtp netmask 255.255.255.255  dns
static (inside,outside) tcp Mail-Server-Outside pop3 Mail-Server-intern pop3 netmask 255.255.255.255
static (inside,outside) tcp Mail-Server-Outside imap4 Mail-Server-intern imap4 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.237.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
http 10.10.25.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.45.39
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy Ciscovpn internal
group-policy Ciscovpn attributes
 wins-server value 10.10.25.50
 dns-server value 10.10.25.50 8.8.8.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Ciscovpn_splitTunnelAcl
 default-domain value mhstaal
group-policy sisvpn internal
group-policy sisvpn attributes
 wins-server value 10.10.25.50
 dns-server value 10.10.25.50 8.8.8.8
 vpn-tunnel-protocol IPSec
username xxxxx password ANCZiCN68aFz2EKz encrypted privilege 0
username xxxxx attributes
 vpn-group-policy xxxvpn
username xxxxx password wtBuTBS2.ecgULKw encrypted
username xxxxxx attributes
 vpn-group-policy xxxvpn
tunnel-group x.x.45.39 type ipsec-l2l
tunnel-group x.x.45.39 ipsec-attributes
 pre-shared-key *
tunnel-group Ciscovpn type ipsec-ra
tunnel-group Ciscovpn general-attributes
 address-pool vpnpool1
 default-group-policy Ciscovpn
tunnel-group Ciscovpn ipsec-attributes
 pre-shared-key *
tunnel-group sisvpn type ipsec-ra
tunnel-group sisvpn general-attributes
 address-pool vpnpool1
 default-group-policy xxxvpn
tunnel-group sisvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
!
service-policy asa_global_fw_policy global
prompt hostname context
Cryptochecksum:edb48029d883845b68f471e658377d82
: end
asdm image disk0:/asdm-524.bin
asdm location Mail-Server-Outside 255.255.255.255 inside
asdm location Mail-Server-intern 255.255.255.255 inside
no asdm history enable

0
Comment
Question by:melfarit
  • 2
3 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 35441822
Maybe I'm not understanding your terminology.  First, I'm assuming the server is in the DMZ, although you have no address on the DMZ interface.  If you want VPN users to reach the server via its public address, I don't believe that's possible.  If reaching it on its private address is OK, then this will work.  

If the config you're posting is what you're using, my guess as to why you cannot ping anything in the 172.16.100.0 subnet from the ASA console is there's no address on the interface.

As for the VPN, I suspect what you're missing is no-nat of traffic sourced from 172.16.100.0 going to the VPN pool.  Looks like you have two address pools, one that's separate and one that overlaps with the internal subnet.  What addresses are VPN users receiving? I prefer to use a separate address block for VPNs but I've seen it work both ways.  If you continue to use the 10.10.25.0 block for VPN, I would make sure the interface address doesn't conflict with the range of addresses for VPN users.
0
 
LVL 4

Accepted Solution

by:
JorisFRST earned 1000 total points
ID: 35489921
to ping from the asa console you need
management-access inside
in the config.



0
 
LVL 4

Expert Comment

by:JorisFRST
ID: 35489947
This puzzles me :
access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0

Why have split tunneling enabled then ?

From where to where have you got the routing failed next hop message ?
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Every year the snow affects people and businesses. According to the Federation of Small Businesses (FSB), in 2009, UK businesses lost an estimated £1.2bn (http://news.bbc.co.uk/1/hi/business/7864804.stm) because of bad weather. This article was c…
Hey there Heard about jingle, the add on for XMPP that enables point to point audio between two XMPP clients. No server config necessary. Actually quite a cool feature. However, how good is it if you can not use those voice capabilities to do a P…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month14 days, 21 hours left to enroll

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question