ASA 5505 publishing mail server on vpn network.

Posted on 2011-04-21
Last Modified: 2012-05-11

I'm trying to publish a mail server on my vpn network trough one of my own public ip. Is that possible? With this config I get a Routing failed to locate next hop. And I cannot ping anything on the using the asa console. Using a client on the network everything is ok, I can ping the network, and telnet the mail server.

: Saved
ASA Version 7.2(4)
hostname sis-asa
enable password 2ODpSdIp.eAP3ZQS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
name x.x.237.236 Mail-Server-Outside description SMTP adresse
name Mail-Server-intern description sis-exchange
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.237.234
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
object-group service DM_INLINE_TCP_1 tcp
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
access-list outside_1_cryptomap extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip any
access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit
access-list outside_access_in extended permit tcp any host Mail-Server-Outside object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool mask
ip local pool vpnpool1 mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp Mail-Server-Outside smtp Mail-Server-intern smtp netmask  dns
static (inside,outside) tcp Mail-Server-Outside pop3 Mail-Server-intern pop3 netmask
static (inside,outside) tcp Mail-Server-Outside imap4 Mail-Server-intern imap4 netmask
access-group outside_access_in in interface outside
route outside x.x.237.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http outside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.45.39
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

group-policy Ciscovpn internal
group-policy Ciscovpn attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Ciscovpn_splitTunnelAcl
 default-domain value mhstaal
group-policy sisvpn internal
group-policy sisvpn attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
username xxxxx password ANCZiCN68aFz2EKz encrypted privilege 0
username xxxxx attributes
 vpn-group-policy xxxvpn
username xxxxx password wtBuTBS2.ecgULKw encrypted
username xxxxxx attributes
 vpn-group-policy xxxvpn
tunnel-group x.x.45.39 type ipsec-l2l
tunnel-group x.x.45.39 ipsec-attributes
 pre-shared-key *
tunnel-group Ciscovpn type ipsec-ra
tunnel-group Ciscovpn general-attributes
 address-pool vpnpool1
 default-group-policy Ciscovpn
tunnel-group Ciscovpn ipsec-attributes
 pre-shared-key *
tunnel-group sisvpn type ipsec-ra
tunnel-group sisvpn general-attributes
 address-pool vpnpool1
 default-group-policy xxxvpn
tunnel-group sisvpn ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
service-policy asa_global_fw_policy global
prompt hostname context
: end
asdm image disk0:/asdm-524.bin
asdm location Mail-Server-Outside inside
asdm location Mail-Server-intern inside
no asdm history enable

Question by:melfarit
    LVL 18

    Expert Comment

    Maybe I'm not understanding your terminology.  First, I'm assuming the server is in the DMZ, although you have no address on the DMZ interface.  If you want VPN users to reach the server via its public address, I don't believe that's possible.  If reaching it on its private address is OK, then this will work.  

    If the config you're posting is what you're using, my guess as to why you cannot ping anything in the subnet from the ASA console is there's no address on the interface.

    As for the VPN, I suspect what you're missing is no-nat of traffic sourced from going to the VPN pool.  Looks like you have two address pools, one that's separate and one that overlaps with the internal subnet.  What addresses are VPN users receiving? I prefer to use a separate address block for VPNs but I've seen it work both ways.  If you continue to use the block for VPN, I would make sure the interface address doesn't conflict with the range of addresses for VPN users.
    LVL 4

    Accepted Solution

    to ping from the asa console you need
    management-access inside
    in the config.

    LVL 4

    Expert Comment

    This puzzles me :
    access-list Ciscovpn_splitTunnelAcl standard permit any
    access-list Ciscovpn_splitTunnelAcl standard permit

    Why have split tunneling enabled then ?

    From where to where have you got the routing failed next hop message ?

    Featured Post

    Find Ransomware Secrets With All-Source Analysis

    Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

    Join & Write a Comment

    I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
    As companies replace their old PBX phone systems with Unified IP Communications, many are finding out that legacy applications such as fax do not work well with VoIP. Fortunately, Cloud Faxing provides a cost-effective alternative that works over an…
    Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
    how to add IIS SMTP to handle application/Scanner relays into office 365.

    755 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now