Re: Pix 501 Tunnelling problem

SAto wrote:
Hi, I'm not too familiar with PIX and VPN tunnels and have run into a

I've got the following setup

Site X Site Y

/ \---------VPN-------------/ \
(Mail server) (Mail server)
(ip (private IP

The tunnel allows traffic from the whole net of site X
to the whole net of site Y with NAT exemption.

This works correctly for all applications, except mail.
When the mail server at site X looks up the MX record of site Y it
sees the NATed address of and not the real address of. So the SMTP session is set up over the internet from site X,
but when the site Y mail server tries to respond, the PIX sends the traffic
through the tunnel to site X and it gets dropped because of asymmetrical
routing (wrong source IP).

I do not administer site X and cannot change the MX record to the private
address, and have therefore tried to force traffic from the mail server
at site Y to go over the internet as opposed to the tunnel when sending
to the mail server at site X. But I just can't get it to work.

Hope some of this made sense, and all suggestions would be most


OK, presumably you have some kind of no-NAT access list like this at
site Y:-

access-list no-nat permit ip

If so, change to this:-

access-list no-nat deny ip host host
access-list no-nat permit ip

Or maybe a Layer 4 rule, so that only SMTP from the server is exempted
from NAT:-

access-list no-nat deny tcp host host eq smtp
access-list no-nat permit ip

You may also need to add the same deny rule to your crypto access list,
otherwise the PIX will still try to send the packets over the VPN.

I haven't been able to test the above as I no longer work on PIXes, but
I think it should work.
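To make the two ACL changes concrete, here is the Layer 4 variant from the reply laid out as a complete PIX 6.x configuration fragment, with the NAT exemption and the crypto map tied together. This is an added example, not config from the original post. The post's own addresses did not survive, so every address and name below is an assumed placeholder: site Y LAN 192.168.20.0/24 with mail server 192.168.20.25, site X LAN 192.168.10.0/24 with mail server 192.168.10.25, and the names no-nat, vpn-to-x, outside_map and the interface names inside/outside.

```text
! --- Site Y PIX (6.x syntax). All addresses and names are assumed placeholders. ---

! NAT exemption (nat 0). ACEs are evaluated top down, first match wins, so the
! host-specific deny MUST come before the network-wide permit. Traffic that hits
! the deny falls through to the ordinary nat/global rules and is PATed to the
! outside address, i.e. it leaves via the internet as normal mail traffic.
access-list no-nat deny   tcp host 192.168.20.25 host 192.168.10.25 eq smtp
access-list no-nat permit ip  192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list no-nat

! Crypto ACL ("interesting traffic"). A deny here means "do not protect", so the
! same SMTP flow is also kept out of the tunnel; without this the PIX would still
! select the IPsec SA for it even though it is no longer NAT-exempt.
access-list vpn-to-x deny   tcp host 192.168.20.25 host 192.168.10.25 eq smtp
access-list vpn-to-x permit ip  192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

! The crypto map entry for the site X peer references the crypto ACL above.
crypto map outside_map 10 match address vpn-to-x

! Ordinary translation that the denied SMTP flow now falls through to.
global (outside) 1 interface
nat (inside) 1 192.168.20.0 255.255.255.0
```

Two practical notes. First, keep the deny ACE in the two lists identical (same protocol, hosts and port); if the no-NAT list exempts the flow but the crypto list still matches it, or vice versa, you get exactly the asymmetric path the original poster is fighting. Second, after editing a nat 0 list, existing translations for those hosts may persist until they time out, so clearing the translation table (clear xlate) is usually needed before the new behaviour is visible, and any SMTP connection already open across the tunnel will be torn down by that.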