Re: Pix 501 Tunnelling problem




SAto wrote:
Hi, I'm not too familiar with PIX and VPN tunnels and have run into a
problem.

I've got the following setup


Site X                                   Site Y

(ip 1.1.1.1)---------Internet----------(ip 2.2.2.2)
     \-----------------VPN-----------------/
(Mail server)                          (Mail server)
(ip 1.1.2.2)                           (private IP 10.0.0.2)



The tunnel allows traffic from the whole 1.1.2.0/24 net of site X
to the whole 10.0.0.0/24 net of site Y with NAT exemption.

This works correctly for all applications, except mail.
When the mail server at site X looks up the MX record of site Y it
sees the NATed address 2.2.2.2 and not the real address
10.0.0.2. So the SMTP session is set up over the internet from site X,
but when the site Y mail server tries to respond the PIX sends the traffic
through the tunnel to site X and it gets dropped because of asymmetrical
routing (wrong source IP).

I do not administer site X and cannot change the MX record to the private
address, and have therefore tried to force traffic from the mail server
at site Y to go over the internet as opposed to the tunnel when sending
to the mail server at site X. But I just can't get it to work.

Hope some of this made sense; all suggestions would be most
appreciated.

-SAto

OK, presumably you have some kind of no-NAT access list like this at
site Y:

access-list no-nat permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0

If so, change it to this:

access-list no-nat deny ip host 10.0.0.2 host 1.1.2.2
access-list no-nat permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0

Or maybe a Layer 4 rule so that only SMTP from the server is not subjected
to NAT:

access-list no-nat deny tcp host 10.0.0.2 host 1.1.2.2 eq smtp
access-list no-nat permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0

You may also need to add the deny rule to your crypto access-list,
otherwise the PIX will still try to send the packets over the VPN.

I haven't been able to test the above as I no longer work on PIXes, but
I think it should work.

James
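The two points in the reply above, that the deny entry has to sit before the permit (the PIX evaluates an access-list top-down and stops at the first match) and that the exception needs to appear in both the NAT-exemption list and the crypto access-list, can be checked offline with a small first-match simulator. The following is an added example, not code from the original thread or from Cisco: it parses `access-list NAME permit|deny PROTO SRC DST [eq PORT]` lines in PIX netmask syntax and reports how the site Y PIX would treat an inside-to-outside packet. The crypto ACL name `vpn`, the crypto map name `outside_map`, the `nat (inside) 0` and `crypto map ... match address` lines, and the sample packets are all constructed for this example. It deliberately does not model the order in which the PIX applies NAT and the crypto map; a packet that one list exempts or encrypts and the other does not is simply reported as `inconsistent`, which is the case the reply warns about.

```python
"""First-match evaluation of PIX-style NAT-exemption and crypto access-lists.

Added example, not code from the original post. ACL name `vpn`, map name
`outside_map` and the sample packets are assumptions made for this demo.
"""
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}

# Constructed configuration fragments for the site Y PIX (2.2.2.2).
HEADER = ["nat (inside) 0 access-list no-nat",
          "crypto map outside_map 10 match address vpn"]
PERMIT_NONAT = "access-list no-nat permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0"
PERMIT_VPN = "access-list vpn permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0"
DENY_NONAT = "access-list no-nat deny tcp host 10.0.0.2 host 1.1.2.2 eq smtp"
DENY_VPN = "access-list vpn deny tcp host 10.0.0.2 host 1.1.2.2 eq smtp"

CONFIGS = {
    "original":          HEADER + [PERMIT_NONAT, PERMIT_VPN],
    "deny in no-nat":    HEADER + [DENY_NONAT, PERMIT_NONAT, PERMIT_VPN],
    "deny in both":      HEADER + [DENY_NONAT, PERMIT_NONAT, DENY_VPN, PERMIT_VPN],
    # Same entries as "deny in both", but the deny comes after the permit.
    "deny after permit": HEADER + [PERMIT_NONAT, DENY_NONAT, PERMIT_VPN, DENY_VPN],
}


def _addr(tok, i):
    """Parse `host A`, `any` or `A MASK` (PIX uses real netmasks, not wildcards)."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acls(lines):
    """Collect access-list entries by name, preserving configuration order."""
    acls = {}
    for line in lines:
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue  # nat / crypto map lines carry no entries of their own
        name, action, proto = tok[1], tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls


def first_match(acl, proto, src, dst, dport):
    """PIX semantics: top-down, stop at the first hit, implicit deny at the end."""
    for action, aproto, asrc, adst, adport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if src not in asrc or dst not in adst:
            continue
        if adport is not None and adport != dport:
            continue
        return action == "permit"
    return False


def classify(config_lines, proto, src, dst, dport=None):
    """Report how the site Y PIX handles an inside-to-outside packet."""
    acls = parse_acls(config_lines)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    exempt = first_match(acls.get("no-nat", []), proto, src, dst, dport)
    interesting = first_match(acls.get("vpn", []), proto, src, dst, dport)
    if exempt and interesting:
        return "tunnel"        # left untranslated and sent over IPsec to site X
    if not exempt and not interesting:
        return "internet"      # translated to 2.2.2.2 and sent in the clear
    return "inconsistent"      # the two lists disagree: add the deny to both


if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        smtp = classify(cfg, "tcp", "10.0.0.2", "1.1.2.2", 25)
        other = classify(cfg, "tcp", "10.0.0.5", "1.1.2.10", 445)
        print(f"{name:18s} SMTP from mail server -> {smtp:12s} other traffic -> {other}")
```

Running the block prints one line per variant: the original configuration tunnels the mail server's SMTP (the asymmetric path in the question), a deny in `no-nat` alone comes out `inconsistent`, the deny in both lists sends SMTP to the internet while everything else still rides the tunnel, and the deny placed after the permit is never reached, so SMTP is tunnelled again.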
