Re: Pix 501 Tunnelling problem

SAto wrote:
Hi, I'm not too familiar with PIX and VPN tunnels and have run into a
problem.

I've got the following setup


Site X                                       Site Y

(ip 1.1.1.1)--------Internet----------(ip 2.2.2.2)
     / \---------VPN-------------/ \
(Mail server)                     (Mail server)
(ip 1.1.2.2)                      (private IP 10.0.0.2)



The tunnel allows traffic from the whole 1.1.2.0/24 net of site X
to the whole 10.0.0.0/24 net of site Y with NAT exemption.

This works correctly for all applications, except mail.
When the mail server at site X looks up the MX record of site Y it
sees the NATed address of 2.2.2.2 and not the real address of
10.0.0.2. So the SMTP session is set up over the internet from site X,
but when the site Y mail server tries to respond the PIX sends the traffic
through the tunnel to site X and it gets dropped because of asymmetrical
routing (wrong source IP).

I do not administer site X and cannot change mx record to the private
address and have therefore tried to force traffic from the mail server
at site Y to go over the internet as opposed to the tunnel when sending
to the mail server at site X. But I just can't get it to work.

Hope some of this made any sense and all suggestions would be most
appreciated.

-SAto

OK, presumably you have some kind of no-nat access list like this at
site Y:-

access-list no-nat permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0

If so, change to this:-

access-list no-nat deny ip host 10.0.0.2 host 1.1.2.2
access-list no-nat permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0

Or maybe a Layer 4 rule so only SMTP from the server is not subjected
to NAT:-

access-list no-nat deny tcp host 10.0.0.2 host 1.1.2.2 eq smtp
access-list no-nat permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0

You may also need to add the deny rule to your Crypto Access-List
otherwise the PIX will still try to send the packets over the VPN.

I haven't been able to test the above as I no longer work on PIXes but
I think it should work.

James
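The point of James's ordering (deny before permit) is that PIX access lists are evaluated first-match. Below is an added example, not from this thread or from Cisco, that models that evaluation in Python over the exact no-nat lines above, so you can check which flows stay NAT-exempt (and so go through the tunnel) and which get NATed to 2.2.2.2. Assumptions: only the `permit|deny PROTO SRC DST [eq PORT]` syntax used in the thread is parsed, `smtp` maps to port 25, and an unmatched flow is treated as the implicit deny.

```python
# Added example (not the thread's own code): first-match evaluator for
# PIX-style access-list lines, applied to the no-nat list from the reply.
import ipaddress
from dataclasses import dataclass

PORTS = {"smtp": 25}  # only the keyword the thread uses


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0    # 0 = no port (e.g. ICMP)


def _addr(tokens):
    """Consume 'host A' or 'A MASK'; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules


def matches(acl, flow):
    """First-match lookup: 'permit', 'deny', or None for the implicit deny."""
    for action, proto, src, dst, port in acl:
        if proto not in ("ip", flow.proto):
            continue
        if ipaddress.ip_address(flow.src) not in src:
            continue
        if ipaddress.ip_address(flow.dst) not in dst:
            continue
        if port is not None and port != flow.dport:
            continue
        return action
    return None


# The Layer 4 variant from the reply: deny first, then the subnet permit.
NO_NAT = parse_acl("""
access-list no-nat deny tcp host 10.0.0.2 host 1.1.2.2 eq smtp
access-list no-nat permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0
""")

# Same two lines in the wrong order: the deny is never reached.
WRONG_ORDER = parse_acl("""
access-list no-nat permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0
access-list no-nat deny tcp host 10.0.0.2 host 1.1.2.2 eq smtp
""")


def nat_exempt(flow, acl=NO_NAT):
    """A flow is NAT-exempt (and tunnel-bound) only if the list permits it."""
    return matches(acl, flow) == "permit"
```

With `NO_NAT`, SMTP from 10.0.0.2 to 1.1.2.2 is not exempt (it gets NATed and leaves via the internet), while every other host and every other port on the mail server stays exempt; with `WRONG_ORDER` the SMTP flow is still exempt, which is the ordering mistake to watch for. The same `matches()` can be run over the crypto access-list James mentions to confirm the deny line is placed before its permit there too.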
