Re: Pix 501 Tunnelling problem

SAto wrote:
Hi, I'm not too familiar with PIX and VPN tunnels and have run into a

I've got the following setup

Site X Site Y

/ \---------VPN-------------/ \
(Mail server) (Mail server)
(ip (private IP

The tunnel allows traffic from the whole net of site X
to the whole net of site Y with NAT exemption.

This works correctly for all applications, except mail.
When the mail server at site X looks up the MX record of site Y it
sees the NATed address of and not the real address of So the SMTP session is set up over the internet from site X,
but when the site Y mail server tries to respond the PIX sends the traffic
through the tunnel to site X and it gets dropped because of asymmetrical
routing (wrong source IP).

I do not administer site X and cannot change mx record to the private
address and have therefore tried to force traffic from the mail server
at site Y to go over the internet as opposed to the tunnel when sending
to the mail server at site X. But I just can't get it to work.

Hope some of this made any sense and all suggestions would be most


OK, presumably you have some kind of no-NAT access list like this at
site Y:-

access-list no-nat permit ip

If so, change to this:-

access-list no-nat deny ip host host
access-list no-nat permit ip

Or maybe a Layer 4 rule so only SMTP from the server is not subjected
to NAT:-

access-list no-nat deny tcp host host eq smtp
access-list no-nat permit ip

You may also need to add the deny rule to your Crypto Access-List
otherwise the PIX will still try to send the packets over the VPN.

I haven't been able to test the above as I no longer work on PIX's but
I think it should work.
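As an added illustration (not the poster's config, and not tested on a PIX any more than the suggestion above was), here is what the two lists look like once both carry the deny entry. All addresses are constructed placeholders: 192.168.20.0/24 is the site Y inside net with the mail server at 192.168.20.25, and 203.0.113.0/24 is the site X range the tunnel covers, with 203.0.113.25 being the address the MX record of site X resolves to.

```cisco
! PIX 6.x syntax. Addresses below are constructed placeholders, not from the thread.
!
! The PIX evaluates an ACL top-down and stops at the first match, so the deny
! line has to sit above the permit line or it never fires. For the deny to do
! anything, its destination (the site X MX address) must fall inside the range
! the permit line covers; here 203.0.113.25 is inside 203.0.113.0/24.

! 1. NAT exemption (nat 0): denied traffic is NOT exempt, so the SMTP session
!    from the site Y mail server to the site X MX address gets NATed like any
!    other internet-bound flow, while the rest of the site-to-site traffic
!    keeps its private addresses.
access-list no-nat deny tcp host 192.168.20.25 host 203.0.113.25 eq smtp
access-list no-nat permit ip 192.168.20.0 255.255.255.0 203.0.113.0 255.255.255.0
nat (inside) 0 access-list no-nat

! Ordinary PAT for everything the exemption list does not cover.
nat (inside) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface

! 2. Crypto ACL: the same deny keeps the flow out of the "interesting traffic"
!    definition, so the PIX routes it to the internet instead of the tunnel.
!    Without this, the nat 0 change alone is not enough.
access-list vpn-to-x deny tcp host 192.168.20.25 host 203.0.113.25 eq smtp
access-list vpn-to-x permit ip 192.168.20.0 255.255.255.0 203.0.113.0 255.255.255.0
crypto map outside_map 10 match address vpn-to-x
```

Keep the deny scoped to the exact host pair and port as shown: anything it matches leaves the tunnel and travels over the internet unencrypted, so a broader deny (for example `ip` instead of `tcp ... eq smtp`) would quietly move more site traffic out of the VPN than intended.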


