*some* return traffic not going through vpn tunnel (although not all)

Very strange problem, my guess is a configuration error. Clients connecting to an 1841 with a VPN tunnel endpoint on its Dialer0 interface (ADSL WIC on an ISDN line) have no trouble accessing LAN resources (file shares, Exchange mailboxes via a MAPI client, ping, etc.). However, when configuring an IMAP connection on a remote VPN client, outgoing email would not send. The strange thing is that the port 143 traffic between the client and IMAP server flows properly.

It turns out that port 25 traffic correctly flows from the client to the SMTP server, but that return traffic from the server to the client does not flow back through the VPN tunnel. Instead it routes back out through the public IP address. Can anyone offer a suggestion? (And please feel free to comment on the config in general, i.e. unnecessary ACL entries, etc.)

The VPN address pool is 10.10.10.0/24. The LAN subnet is 10.0.0.0/24. Host 10.0.0.209 is the SMTP server. xxx.xxx.xxx.xxx is the public IP address on Dialer0. The packet trace and startup-config follow:

12/16-07:14:47.757578 10.10.10.17:3753 -> 10.0.0.209:25
TCP TTL:128 TOS:0x0 ID:10758 IpLen:20 DgmLen:48 DF
******S* Seq: 0x65389798 Ack: 0x0 Win: 0x8000 TcpLen: 28
TCP Options (4) => MSS: 1260 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/16-07:14:47.845437 xxx.xxx.xxx.xxx:25 -> 10.10.10.17:3753
TCP TTL:127 TOS:0x0 ID:23397 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x4AE8EFC0 Ack: 0x65389799 Win: 0x44E8 TcpLen: 28
TCP Options (4) => MSS: 1452 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

version 12.3
no service pad
service timestamps debug datetime
service timestamps log datetime
service password-encryption
sntp server yyy.yyy.yyy.yyy
clock timezone WET +1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret *****
username admin privilege 15 password *****
!
!
!
!
ip nat inside source list 110 interface dialer0 overload
!
! incoming session-initiating packets
ip nat inside source static tcp 10.0.0.209 25 interface dialer0 25
! exchange smtp virtual server
ip nat inside source static tcp 10.0.0.209 80 interface dialer0 80
! exchange owa access
ip nat inside source static tcp 10.0.0.209 443 interface dialer0 443
! exchange owa access - ssl
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
crypto
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip subnet-zero
ip local pool myvpnippool 10.10.10.1 10.10.10.255
ip name-server zzz.zzz.zzz.10 zzz.zzz.zzz.253
ip domain-lookup
ip domain-name corp.*******.org
ip tftp source-interface Dialer0
no ip finger
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
no ip source-route
ip cef
ip tcp synwait-time 10
ip ips po max-events 100
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ftp-server write-enable
logging trap debugging
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 110
!
aaa new-model
aaa authentication login aaa-authenticated local
aaa authorization network aaa-authorized local
!
!
!
crypto isakmp policy 1
 encryption aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp policy 2
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
!
crypto isakmp nat keepalive 18
!
!
crypto isakmp client configuration group vpn-client-group
 key *****
 dns 10.0.0.208 10.0.0.209
 domain corp.*******.org
 pool myvpnippool
 acl 100
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set myset
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list aaa-authenticated
crypto map SDM_CMAP_1 isakmp authorization list aaa-authorized
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
! no nat for vpn
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
access-list 120 permit udp any any eq isakmp log
! port 500
access-list 120 permit udp any any eq non500-isakmp log
! port 4500 nat-t
access-list 120 permit esp any any
! protocol 50
access-list 120 permit ahp any any
! protocol 51
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
! vpn address pool
!
!
access-list 120 deny ip host 0.0.0.0 any log
!
access-list 120 deny ip 172.16.0.0 0.15.255.255 any log
access-list 120 deny ip 192.168.0.0 0.0.255.255 any log
!
access-list 120 deny ip 224.0.0.0 15.255.255.255 any log
!
access-list 120 deny ip 255.0.0.0 0.255.255.255 any log
!
access-list 120 deny ip 127.0.0.0 0.255.255.255 any log
!
!
access-list 120 permit udp host zzz.zzz.zzz.10 eq 53 any
! dns
access-list 120 permit udp host zzz.zzz.zzz.253 eq 53 any
! dns2
!
access-list 120 permit tcp any any eq 25
!
access-list 120 deny ip 10.0.0.0 0.255.255.255 any log
!
access-list 120 permit tcp any any eq 443
!
access-list 120 permit icmp any any 3 0 log
!net-unreachable
access-list 120 permit icmp any any 3 1 log
!host-unreachable
access-list 120 permit icmp any any 3 3 log
!port-unreachable
access-list 120 permit icmp any any 3 4 log
!packet-too-big
access-list 120 permit icmp any any 3 13 log
!administratively-prohibited
access-list 120 permit icmp any any 4
!source-quench
access-list 120 permit icmp any any 11 0 log
!ttl-exceeded
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any echo
access-list 120 deny icmp any any
!
access-list 120 permit udp host yyy.yyy.yyy.yyy eq 123 any eq 123
!
access-list 120 deny tcp any any eq 23
access-list 120 deny udp any any eq 23
!
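A constructed model of the NAT decision this configuration makes, added here as an example (it is not the poster's configuration or IOS code). It assumes the simplified IOS rule that a static PAT entry is matched on inside address and port alone, regardless of destination, while the dynamic overload entry is gated by ACL 110; with the addresses from the post it reproduces the trace (the port 25 reply rewritten to the Dialer0 address, so it no longer matches crypto ACL 100) and the working port 143 reply. The placeholder public address and the simplified overload port handling are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the NAT rules in the poster's config; not IOS code.
LAN = ip_network("10.0.0.0/24")          # inside LAN
VPN_POOL = ip_network("10.10.10.0/24")   # myvpnippool
PUBLIC_IP = "xxx.xxx.xxx.xxx"            # placeholder for the Dialer0 address
SMTP_SERVER = "10.0.0.209"

# Static PAT entries from the config: (inside ip, inside port) -> Dialer0 port.
# There is no static entry for IMAP (143), which is why that return path works.
STATIC_PAT = {(SMTP_SERVER, 25): 25, (SMTP_SERVER, 80): 80, (SMTP_SERVER, 443): 443}


def acl_110_permits(src, dst):
    """ACL 110, which gates the dynamic overload entry:
    deny LAN -> VPN pool, then permit LAN -> any and VPN pool -> any."""
    s, d = ip_address(src), ip_address(dst)
    if s in LAN and d in VPN_POOL:
        return False
    return s in LAN or s in VPN_POOL


def nat_inside_to_outside(src, sport, dst, static_honours_acl=False):
    """Return (src, sport) as seen after NAT for a packet from an inside host.

    static_honours_acl=False models the trace: a static PAT entry is applied
    by source address/port alone, regardless of destination, so the SYN-ACK
    leaves with the public address and no longer matches crypto ACL 100.
    True models the static entry being gated by the same no-NAT condition
    (assumed fix, e.g. a route-map on the static entry; exact CLI not shown).
    """
    if (src, sport) in STATIC_PAT:
        if static_honours_acl and not acl_110_permits(src, dst):
            return src, sport
        return PUBLIC_IP, STATIC_PAT[(src, sport)]
    if acl_110_permits(src, dst):
        return PUBLIC_IP, sport  # overload; port reuse/allocation simplified
    return src, sport


# Replies to the VPN client 10.10.10.17: the SMTP one from the trace, plus IMAP.
SMTP_REPLY = nat_inside_to_outside(SMTP_SERVER, 25, "10.10.10.17")
IMAP_REPLY = nat_inside_to_outside(SMTP_SERVER, 143, "10.10.10.17")
SMTP_REPLY_FIXED = nat_inside_to_outside(SMTP_SERVER, 25, "10.10.10.17", True)

if __name__ == "__main__":
    print("SMTP reply to VPN client :", SMTP_REPLY)        # public address, leaves tunnel
    print("IMAP reply to VPN client :", IMAP_REPLY)        # untranslated, stays in tunnel
    print("SMTP reply, gated static :", SMTP_REPLY_FIXED)
```

The static_honours_acl=True path shows what the fix has to achieve: the static SMTP entry must be exempted for destinations in the VPN pool the same way ACL 110 already exempts the dynamic entry.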
b0rez

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.