I have a Cisco 1811 Intergrated Services Router which has been in operation for over a year. It also provides VPN access for the Cisco dialer VPN and three small remote offices with PIX 501s connected back to the main office. All worked well, except I discovered the outbound e-mail came from an incorrect IP address. I want the SMTP to show from 24.227.206.180, but it shows from 24.227.206.178. 192.168.10.111 is the e-mail server. It is also a DNS/WINS server. I do not want to change the public DNS records. Below is a partial config showing the VPN, ACLs, etc. I have tried some changes, but each try created a different problem.
Thanks.
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key *********
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn3000
key *********
dns 192.168.10.111 192.169.10.200
wins 192.168.10.111
domain monier.ajmonier.com
pool CLIENTPOOL
acl split
split-dns monier.ajmonier.com
netmask 255.255.255.0
crypto isakmp profile VPNclient
description VPN clients profile
match identity group vpn3000
isakmp authorization list groupauthor
client configuration address respond
crypto isakmp profile L2L
description LAN-to-LAN for spoke routers connections
keyring spokes
match identity address 0.0.0.0
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
set security-association idle-time 34200
set transform-set myset
set isakmp-profile VPNclient
reverse-route
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile L2L
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address 24.227.206.178 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map mymap
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip local pool CLIENTPOOL 192.168.11.150 192.168.11.199
ip route 0.0.0.0 0.0.0.0 24.227.206.177
ip nat inside source list 100 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.10.111 21 24.227.206.180 21 extendable
ip nat inside source static tcp 192.168.10.111 25 24.227.206.180 25 extendable
ip nat inside source static tcp 192.168.10.111 80 24.227.206.180 80 extendable
ip nat inside source static tcp 192.168.10.111 3389 24.227.206.180 3389 extendable
!
ip access-list extended split
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
Thanks.
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key *********
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn3000
key *********
dns 192.168.10.111 192.169.10.200
wins 192.168.10.111
domain monier.ajmonier.com
pool CLIENTPOOL
acl split
split-dns monier.ajmonier.com
netmask 255.255.255.0
crypto isakmp profile VPNclient
description VPN clients profile
match identity group vpn3000
isakmp authorization list groupauthor
client configuration address respond
crypto isakmp profile L2L
description LAN-to-LAN for spoke routers connections
keyring spokes
match identity address 0.0.0.0
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
set security-association idle-time 34200
set transform-set myset
set isakmp-profile VPNclient
reverse-route
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile L2L
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address 24.227.206.178 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map mymap
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip local pool CLIENTPOOL 192.168.11.150 192.168.11.199
ip route 0.0.0.0 0.0.0.0 24.227.206.177
ip nat inside source list 100 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.10.111 21 24.227.206.180 21 extendable
ip nat inside source static tcp 192.168.10.111 25 24.227.206.180 25 extendable
ip nat inside source static tcp 192.168.10.111 80 24.227.206.180 80 extendable
ip nat inside source static tcp 192.168.10.111 3389 24.227.206.180 3389 extendable
!
ip access-list extended split
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any