How do I: VPN all traffic except SMTP?

[captaintuba]

I have a site-to-site VPN working from our HQ to an ISP.
All traffic goes down the VPN tunnel and is not natted.

Now I need to stop SMTP traffic destined for the ISP going down the VPN tunnel.

Here's why:
The ISP needs to send reports back using SMTP from a machine in the VPN network. They send all their mail over their Internet link and not down the VPN tunnel.

This is what I think happens:
I end up with asymetric comms.
Incoming mail from the ISP comes from the Internet and our PIX recognises the source as an IP address down the VPN tunnel and sends the reply down the VPN. FOOBAR

My first attempt at a fix was:
I tried to add an ACL with a DENY the SMTP e.g.

access-list VPN deny tcp host X host ISP eq smtp

I think it did not work because there is a permit statement higher up:

access-list VPN permit ip ins.ide.net.0 host ISP

So what can I do?
Do I need to DENY SMTP traffic in my NO-NAT acl too?
Do I need to do some split-tunnel stuff?

Thanks C.T.
P.S. How do you sort out the order of an ACL?
Use notepad - cut & paste? e.g.
Copy the access-list twice into notepad
Add NO to the beginning of each line of the first set of acls
Re-arrange the second set of ACLs into the right order
Conf T cut and paste the ACL back

 

[routerman]

CT, you need to allow the SMTP traffic in via ACL and static as normal, then deny the smtp traffic in your NAT 0 ACL. I think you are correct in saying that the return traffic is going down the VPN.

When building the NAT 0 ACL, deny the smtp traffic first, then permit the rest of the traffic. Dont forget to `clear xlate' when you apply this.

Would be a lot easier if the ISP could talk via your VPN, that is the point of site to site VPN's surely

 

[swj38]

You can do this with split-tunneling I think.

Set up a split tunnel that denies smtp to the ISP system and allow everything else:

access-list splitTunnelAclname deny smtp (internal Network) (ISP system)
access-list splitTunnelAclname permit ip any any
vpngroup (pool name) split-tunnel (splitTunnelAclname)

Hope this helps

 

[captaintuba]

I finally got back to site to try to fix this problem.

This is what happens when the ISP sends email to the exchange server:
- I see the outside_access_in ACL trigger PERMIT SMTP in
- SMTP Packet received by Exchange server
- Exchange server responds on high number port to ISP-mail server
- VPN access-list denys tcp host Exchange host ISP-mail and stops traffic from being encrypted
- NO-NAT access-list does NOT deny tcp host Exchange host ISP-mail
- Outgoing packet is NOT-NATTED (as if it were going down the VPN) so the returning SMTP packet goes back with an Internal IP address and the sending mail server gets confused.

What I don't have working is:
access-list NO-NAT deny tcp host Exchange host ISP-mail
access-list NO-NAT permit ip CORP-LAN ISP-LAN

The first line of the ACL does not trigger, but the second line does trigger.
The syntax is the same as the ACL used to decide if it should be encrypted (which works) e.g.
access-list VPN deny tcp host Exchange host ISP-mail

I used cut and paste into notepad to remove, edit and replace the ACLs. Each time making sure the ACL was reapplied. (I noticed that if you remove an ACL - it automatically removed itself from the interface).

I used show access-list to monitor the hitcnt of the relevant acls.

Any ideas?
C.T.
P.S. I'll clean up the actual config and post it if it helps.

 

[routerman]

When you change the ACL entries associated with the NO-NAT did you issue the CLEAR XLAT command as well?

This needs to be done each time you change any ACL's associated with NAT.

If your still having problems then post the config.

 

[captaintuba]

I've just had the customer do another

clear xlate

and test again. It didn't work so I'll sanitise the config and post it ASAP.

 

[captaintuba]

Here's the config.
The internal email server is LAN.LAN.LAN.12

Note that the email server is defined with this static:

static (inside,outside) tcp interface smtp LAN.LAN.LAN.12 smtp netmask 255.255.255.255 0 0

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 10baset
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security20
enable password SECRET encrypted
passwd SECRET encrypted
hostname PIX1
domain-name company.co.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no names

INSIDE
access-list inside_access_in permit ip any any

OUTSIDE IN
access-list outside_access_in permit tcp any host XXX.YYY.ZZZ.120 eq www
access-list outside_access_in permit tcp any host XXX.YYY.ZZZ.123 eq ftp
access-list outside_access_in permit tcp any host XXX.YYY.ZZZ.123 eq ftp-data
access-list outside_access_in permit tcp any host XXX.YYY.ZZZ.124 eq www
access-list outside_access_in permit tcp any host XXX.YYY.ZZZ.125 eq www
access-list outside_access_in permit tcp any host XXX.YYY.ZZZ.124 eq https
access-list outside_access_in permit tcp any host XXX.YYY.ZZZ.125 eq https
access-list outside_access_in permit tcp any host XXX.YYY.ZZZ.120 eq smtp
access-list outside_access_in permit tcp any any eq smtp

VPN to ISP
access-list 80 permit ip LAN.LAN.LAN.0 255.255.255.0 10.44.52.0 255.255.255.0

VPN to ISP
access-list 90 permit ip LAN.LAN.LAN.0 255.255.255.0 host ISP.ISP.ISP.170
access-list 90 permit ip host DMZ.DMZ.DMZ.54 host ISP.ISP.ISP.170

NO-NAT
access-list 100 deny tcp host LAN.LAN.LAN.12 host ISP.ISP.ISP.45
access-list 100 deny tcp host LAN.LAN.LAN.12 host ISP.ISP.ISP.170
access-list 100 deny tcp host LAN.LAN.LAN.52 host ISP.ISP.ISP.45
access-list 100 deny tcp host LAN.LAN.LAN.52 host ISP.ISP.ISP.170
access-list 100 permit ip LAN.LAN.LAN.0 255.255.255.0 10.44.52.0 255.255.255.0
access-list 100 permit ip LAN.LAN.LAN.0 255.255.255.0 host ISP.ISP.ISP.170
access-list 100 permit ip LAN.LAN.LAN.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip LAN.LAN.LAN.0 255.255.255.0 host ISP.ISP.ISP.45
access-list 100 permit ip LAN.LAN.LAN.0 255.255.255.0 host ISP.ISP.ISP.46
access-list 100 permit ip host DMZ.DMZ.DMZ.54 host ISP.ISP.ISP.45
access-list 100 permit ip host DMZ.DMZ.DMZ.54 host ISP.ISP.ISP.170

VPN to ISP
access-list 50 deny tcp host LAN.LAN.LAN.12 host ISP.ISP.ISP.45
access-list 50 deny tcp host LAN.LAN.LAN.52 host ISP.ISP.ISP.45
access-list 50 permit ip LAN.LAN.LAN.0 255.255.255.0 host ISP.ISP.ISP.46
access-list 50 permit ip LAN.LAN.LAN.0 255.255.255.0 host ISP.ISP.ISP.45
access-list 50 permit ip host DMZ.DMZ.DMZ.54 host ISP.ISP.ISP.45

DMZ access in
access-list dmz1_access_in permit icmp any any
access-list dmz1_access_in permit tcp host DMZ.DMZ.DMZ.42 host LAN.LAN.LAN.12 eq smtp

pager lines 24
logging on
logging timestamp
logging buffered debugging
logging history informational
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
ip address outside XXX.YYY.ZZZ.115 255.255.255.240
ip address inside LAN.LAN.LAN.1 255.255.255.0
ip address dmz1 DMZ.DMZ.DMZ.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool DIALINCLIENTS 192.168.1.1-192.168.1.254
pdm location LAN.LAN.LAN.10 255.255.255.255 inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz1) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 DMZ.DMZ.DMZ.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp LAN.LAN.LAN.12 smtp netmask 255.255.255.255 0 0
static (inside,outside) XXX.YYY.ZZZ.121 LAN.LAN.LAN.11 netmask 255.255.255.255 0 0
static (inside,outside) XXX.YYY.ZZZ.120 LAN.LAN.LAN.52 netmask 255.255.255.255 0 0
static (dmz1,outside) XXX.YYY.ZZZ.124 DMZ.DMZ.DMZ.53 netmask 255.255.255.255 0 0
static (dmz1,outside) XXX.YYY.ZZZ.125 DMZ.DMZ.DMZ.55 netmask 255.255.255.255 0 0
static (dmz1,outside) XXX.YYY.ZZZ.123 DMZ.DMZ.DMZ.49 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz1_access_in in interface dmz1
route outside 0.0.0.0 0.0.0.0 XXX.YYY.ZZZ.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ISP_VPNvpn esp-des esp-sha-hmac
crypto ipsec transform-set DIALINCLIENTS esp-des esp-md5-hmac
crypto dynamic-map dynomap 90 set transform-set DIALINCLIENTS
crypto map ISP_VPN 10 ipsec-isakmp
crypto map ISP_VPN 10 match address 80
crypto map ISP_VPN 10 set peer AAA.BBB.CCC.49
crypto map ISP_VPN 10 set transform-set ISP_VPNvpn
crypto map ISP_VPN 20 ipsec-isakmp
crypto map ISP_VPN 20 match address 90
crypto map ISP_VPN 20 set peer ISP.ISP.ISP.163
crypto map ISP_VPN 20 set transform-set ISP_VPNvpn
crypto map ISP_VPN 30 ipsec-isakmp
crypto map ISP_VPN 30 match address 50
crypto map ISP_VPN 30 set peer ISP.ISP.ISP.35
crypto map ISP_VPN 30 set transform-set ISP_VPNvpn
crypto map ISP_VPN 90 ipsec-isakmp dynamic dynomap
crypto map ISP_VPN client configuration address initiate
crypto map ISP_VPN interface outside
isakmp enable outside
isakmp key ******** address ISP.ISP.ISP.35 netmask 255.255.255.255
isakmp key ******** address AAA.BBB.CCC.49 netmask 255.255.255.255
isakmp key ******** address ISP.ISP.ISP.163 netmask 255.255.255.255
isakmp identity address
isakmp policy 6 authentication pre-share
isakmp policy 6 encryption des
isakmp policy 6 hash sha
isakmp policy 6 group 1
isakmp policy 6 lifetime 86400
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 1200
vpngroup DIALINVPN address-pool DIALINCLIENTS
vpngroup DIALINVPN dns-server LAN.LAN.LAN.11 LAN.LAN.LAN.16
vpngroup DIALINVPN split-tunnel 100
vpngroup DIALINVPN idle-time 1800
vpngroup DIALINVPN password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:4f3be887c8b95bf35230f1c6408cb6c7
: end
[OK]

 

[captaintuba]

routerman, swj38 I just found out that my approach is fundamentally flawed:

access-list 100 deny tcp host LAN.LAN.LAN.12 host ISP.ISP.ISP.45
nat (inside) 0 access-list 100

deny is not a supported command in nat 0 (identity NAT) commands.

Time to read up on split tunnels.
More later
Cheers C.T.