ipsec tunnel and acl help!!


TT2 (IS-IT--Management), Oct 11, 2003
Folks, I'm really hoping someone can help me with this config. I'm new to this stuff and would really appreciate any help with it. I have two interfaces, both Ethernet: one with internet access and an associated VPN tunnel, the other on the inside to a host 192.168.1.10. Everything works fine with the exception of my SMTP traffic. I need all SMTP traffic to bypass the tunnel directly to the net, and to have a statement so that when my host 192.168.1.10 makes a connection, the mail server can respond directly back to 1.10. I know I need a statement to allow the traffic back to 1.10, but I'm not sure how it should look, or how to keep it secure without affecting everything else. Here are my ACLs. Thanks in advance for all replies.

TT

access-list 106 permit udp host 192.168.1.10 any eq snmp
access-list 106 permit icmp host 192.168.1.10 any
access-list 106 permit tcp host 192.168.1.10 any eq www
access-list 106 permit tcp host 192.168.1.10 any eq 443
access-list 106 permit tcp host 192.168.1.10 any eq smtp
access-list 106 permit tcp host 192.168.1.10 any eq ftp
access-list 106 permit tcp host 192.168.1.10 eq 1010 host xx.xxx.xxx.93
access-list 106 permit tcp host 192.168.1.10 eq 10000 host xx.xxx.xxx.93
access-list 106 permit tcp host 192.168.1.10 eq 8080 xxx.xxx.z.z 0.0.255.255
access-list 106 permit tcp host 192.168.1.10 eq 10000 xxx.xxx.z.z 0.0.255.255
access-list 106 permit tcp host 192.168.1.10 eq 8080 host xx.xxx.xxx.93

access-list 108 permit tcp host 192.168.1.10 any eq smtp
access-list 108 permit esp host xxx.x.x.13 host xx.xxx.xx.183
access-list 108 permit udp host xxx.x.x.13 host xx.xxx.xx.183 eq isakmp
access-list 108 permit icmp host 192.168.1.1 host 192.168.1.10
access-list 108 permit icmp host xxx.xxx.xx.251 host 192.168.1.10
access-list 108 permit udp xxx.xxx.z.0 0.0.255.255 eq snmp host 192.168.1.10
access-list 108 permit icmp xxx.xxx.z.z 0.0.255.255 host 192.168.1.10
access-list 108 permit tcp host xx.xxx.xx.209 host xx.xxx.xx.183 eq telnet
access-list 108 permit tcp xxx.xxx.z.z 0.0.255.255 host 192.168.1.10 eq ee
access-list 108 permit tcp xxx.xxx.z.z 0.0.255.255 host 192.168.1.10 eq 100vv
access-list 108 permit tcp host xx.xxx.xxx.93 host xx.xxx.xx.183 eq telnet
access-list 108 permit tcp host xx.xxx.xxx.93 host 192.168.1.10 eq 80ee
access-list 108 permit tcp host xx.xxx.xxx.93 host xx.xxx.xx.188 eq 80ee
access-list 108 permit tcp host xx.xxx.xxx.93 host xx.xxx.xx.188 eq 100vv
access-list 108 permit tcp host xx.xxx.xxx.93 host xx.xxx.x.188 eq telnet
 
Are you including the SMTP traffic in the VPN? If you are, the SMTP will be dropped because of the encryption requirement. (It's either going through the IPsec tunnel and showing up at the SMTP server encrypted, or it is tagged for encryption and not being encrypted, so it is then dropped, or a couple of other things can be happening. Just looking at the ACLs doesn't give enough information.) Can you post the full config?
 
Thanks cluebird for your response, and no, I don't want the SMTP traffic to go through the VPN tunnel. I want it to go directly out the same interface as the tunnel, because the tunnel interface is the one connected to the internet. I need 1.10, which is connected to my other interface, to be able to send and receive SMTP traffic. Thanks again for your response, as this is driving me crazy. Here is a copy of my config.

version 12.2
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname
!
logging buffered 4096 debugging
enable secret
enable password
!
memory-size iomem 10
ip subnet-zero
!
!
no ip domain lookup
!
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxx address xxx.x.1.13
!
crypto ipsec transform-set auth3 esp-3des esp-sha-hmac
!
crypto map gcmvpn 10 ipsec-isakmp
set peer xxx.x.1.13
set transform-set auth3
match address 105
!
voice call carrier capacity active
!
!
mta receive maximum-recipients 0
!
!
interface Loopback0
description ****Mgmt Interface****
ip address 10.1.1.1 255.255.255.252
!
interface FastEthernet0/0
description ****Outside Interface****
ip address xx.xxx.32.183 255.255.255.0
ip access-group 108 in
ip accounting output-packets
ip accounting access-violations
ip nat outside
no ip mroute-cache
duplex auto
speed 10
no cdp enable
crypto map
!
interface Ethernet1/0
ip address 192.168.1.1 255.255.255.0
ip access-group 106 in
ip accounting output-packets
ip accounting access-violations
ip nat inside
no ip mroute-cache
half-duplex
no cdp enable
!
ip nat inside source static tcp 192.168.1.10 8080 xx.xxx.32.188 8080 extendable
ip nat inside source static tcp 192.168.1.10 10000 xx.xxx0.32.188 10000 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xxx.32.177
ip route xxx.121.0.0 255.255.0.0 xxx.x.1.13
ip route xxx.121.180.239 255.255.255.255 xxx.x.1.13
ip route xxx.17.0.0 255.255.0.0 199.0.1.13
ip route xxx.x.1.13 255.255.255.255 xx.xxx.32.177
no ip http server
!
!
access-list 106 permit udp host 192.168.1.10 any eq snmp
access-list 106 permit icmp host 192.168.1.10 any
access-list 106 permit tcp host 192.168.1.10 any eq www
access-list 106 permit tcp host 192.168.1.10 any eq 443
access-list 106 permit tcp host 192.168.1.10 any eq smtp
access-list 106 permit tcp host 192.168.1.10 any eq ftp
access-list 106 permit tcp host 192.168.1.10 eq 1010 host xx.xxx.135.93
access-list 106 permit tcp host 192.168.1.10 eq 10000 host xx.xxx.135.93
access-list 106 permit tcp host 192.168.1.10 eq 8080 xxx.121.0.0 0.0.255.255
access-list 106 permit tcp host 192.168.1.10 eq 10000 xxx.121.0.0 0.0.255.255
access-list 106 permit tcp host 192.168.1.10 eq 8080 host xx.xxx.135.93
access-list 108 permit tcp any eq smtp host 192.168.1.10
access-list 108 permit esp host xxx.0.1.13 host xx.xxx.32.183
access-list 108 permit udp host xxx.0.1.13 host xx.xxx.32.183 eq isakmp
access-list 108 permit icmp host 192.168.1.1 host 192.168.1.10
access-list 108 permit icmp host xxx.121.95.xxx host 192.168.1.10
access-list 108 permit udp xxx.121.0.0 0.0.255.255 eq snmp host 192.168.1.10
access-list 108 permit icmp xxx.121.0.0 0.0.255.255 host 192.168.1.10
access-list 108 permit tcp xxx.121.0.0 0.0.255.255 host 192.168.1.10 eq 8080
access-list 108 permit tcp xxx.121.0.0 0.0.255.255 host 192.168.1.10 eq 10000
access-list 108 permit tcp host xx.xxx.135.93 host xx.xxx.32.183 eq telnet
access-list 108 permit tcp host xx.xxx.135.93 host 192.168.1.10 eq 8080
access-list 108 permit tcp host xx.xxx.135.93 host xx.xxx.32.188 eq 8080
access-list 108 permit tcp host xx.xxx.135.93 host xx.xxx.32.188 eq 10000
access-list 108 permit tcp host xx.xxx.135.93 host xx.xxx.32.188 eq telnet
no cdp run
!
route-map nonat2 permit 10
match ip address 122
!
route-map nonat permit 10
match ip address 123
set ip next-hop 10.1.1.2
!
snmp-server engineID local
snmp-server community
snmp-server enable traps tty
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
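The two versions of the first line of access-list 108 in this thread differ only in which side is source and which is destination, and that is the whole question: on an ACL applied inbound on the outside interface, "permit tcp host 192.168.1.10 any eq smtp" (first post) can never match a packet coming back from a mail server, because the packet's source is the mail server, not 1.10. "permit tcp any eq smtp host 192.168.1.10" (posted config) does match the reply, but it also matches any TCP packet from anywhere, including a fresh SYN, as long as the sender chose source port 25; the "established" keyword limits it to segments with ACK or RST set. The script below is an added example, not code from the thread or from Cisco: it parses numbered extended ACL lines in the syntax used above (any, host, wildcard masks, eq with port names or numbers, established), applies first-match-wins with the implicit deny, and checks the three variants against two constructed packets. All addresses in it other than 192.168.1.10 are RFC 5737 documentation addresses chosen for the example. One caveat the script does not model: on IOS the inbound ACL on the outside interface is evaluated before outside-to-inside NAT, so for a flow that is translated the entry has to name the global address, while an entry for 192.168.1.10 only matches packets that actually arrive addressed to the private host (for instance after IPsec decryption).

```python
"""Evaluate Cisco IOS numbered extended ACL lines against sample packets.

Added example, not code from the thread. Addresses other than 192.168.1.10
are constructed from RFC 5737 documentation ranges; the port-name table is
partial (only names used in the thread).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "ftp": 21, "telnet": 23,
              "snmp": 161, "isakmp": 500, "domain": 53}


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", "esp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP only: True unless the segment is a bare SYN


@dataclass
class Ace:
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    sport: Optional[int]
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool
    text: str


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard: 0 bits must match, 1 bits are don't-care.
    Only contiguous wildcards (e.g. 0.0.255.255, as in the thread) are accepted."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def parse_ace(line: str) -> Ace:
    """access-list N permit|deny PROTO SRC [eq PORT] DST [eq PORT] [established]
    where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    pos = 4

    def read_addr() -> ipaddress.IPv4Network:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        if toks[pos] == "host":
            pos += 2
            return ipaddress.IPv4Network(f"{toks[pos - 1]}/32")
        pos += 2
        return wildcard_to_network(toks[pos - 2], toks[pos - 1])

    def read_port() -> Optional[int]:
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            tok = toks[pos - 1]
            return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)
        return None

    src, sport = read_addr(), read_port()
    dst, dport = read_addr(), read_port()
    established = pos < len(toks) and toks[pos] == "established"
    return Ace(toks[2], toks[3], src, sport, dst, dport, established, line)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src_net:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst_net:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    # 'established' matches only TCP segments with ACK or RST set, so the
    # initial SYN of a connection opened from outside never matches it.
    if ace.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
        return False
    return True


def evaluate(acl: List[str], pkt: Packet) -> Tuple[bool, str]:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if matches(ace, pkt):
            return ace.action == "permit", ace.text
    return False, "implicit deny"


# Constructed traffic: the mail server's reply to a connection opened by
# 192.168.1.10, and an unsolicited SYN from a stranger using source port 25.
INSIDE_HOST = "192.168.1.10"
SMTP_REPLY = Packet("tcp", "198.51.100.25", INSIDE_HOST, sport=25, dport=40123, ack_or_rst=True)
STRANGER_SYN = Packet("tcp", "203.0.113.7", INSIDE_HOST, sport=25, dport=445, ack_or_rst=False)

ACL_VARIANTS = {
    "outbound_form": ["access-list 108 permit tcp host 192.168.1.10 any eq smtp"],
    "return_form": ["access-list 108 permit tcp any eq smtp host 192.168.1.10"],
    "return_established": ["access-list 108 permit tcp any eq smtp host 192.168.1.10 established"],
}


def check_variants() -> dict:
    """For each variant: (reply permitted?, stranger's SYN permitted?)."""
    return {name: (evaluate(acl, SMTP_REPLY)[0], evaluate(acl, STRANGER_SYN)[0])
            for name, acl in ACL_VARIANTS.items()}


if __name__ == "__main__":
    for name, (reply_ok, syn_ok) in check_variants().items():
        print(f"{name:20s} reply permitted={reply_ok!s:5s} stranger SYN permitted={syn_ok}")
```

Running it shows the outbound form permitting neither packet, the return form permitting both, and the established form permitting only the reply. The matcher is stateless, exactly like the ACL: "established" checks TCP flag bits, not whether the router ever saw 1.10 open the connection, so it still lets through ACK-flagged probes; it just keeps the line from being an open door for new connections.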
 
Thanks guys for all replies. I got it working with an additional statement in my ACL.
 