RE: Problem with ASA site to site VPN and Exchange

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Sun Jul 20 2008 - 15:54:22 ART


1. I would check the subnet mask of every interface or NIC card, just to
make sure they are correct. This should also include a check of the crypto
ACLs to make sure they are indeed symmetric.

2. Telnet from a host under .28 to the server behind the Checkpoint and see
if that works.

3. Then check the Exchange server's virtual SMTP server configuration.
Are you using bridgeheads or routing group connectors? Tell me more about
your Exchange setup.

4. Then check the Exchange server's SMTP log (you can turn this on in
the virtual SMTP server and set what will be logged...).

5. What type of Checkpoint firewalls are these: UTM? SPLAT? Nokia?

6. Checkpoint firewalls are famous with me for NATing when they should not
NAT (including heartbeat traffic between two Checkpoints). Do you have
SmartView Monitor up when this doesn't work? You can log between the servers
quite nicely in there.

Thank you,

Joe
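
A quick way to do the symmetric crypto ACL check from step 1 and the "is this host even in the tunnel" question behind step 2, as an added Python example that is not from this thread: it parses ASA-style access-list lines, verifies that the peer's ACL is the mirror image, and lists which hosts of a subnet fall outside the interesting-traffic definition. The ACL contents, the VPN-SITEA/VPN-SITEB names and the 10.10.0.0/24 remote network are constructed for illustration, not taken from Peter's configuration; the local entry is deliberately made to start at 192.168.100.28 so the script shows what such a gap looks like.

```python
import ipaddress
import re

# Constructed sample ACLs (not from the thread): the local side deliberately
# starts at 192.168.100.28, so hosts .1-.27 never match interesting traffic.
ASA_CRYPTO_ACL = """
access-list VPN-SITEB extended permit ip 192.168.100.28 255.255.255.252 10.10.0.0 255.255.255.0
access-list VPN-SITEB extended permit ip 192.168.100.32 255.255.255.224 10.10.0.0 255.255.255.0
"""
PEER_CRYPTO_ACL = """
access-list VPN-SITEA extended permit ip 10.10.0.0 255.255.255.0 192.168.100.28 255.255.255.252
access-list VPN-SITEA extended permit ip 10.10.0.0 255.255.255.0 192.168.100.32 255.255.255.224
"""

# Matches 'access-list NAME extended permit ip SRC SRCMASK DST DSTMASK'.
ACE_RE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_acl(text):
    """Return [(src_net, dst_net), ...] as IPv4Network pairs from ACL text."""
    pairs = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:  # ipaddress accepts dotted netmasks such as 255.255.255.252
            src = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            dst = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            pairs.append((src, dst))
    return pairs

def is_mirror(local, remote):
    """True when every local (src, dst) has a remote (dst, src) twin and vice versa."""
    return set(local) == {(dst, src) for src, dst in remote}

def is_interesting(acl, src_ip, dst_ip):
    """True when the src->dst flow matches an ACE, i.e. would enter the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)

def uncovered_hosts(acl, subnet):
    """Hosts in subnet that no ACE's source side covers (they bypass the tunnel)."""
    net = ipaddress.ip_network(subnet)
    return [str(h) for h in net.hosts() if not any(h in src for src, _ in acl)]

if __name__ == "__main__":
    local, peer = parse_acl(ASA_CRYPTO_ACL), parse_acl(PEER_CRYPTO_ACL)
    print("crypto ACLs symmetric:", is_mirror(local, peer))
    print(".27 interesting:", is_interesting(local, "192.168.100.27", "10.10.0.5"))
    gap = uncovered_hosts(local, "192.168.100.0/24")
    print(f"{len(gap)} hosts of 192.168.100.0/24 never enter the tunnel, e.g. {gap[:3]}")
```

Feed it the real `show running-config access-list` output from both ends (the Checkpoint side rewritten into the same line format) and any entry whose twin is missing, or any mailbox server address that lands in the uncovered list, is the first thing to look at.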

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Peter Grewal
Sent: Sunday, July 20, 2008 10:34 AM
To: ccielab@groupstudy.com
Subject: OT: Problem with ASA site to site VPN and Exchange

Guys,

I need some advice; this thing has my brain wrapped. I have a site-to-site
VPN tunnel using an ASA 5520 firewall (clustered) with an opposing Checkpoint
firewall. We are running two Exchange servers, one at either site, with user
mailboxes spread sporadically between the two. The problem that I have is
that mail is not flowing when my local Exchange server's IP address is
below 192.168.100.28; when it's set higher it works. If I run SMTP commands,
such as EHLO, it works, but I only get a limited set of verbiage. I've
checked both firewalls and Exchange servers; there are no subnet
restrictions, and the Exchange servers have been checked by Microsoft and they
look good. I can't figure out the restriction on addresses below .28. Anyone
got any suggestions? I figured it may be the inspection rules on the ASA for
SMTP; they have been disabled, and the same thing has been done on the
Checkpoint firewall.

Thank you.

Peter.



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART