If you are deploying Exchange 2007/Exchange 2010 Server across multiple Active Directory sites, with a Cisco ASA firewall terminating the VPN tunnel between them, you will likely run into the issues below:

1. Users can only send email to recipients within the same Active Directory site.

2. When users try to send email to the next hop/Active Directory site, the Exchange queue shows a Retry status: 451 4.4.0 Primary target IP address responded with “451 5.7.3 Cannot achieve Exchange Server authentication” on the SMTPRelay to remote AD Site queue.

3. When you telnet to port 25 between the Exchange servers at either site, the banner comes back masked with asterisks instead of the normal greeting: 220*************

The only way to fix this is through the firewall's command-line interface (CLI); enter the following commands:

telnet YourCiscoManagementIP

device password (default is usually cisco)

en

password (the management/enable password)

no fixup protocol smtp 25

write mem

Remember to run these commands on the firewall at each site. Once that is done, telnet to the Exchange server on port 25 and you should get a normal banner:

220 ExchangeServerHostName.Domain.com Microsoft ESMTP MAIL Service ready at Day, Date Month Year, Hour:Minute:Seconds +TimeZone
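As an added check (example code, not from the original post), the probe below reads the SMTP banner and the EHLO reply from a server across the tunnel, flags the asterisk-masked banner described above, and reports whether the extensions Exchange 2007/2010 uses for Exchange Server authentication (X-ANONYMOUSTLS, X-EXPS) are still advertised; the host names and sample replies are constructed assumptions.

```python
import re
import socket

# Masked greeting seen while the firewall is still inspecting SMTP:
# "220" followed by a run of asterisks instead of the server name.
MASKED_BANNER = re.compile(r"^220\s*\*{3,}\s*$")

# EHLO keywords Exchange 2007/2010 Hub Transport advertises for
# Exchange Server authentication between AD sites (assumed list).
EXCHANGE_AUTH_EXTS = ("X-ANONYMOUSTLS", "X-EXPS")


def classify_banner(banner: str) -> str:
    """Return 'masked', 'esmtp' or 'other' for a raw SMTP greeting line."""
    line = banner.strip()
    if MASKED_BANNER.match(line):
        return "masked"
    if line.startswith("220 ") and "ESMTP" in line.upper():
        return "esmtp"
    return "other"


def parse_ehlo(reply: str) -> list:
    """Extract extension keywords from a multi-line 250 EHLO reply."""
    exts = []
    for i, line in enumerate(reply.strip().splitlines()):
        text = line[4:].strip() if line.startswith("250") else ""
        if i == 0 or not text:      # first line is the greeting, not an extension
            continue
        exts.append(text.split()[0].upper())
    return exts


def missing_exchange_exts(exts) -> list:
    """Which Exchange authentication extensions did not make it through."""
    return [e for e in EXCHANGE_AUTH_EXTS if e not in exts]


def probe(host: str, port: int = 25, timeout: float = 5.0) -> dict:
    """Connect to the peer Exchange server, read the banner, send EHLO."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024).decode("ascii", "replace")
        s.sendall(b"EHLO probe.example.local\r\n")  # constructed HELO name
        reply = b""
        while not re.search(rb"(?m)^250 ", reply):  # last line uses '250 '
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
        s.sendall(b"QUIT\r\n")
    exts = parse_ehlo(reply.decode("ascii", "replace"))
    return {"banner": classify_banner(banner), "extensions": exts,
            "missing": missing_exchange_exts(exts)}
```

Run `probe("exchange-site-b.example.local")` from a server in the other site; a "masked" banner or a non-empty "missing" list means inspection is still in the path.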