https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021647#M400661 <HTML><HEAD></HEAD><BODY><P>Ok,</P><P></P><P>Attempt Number 2.</P><P></P><P>Heres my test configurations.</P><P></P><UL><LI>First 2 "object network" configurations define port forwards for connections coming from Internet to the local servers. (HTTPS there just to simulate your other port forwards)</LI><LI>The following 2 "object network/service" configurations are configured to be used in the actual NAT configuration that would in your case NAT the outbound TCP/25/SMTP traffic to the desired public IP address</LI><LI>The last NAT configuration can be considered a default PAT configuration for all the outbound connections that dont have a specific NAT configuration</LI></UL><P></P><P></P><P><STRONG>object network SMTP-SERVER</STRONG></P><P><STRONG> host 10.10.10.123</STRONG></P><P><STRONG> nat (inside,outside) static 1.2.3.4 service tcp smtp smtp</STRONG></P><P></P><P><STRONG>object network HTTPS-SERVER</STRONG></P><P><STRONG> host 10.10.10.124</STRONG></P><P><STRONG> nat (inside,outside) static 1.2.3.4 service tcp https https</STRONG></P><P></P><P></P><P><STRONG>object network SMTP-SERVER-PUBLIC</STRONG></P><P><STRONG> host 1.2.3.4</STRONG></P><P></P><P><STRONG>object service SMTP</STRONG></P><P><STRONG> service tcp destination eq smtp</STRONG></P><P></P><P><STRONG>nat (inside,outside) source static SMTP-SERVER SMTP-SERVER-PUBLIC service SMTP SMTP</STRONG></P><P></P><P><STRONG>nat (inside,outside) after-auto source dynamic any interface</STRONG></P><P></P><P></P><P>I guess you could try your own version of the above. To be honest the actual configuration that does the NAT for outbound SMTP traffic isnt that clear to me either. Should cheat and check the command reference myself. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>I'm not 100% sure if the above NAT configuration might conflict with some future configuration in its current form.</P><P></P><P>Hope this helps</P><P></P><P>- Jouni</P><P></P><P>EDIT: If you havent already used, you can use "packet-tracer" command to check whats happening with NAT before and after the configurations. And ofcourse "show xlate" etc.</P></BODY></HTML> Mon, 20 Aug 2012 10:16:13 GMT Jouni Forss 2012-08-20T10:16:13Z https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021641#M400655 <P>Hi!</P><P></P><P>There is something wrong with the ordering of our NAT-rules.</P><P>We are running ASA Version 8.4(2)8 and the nat config is pasted below.</P><P></P><P>I want outgoing smtp-traffic to be translated to xxx.yyy.zzz.18, but instead it's translated to xxx.yyy.zzz.20 (the outside-interface address).</P><P>The same goes for ftp-traffic, according to packettracer this is also translated to the xxx.yyy.zzz.20.</P><P></P><P>Ciscos manual states that static nat rules takes precedence over dynamic nat but that doesn't seem to work for us.</P><P></P><P>Can you guy's see anything wrong with the config below?</P><P></P><P></P><P></P><P>nat (Outside,Inside) source static Company-VPN Company-VPN</P><P>!</P><P>object network Company-LAN</P><P>nat (any,Outside) dynamic interface</P><P>object network Server21</P><P>nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp ftp ftp </P><P>object network Server55443</P><P>nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 55443 55443 </P><P>object network Server443</P><P>nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp https https </P><P>object network Server993</P><P>nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 993 993 </P><P>object network Server465</P><P>nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 465 465 </P><P>object network Server80</P><P>nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp www www </P><P>object network Company-LAN-Inside</P><P>nat (Inside,Inside) dynamic interface</P><P>object network Server25</P><P>nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp smtp smtp </P><P>route Outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.17 1</P> Mon, 11 Mar 2019 23:43:50 GMT https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021641#M400655 fredrik.lundqvist 2019-03-11T23:43:50Z https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021642#M400656 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Think your NAT configuration regarding SMTP only applies to the connections taken from outside with destination port TCP/25 and not to connections taken by the SMTP server with destination port TCP/25</P><P></P><P>Haven't had to do much of these configurations. I guess with the old OS NAT commands it would be easier (Policy NAT)</P><P></P><P>I can try to lab this later and provide the correct configuration. Unless someone else can already copy/paste some example for you.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 20 Aug 2012 08:20:36 GMT https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021642#M400656 Jouni Forss 2012-08-20T08:20:36Z https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021643#M400657 <HTML><HEAD></HEAD><BODY><P>I thought (any,any) would handle connections from both outside and inside interface.</P><P>How would a network object NAT that handles traffic both ways look?</P><P></P><P>- Fredrik</P></BODY></HTML> Mon, 20 Aug 2012 08:59:24 GMT https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021643#M400657 fredrik.lundqvist 2012-08-20T08:59:24Z https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021644#M400658 <HTML><HEAD></HEAD><BODY><P>Gah, too tired. Will write the reply again</P><P></P><P>EDIT: removed the actual answer since there was errors there</P></BODY></HTML> Mon, 20 Aug 2012 09:09:54 GMT https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021644#M400658 Jouni Forss 2012-08-20T09:09:54Z https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021645#M400659 <HTML><HEAD></HEAD><BODY><P>Ok,</P><P></P><P>So lets look at this again. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> </P><P></P><P>I guess you have a .20 IP address on the firewall outside interface and the .18 IP address as an additional IP address and you have used port forwarding to forward ports to different LAN IP addresses? In other words the SMTP server doesnt have its own public IP address?</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 20 Aug 2012 09:22:20 GMT https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021645#M400659 Jouni Forss 2012-08-20T09:22:20Z https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021646#M400660 <HTML><HEAD></HEAD><BODY><P> That's correct, the SMTP-server does not have it's own public IP.</P><P></P><P>- Fredrik</P></BODY></HTML> Mon, 20 Aug 2012 09:45:21 GMT https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021646#M400660 fredrik.lundqvist 2012-08-20T09:45:21Z https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021647#M400661 <HTML><HEAD></HEAD><BODY><P>Ok,</P><P></P><P>Attempt Number 2.</P><P></P><P>Heres my test configurations.</P><P></P><UL><LI>First 2 "object network" configurations define port forwards for connections coming from Internet to the local servers. (HTTPS there just to simulate your other port forwards)</LI><LI>The following 2 "object network/service" configurations are configured to be used in the actual NAT configuration that would in your case NAT the outbound TCP/25/SMTP traffic to the desired public IP address</LI><LI>The last NAT configuration can be considered a default PAT configuration for all the outbound connections that dont have a specific NAT configuration</LI></UL><P></P><P></P><P><STRONG>object network SMTP-SERVER</STRONG></P><P><STRONG> host 10.10.10.123</STRONG></P><P><STRONG> nat (inside,outside) static 1.2.3.4 service tcp smtp smtp</STRONG></P><P></P><P><STRONG>object network HTTPS-SERVER</STRONG></P><P><STRONG> host 10.10.10.124</STRONG></P><P><STRONG> nat (inside,outside) static 1.2.3.4 service tcp https https</STRONG></P><P></P><P></P><P><STRONG>object network SMTP-SERVER-PUBLIC</STRONG></P><P><STRONG> host 1.2.3.4</STRONG></P><P></P><P><STRONG>object service SMTP</STRONG></P><P><STRONG> service tcp destination eq smtp</STRONG></P><P></P><P><STRONG>nat (inside,outside) source static SMTP-SERVER SMTP-SERVER-PUBLIC service SMTP SMTP</STRONG></P><P></P><P><STRONG>nat (inside,outside) after-auto source dynamic any interface</STRONG></P><P></P><P></P><P>I guess you could try your own version of the above. To be honest the actual configuration that does the NAT for outbound SMTP traffic isnt that clear to me either. Should cheat and check the command reference myself. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>I'm not 100% sure if the above NAT configuration might conflict with some future configuration in its current form.</P><P></P><P>Hope this helps</P><P></P><P>- Jouni</P><P></P><P>EDIT: If you havent already used, you can use "packet-tracer" command to check whats happening with NAT before and after the configurations. And ofcourse "show xlate" etc.</P></BODY></HTML> Mon, 20 Aug 2012 10:16:13 GMT https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021647#M400661 Jouni Forss 2012-08-20T10:16:13Z https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021648#M400662 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Were you able to test this?</P></BODY></HTML> Mon, 20 Aug 2012 12:03:52 GMT https://community.cisco.com/t5/network-security/asa-8-4-network-object-nat-ordering/m-p/2021648#M400662 Jouni Forss 2012-08-20T12:03:52Z