ASA 8.4 Network Object NAT ordering


There is something wrong with the ordering of our NAT rules.

We are running ASA Version 8.4(2)8 and the NAT config is pasted below.

I want outgoing SMTP traffic to be translated to xxx.yyy.zzz.18, but instead it's translated to xxx.yyy.zzz.20 (the outside-interface address).

The same goes for FTP traffic; according to packet-tracer this is also translated to xxx.yyy.zzz.20.

Cisco's manual states that static NAT rules take precedence over dynamic NAT, but that doesn't seem to work for us.

Can you guys see anything wrong with the config below?

nat (Outside,Inside) source static Company-VPN Company-VPN

object network Company-LAN
 nat (any,Outside) dynamic interface
object network Server21
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp ftp ftp
object network Server55443
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 55443 55443
object network Server443
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp https https
object network Server993
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 993 993
object network Server465
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 465 465
object network Server80
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp www www
object network Company-LAN-Inside
 nat (Inside,Inside) dynamic interface
object network Server25
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp smtp smtp

route Outside xxx.yyy.zzz.17 1

Jouni Forss


I think your NAT configuration regarding SMTP only applies to connections made from the outside with destination port TCP/25, and not to connections made by the SMTP server with destination port TCP/25.

I haven't had to do many of these configurations. I guess with the old OS NAT commands it would be easier (Policy NAT).

I can try to lab this later and provide the correct configuration, unless someone else can already copy/paste an example for you.

- Jouni

I thought (any,any) would handle connections from both the outside and the inside interface.

How would a network object NAT that handles traffic both ways look?

- Fredrik

Gah, too tired. Will write the reply again.

EDIT: removed the actual answer since there were errors in it.


So let's look at this again.

I guess you have the .20 IP address on the firewall's outside interface and the .18 IP address as an additional IP address, and you have used port forwarding to forward ports to different LAN IP addresses? In other words, the SMTP server doesn't have its own public IP address?

- Jouni

That's correct, the SMTP server does not have its own public IP.

- Fredrik


Attempt Number 2.

Here are my test configurations.

  • The first 2 "object network" configurations define port forwards for connections coming from the Internet to the local servers. (HTTPS is there just to simulate your other port forwards.)
  • The following 2 "object network/service" configurations are used by the actual NAT configuration that would, in your case, NAT the outbound TCP/25 (SMTP) traffic to the desired public IP address.
  • The last NAT configuration can be considered a default PAT configuration for all the outbound connections that don't have a specific NAT configuration.

object network SMTP-SERVER
 nat (inside,outside) static service tcp smtp smtp

object network HTTPS-SERVER
 nat (inside,outside) static service tcp https https

object network SMTP-SERVER-PUBLIC

object service SMTP
 service tcp destination eq smtp

nat (inside,outside) source static SMTP-SERVER SMTP-SERVER-PUBLIC service SMTP SMTP
nat (inside,outside) after-auto source dynamic any interface

I guess you could try your own version of the above. To be honest, the actual configuration that does the NAT for outbound SMTP traffic isn't that clear to me either. I should cheat and check the command reference myself.

I'm not 100% sure whether the above NAT configuration might conflict with some future configuration in its current form.

Hope this helps

- Jouni

EDIT: If you haven't already, you can use the "packet-tracer" command to check what's happening with NAT before and after the configuration changes. And of course "show xlate" etc.
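Jouni's point about the object NAT matching only the server's own port 25, and the section-1 twice NAT in the test configuration above, can be illustrated with a small model of how the ASA walks its NAT table. This is an added example, not code from the thread or from Cisco; it uses constructed addresses (203.0.113.20 standing in for the .20 outside interface, 203.0.113.18 for .18, 10.0.0.25 for the SMTP server, 10.0.0.0/24 for the LAN) and ignores interface pairs and inbound flows.

```python
import ipaddress

# Constructed stand-ins for the thread's obfuscated addresses.
OUTSIDE_IF = "203.0.113.20"  # xxx.yyy.zzz.20, the outside interface
PUBLIC_18 = "203.0.113.18"   # xxx.yyy.zzz.18, the extra public address
LAN, SERVER = "10.0.0.0/24", "10.0.0.25/32"  # assumed inside LAN and SMTP server

def rule(section, name, real, mapped, kind="static", src_port=None, dst_port=None):
    """One NAT rule. src_port models object NAT 'service tcp smtp smtp': the real
    port is the server's own port, i.e. the *source* port on outbound flows.
    dst_port models a twice NAT service object 'service tcp destination eq smtp'."""
    return dict(section=section, name=name, real=ipaddress.ip_network(real),
                mapped=mapped, kind=kind, src_port=src_port, dst_port=dst_port)

def ordered(rules):
    """Section 1 (manual NAT) and 3 (after-auto) keep config order; section 2
    (object NAT) is re-sorted by the ASA: static before dynamic, fewer real
    addresses first, then lowest real address, then object name."""
    sec = lambda n: [r for r in rules if r["section"] == n]
    sec2 = sorted(sec(2), key=lambda r: (r["kind"] != "static",
                  r["real"].num_addresses, int(r["real"].network_address), r["name"]))
    return sec(1) + sec2 + sec(3)

def translate_source(rules, src_ip, src_port, dst_port):
    """First matching rule wins; returns (mapped source address, rule name)."""
    for r in ordered(rules):
        if ipaddress.ip_address(src_ip) not in r["real"]:
            continue
        if r["src_port"] is not None and r["src_port"] != src_port:
            continue
        if r["dst_port"] is not None and r["dst_port"] != dst_port:
            continue
        return r["mapped"], r["name"]
    return src_ip, "no-nat"

# Fredrik's layout: object NAT port forward plus object NAT dynamic PAT (both section 2).
ORIGINAL = [
    rule(2, "Company-LAN", LAN, OUTSIDE_IF, kind="dynamic"),
    rule(2, "Server25", SERVER, PUBLIC_18, src_port=25),
]
# Jouni's layout: twice NAT on destination port 25 in section 1, PAT moved to section 3.
FIXED = [
    rule(1, "SMTP-SERVER->PUBLIC", SERVER, PUBLIC_18, dst_port=25),
    rule(2, "SMTP-SERVER", SERVER, PUBLIC_18, src_port=25),
    rule(3, "after-auto PAT", "0.0.0.0/0", OUTSIDE_IF, kind="dynamic"),
]
if __name__ == "__main__":
    # Outbound mail from the server: ephemeral source port, destination port 25.
    print(translate_source(ORIGINAL, "10.0.0.25", 51234, 25))  # PAT to .20, as observed
    print(translate_source(FIXED, "10.0.0.25", 51234, 25))     # static to .18
```

The static Server25 rule does sort ahead of the dynamic PAT in section 2, as the manual says, but it never matches an outbound connection because the server's source port is ephemeral rather than 25.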


Were you able to test this?