There is something wrong with the ordering of our NAT-rules.
We are running ASA Version 8.4(2)8 and the NAT config is pasted below.
I want outgoing SMTP traffic to be translated to xxx.yyy.zzz.18, but instead it's translated to xxx.yyy.zzz.20 (the outside-interface address).
The same goes for FTP traffic; according to packet-tracer this is also translated to xxx.yyy.zzz.20.
Cisco's manual states that static NAT rules take precedence over dynamic NAT, but that doesn't seem to work for us.
Can you guys see anything wrong with the config below?
nat (Outside,Inside) source static Company-VPN Company-VPN
object network Company-LAN
 nat (any,Outside) dynamic interface
object network Server21
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp ftp ftp
object network Server55443
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 55443 55443
object network Server443
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp https https
object network Server993
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 993 993
object network Server465
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 465 465
object network Server80
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp www www
object network Company-LAN-Inside
 nat (Inside,Inside) dynamic interface
object network Server25
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp smtp smtp
route Outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.17 1
I think your NAT configuration regarding SMTP only applies to connections coming from the outside with destination port TCP/25, and not to connections initiated by the SMTP server with destination port TCP/25.
I haven't had to do many of these configurations. I guess it would be easier with the old OS NAT commands (policy NAT).
I can try to lab this later and provide the correct configuration. Unless someone else can already copy/paste some example for you.
I thought (any,any) would handle connections from both outside and inside interface.
How would a network object NAT that handles traffic both ways look?
So let's look at this again.
I guess you have a .20 IP address on the firewall outside interface and the .18 IP address as an additional IP address, and you have used port forwarding to forward ports to different LAN IP addresses? In other words, the SMTP server doesn't have its own public IP address?
Attempt number 2.
Here's my test configuration.
object network SMTP-SERVER
 nat (inside,outside) static 220.127.116.11 service tcp smtp smtp
object network HTTPS-SERVER
 nat (inside,outside) static 18.104.22.168 service tcp https https
object network SMTP-SERVER-PUBLIC
object service SMTP
 service tcp destination eq smtp
nat (inside,outside) source static SMTP-SERVER SMTP-SERVER-PUBLIC service SMTP SMTP
nat (inside,outside) after-auto source dynamic any interface
I guess you could try your own version of the above. To be honest, the actual configuration that does the NAT for outbound SMTP traffic isn't that clear to me either. I should cheat and check the command reference myself.
I'm not 100% sure whether the above NAT configuration might conflict with some future configuration in its current form.
Hope this helps.
EDIT: If you haven't already used it, you can use the "packet-tracer" command to check what's happening with NAT before and after the configuration changes. And of course "show xlate" etc.
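As an added illustration (not from the thread or from Cisco), the small Python model below walks a connection through the ASA 8.4 NAT sections in order and shows why the posted object NAT rule with "service tcp smtp smtp" is skipped for connections the mail server itself opens: the port in that rule is the real host's own port, and an outbound connection uses an ephemeral source port, so the lookup falls through to the Company-LAN dynamic interface rule. The addresses (192.0.2.18/.20, 10.0.0.0/24, 10.0.0.25) are constructed stand-ins for the masked values, and the "fixed" rule set models a Section 1 source static rule for the server without a service restriction; the reply's variant with a service object is left as posted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses standing in for the thread's xxx.yyy.zzz.18/.20 and LAN.
PUBLIC_18 = "192.0.2.18"    # additional public address used for the port forwards
OUTSIDE_IF = "192.0.2.20"   # outside interface address
LAN = "10.0.0.0/24"         # Company-LAN
SMTP_SERVER = "10.0.0.25"   # Server25

@dataclass
class Rule:
    section: int                      # 1 = manual NAT, 2 = object NAT, 3 = after-auto
    real: str                         # real (inside) host or network, or "any"
    mapped: str                       # address the source is translated to
    real_port: Optional[int] = None   # set only for static port translation
    static: bool = True

def matches(rule: Rule, src_ip: str, src_port: int) -> bool:
    """Source-NAT match for a connection originated by src_ip:src_port."""
    if rule.real != "any":
        net = ipaddress.ip_network(rule.real, strict=False)
        if ipaddress.ip_address(src_ip) not in net:
            return False
    # 'service tcp smtp smtp' only covers the host's own port 25; an outbound
    # connection uses an ephemeral source port, so the rule does not match.
    return rule.real_port is None or rule.real_port == src_port

def translate(rules: List[Rule], src_ip: str, src_port: int) -> Optional[str]:
    """Walk rules in ASA order: Section 1 (config order), then Section 2
    (static before dynamic; finer tie-breaks omitted), then Section 3."""
    ordered = sorted(enumerate(rules),
                     key=lambda t: (t[1].section, not t[1].static, t[0]))
    for _, rule in ordered:
        if matches(rule, src_ip, src_port):
            return rule.mapped
    return None  # no rule matched: traffic would leave untranslated

# The posted configuration, reduced to the two rules that decide SMTP.
POSTED = [
    Rule(2, LAN, OUTSIDE_IF, static=False),         # Company-LAN: dynamic interface
    Rule(2, SMTP_SERVER, PUBLIC_18, real_port=25),  # Server25: static .18 tcp smtp smtp
]

# Same rules plus a Section 1 manual rule for the server (modelled without a service).
FIXED = [Rule(1, SMTP_SERVER, PUBLIC_18)] + POSTED

if __name__ == "__main__":
    print(translate(POSTED, SMTP_SERVER, 49152))  # outbound SMTP -> 192.0.2.20
    print(translate(FIXED, SMTP_SERVER, 49152))   # outbound SMTP -> 192.0.2.18
```

The same walk is what "packet-tracer input inside tcp <server> 49152 <mailhost> 25" reports in the NAT phase, which is the quickest way to confirm which rule a real box picked.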