ASA Policy Nat 8.3+

jj27
Spotlight

Hi,


I'm having a brainfart here on how to make this work.  Inbound NAT I split SMTP/HTTPS on the same public IP going to different internal hosts.  Outbound, I want any traffic being sent from my inside host for SMTP outbound to anywhere destined for SMTP to NAT to a specific public IP.

In pre-8.3, I would do the following:

access-list policy-nat permit tcp host 10.1.1.10 any eq smtp
nat (inside) 2 access-list policy-nat
global (outside) 2 1.2.3.4

How do I accomplish the same in 8.3+ NAT?

Thanks.

Accepted Solutions

julomban
Level 3

Hello,

The NAT should be like this:

object network obj-10.1.1.10
 host 10.1.1.10
object network obj-1.2.3.4
 host 1.2.3.4
!
object service obj-tcp-eq-25
 service tcp destination eq smtp
!
nat (inside,outside) source dynamic obj-10.1.1.10 obj-1.2.3.4 service obj-tcp-eq-25 obj-tcp-eq-25

Hope it helps,

Juan Lombana

Please rate helpful posts.
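
One way to confirm the rule above matches only outbound SMTP from 10.1.1.10, as an added check that is not part of the original posts. The destination 203.0.113.25 and source port 1025 are constructed sample values. Because this is a manual (twice) NAT rule, it is evaluated before any object NAT configured for the same host.

```cisco
! Added verification example; 203.0.113.25 and port 1025 are constructed values.
!
! 1. SMTP from the inside host: the NAT phase should match the
!    "source dynamic obj-10.1.1.10 obj-1.2.3.4" rule and show 1.2.3.4.
packet-tracer input inside tcp 10.1.1.10 1025 203.0.113.25 25 detailed
!
! 2. Same host, non-SMTP destination port: the rule above should NOT match;
!    the NAT phase should show whichever other rule covers the host.
packet-tracer input inside tcp 10.1.1.10 1025 203.0.113.25 443 detailed
!
! 3. Rule order and per-rule hit counters (translate_hits / untranslate_hits).
show nat detail
!
! 4. Live translations for the host once real mail traffic is flowing.
show xlate local 10.1.1.10
```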

That worked. Thanks.  First time I've run into having to do this on the new code.

Hey, no worries. I am also taking the opportunity to share with you a very good doc about NAT on 8.3:

https://supportforums.cisco.com/docs/DOC-9129

Regards,

Juan Lombana

Please rate helpful posts.
