CANNOT PING THE PUBLIC IP OF NAT'ed SERVER

Jesutofunmi O
Level 1

Hey Guys, 

 

So I use an ASA FW 5515x. On this, I NAT'ed my Exchange Server out, specifying the ports also. More like a PAT. However, I am unable to ping the public IP (Outside Address) of the Exchange Server from outside. Traceroute works. Hits it. I just want it to echo-reply. What do you guys think the problem could be please? I have disabled the Exchange firewalls.


6 Replies

balaji.bandi
Hall of Fame

When you get a chance, can you post the configuration and packet trace results?

BB


Rahul Govindan
VIP Alumni

Can you share the NAT and ACL config that you added for this server?

 

Also, why add specific ports to NAT if you want to allow ICMP?

Hello Rahul/Balaji

 

Please see config below. My worries are two:

1. I added specific ports so as not to open all ports. However, I had tried to allow ICMP both on the NAT statement and the ACL, but my ASA does not give me that option. Seems to me like I'd have to change the whole config to allow all ports by NOT specifying any ports. What do you think please?

 

2. Because 192.168.0.7 (Exchange LAN IP) is already part of a dynamic NAT, mails are going out with the IP address of my ASA's Outside interface instead of the NAT'ed public IP. To explain further, for example, my Outside interface has IP address 1.1.1.1/29, and I had NAT'ed my Exchange Server (192.168.0.7) to 1.1.1.2/29. Because 192.168.0.7/24 is already part of a dynamic NAT, mails are going out via 1.1.1.1/29 and are coming in via 1.1.1.2/29. I want mails to go out through the NAT'ed IP and also come in through the NAT'ed IP.

 

 

interface GigabitEthernet0/0
description ###Internet Link###
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.248

access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server25 eq smtp
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server443 eq https
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server587 eq 587
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server993 eq 993
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server995 eq 995
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server995 eq pop3

object network Outside_Exchange_Server
host xx.xx.xx.xx
object network Office_5
object network Exchange_Server25
host 192.168.0.7
object network Exchange_Server443
host 192.168.0.7
object network Exchange_Server587
host 192.168.0.7
object network Exchange_Server993
host 192.168.0.7
object network Exchange_Server995
host 192.168.0.7
object network Exchange_Server110
host 192.168.0.7


object network Exchange_Server25
nat (INSIDE,outside) static Outside_Exchange_Server service tcp smtp smtp
object network Exchange_Server443
nat (INSIDE,outside) static Outside_Exchange_Server service tcp https https
object network Exchange_Server587
nat (INSIDE,outside) static Outside_Exchange_Server service tcp 587 587
object network Exchange_Server993
nat (INSIDE,outside) static Outside_Exchange_Server service tcp 993 993
object network Exchange_Server995
nat (INSIDE,outside) static Outside_Exchange_Server service tcp 995 995
object network Exchange_Server110
nat (INSIDE,outside) static Outside_Exchange_Server service tcp pop3 pop3


access-group ExchangeServerOutsideIn in interface outside

1) Your NAT and ACL config looks correct. However you cannot create a NAT for icmp since there are no ports that you can translate. You can do a 1-1 static NAT for your exchange server and then only allow the ports required/icmp to the server from the outside. NAT is used for translation while ACL is used to allow/block inbound requests. Your statements would be:

 

object network Exchange_Server
host 192.168.0.7

nat (INSIDE,outside) static Outside_Exchange_Server

 

access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server eq smtp
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server eq https
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server eq 587
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server eq 993
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server eq 995
access-list ExchangeServerOutsideIn extended permit tcp any object Exchange_Server eq pop3

access-list ExchangeServerOutsideIn extended permit icmp any object Exchange_Server

 

2) The above should also fix this. If your dynamic NAT rules are located below your static one in order of configuration, you should be ok. 

That is exactly what I would recommend.

Hello Rahul, 

Thank you so much. The two issues have been resolved by your proffered solution. One or two questions and observations:

 

1. My static NAT is AFTER the dynamic NAT and yet the Exchange Server NAT'ed address is working. NOT the outside address of the ASA (this is what I wanted though). I am just referring to your statement (The above should also fix this. If your dynamic NAT rules are located below your static one in order of configuration).

 

2. After I removed the NAT statements that specified the ports and just did a single static NAT, I was able to send mails out with the NAT'ed IP as against the IP of the dynamic NAT the Exchange Server is part of.

 

3. It is safe to conclude that my ICMP did not work because I was trying to allow ICMP in my NAT statement instead of my access-list.

 

Thanks once again.

cheers
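The behaviour behind Rahul's accepted answer and the follow-up observations above, as an added example that is not part of the thread or any Cisco tooling: a small model of how the ASA selects a network-object (auto) NAT rule. It assumes the thread's illustrative addresses (1.1.1.1 for the outside interface, 1.1.1.2 for the Exchange mapping) and models the section-2 lookup order (static rules before dynamic, then fewest real addresses first, regardless of configuration order). It reproduces both symptoms: a "service tcp ..." static rule never matches an ICMP echo, and it also never matches an outbound SMTP session, whose source port is ephemeral, so that traffic falls through to the dynamic PAT on the interface address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class NatRule:
    name: str
    real: str                        # real (inside) host or network
    mapped: str                      # mapped (outside) address
    static: bool                     # False = dynamic PAT to the outside interface
    service: Optional[tuple] = None  # (proto, real-side port) of a port-specific static rule

def order_rules(rules):
    """Auto-NAT lookup order: static before dynamic, then fewest real addresses
    first; the order in which the rules were configured does not matter."""
    return sorted(rules, key=lambda r: (not r.static, ip_network(r.real).num_addresses, r.name))

def outbound_mapped_ip(rules, src_ip, proto, sport):
    """Mapped address an inside-initiated flow is sourced from. A port-specific static
    rule only matches when the real host's SOURCE port equals the service port, so an
    outbound SMTP session (ephemeral source port) falls through to dynamic PAT."""
    for r in order_rules(rules):
        if ip_address(src_ip) not in ip_network(r.real):
            continue
        if r.service is not None and r.service != (proto, sport):
            continue
        return r.mapped
    return None

def inbound_real_ip(rules, mapped_ip, proto, dport):
    """Real address an outside-initiated flow to mapped_ip is untranslated to, or None
    when no static rule covers it (dynamic PAT never admits inbound-initiated flows).
    ICMP echo carries no port, so a 'service tcp ...' rule can never match it."""
    for r in order_rules(rules):
        if not r.static or r.mapped != mapped_ip:
            continue
        if r.service is not None and r.service != (proto, dport):
            continue
        return str(ip_network(r.real).network_address)
    return None

# Constructed rule sets mirroring the thread (assumed addresses, dynamic rule listed first).
DYNAMIC = NatRule("Office_5", "192.168.0.0/24", "1.1.1.1", static=False)
PORT_PAT = [DYNAMIC] + [
    NatRule(f"Exchange_Server{p}", "192.168.0.7/32", "1.1.1.2", True, ("tcp", p))
    for p in (25, 443, 587, 993, 995, 110)]
ONE_TO_ONE = [DYNAMIC, NatRule("Exchange_Server", "192.168.0.7/32", "1.1.1.2", True)]
```

The model covers translation only; with the 1-to-1 rule in place, inbound ICMP still needs the permit icmp line in the ACL applied to the outside interface.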

 
