How to configure ASA 5512 (9.2) to allow mail server SMTP?


Hi,

Scenario: mail server in the inside network.

Mail server IP address: 10.34.1.10, NAT IP: 201.1.1.5

Configured access list and object network:

object network obj-10.34.1.10 
 host 10.34.1.10

object-group service tcp_lotusnotesgrp tcp
 port-object eq www
 port-object eq lotusnotes
 port-object eq smtp
 port-object eq imap4
 port-object eq https

access-list outside_access_in extended permit tcp any host 124.106.85.165 object-group tcp_lotusnotesgrp

object network obj-10.34.1.10
 nat (inside,outside) static 201.1.1.5

any idea?


The outside ACL is using a (different) public IP. There you have to use the real IP:

access-list outside_access_in extended permit tcp any object obj-10.34.1.10 object-group tcp_lotusnotesgrp

Hi,

I think it's still the same, because when I scan my public IP using "Whatismyipaddress" I'm using the assigned IP of our outside interface, not the public address specific for the email server.

thanks

> I think it's still the same, because when I scan my public IP using "Whatismyipaddress" I'm using the assigned IP of our outside interface, not the public address specific for the email server.

That's the result of the rest of your config. Still, the config for your mail-server needs to be correct. If you do that from the server, issue a "clear xlate local 10.34.1.10" to make sure the server uses a new translation.

Nothing's changed, but I can ping 201.1.1.5 (the specific IP assigned to the mail server).

But SMTP and the others are not working. Thanks

It's not translating.

Please share your config to see if there is something else wrong.

Some of the config:

object network obj-10.34.31.12
 host 10.34.31.12
 description Domino Server

object-group service tcp_lotusnotesgrp tcp
 port-object eq www
 port-object eq lotusnotes
 port-object eq smtp
 port-object eq imap4
 port-object eq https
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object icmp
 protocol-object icmp6
object-group service DM_INLINE_SERVICE_1
 service-object object UDP_18001
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_4
 service-object icmp
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq imap4
 service-object tcp destination eq lotusnotes
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp

access-list nonat extended permit ip 10.34.63.0 255.255.255.0 10.34.17.0 255.255.255.0
access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_4 any object obj-10.34.31.221

nat (inside,outside) source dynamic any interface dns

 nat (inside,outside) static 111.11.22.123


policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class class-default
  user-statistics accounting

The order of your NAT statements is incorrect. The dynamic NAT/PAT needs to be done after the static NATs:

no nat (inside,outside) source dynamic any interface dns
nat (inside,outside) after-auto source dynamic any interface

Thanks man now It's working and it has been translated.

Do we always need to use dynamic before NAT to translate? Thanks

As a rule of thumb, the dynamic NAT/PAT rules always have to come last (that's the reason I always put them in NAT section 3, "after-auto"). The server NATs (like your Lotus) are configured as object NAT, which is NAT section 2. In the first section (that's the section where your dynamic rule was), all exemptions are configured, for example for VPNs where traffic shouldn't be translated.
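Pulling the corrections from this thread together, here is an added example that is not from any poster here: the NAT and access-list layout for the original scenario (inside 10.34.1.10, public 201.1.1.5) with each rule in the NAT section described above, plus the commands used to verify it. It assumes the interface names are inside/outside, the ACL is bound to the outside interface with access-group, and the packet-tracer source address is a constructed test address.

```cisco
! Added example, not the poster's running config.
! Section 2 (object / auto NAT): one-to-one static for the mail server
object network obj-10.34.1.10
 host 10.34.1.10
 nat (inside,outside) static 201.1.1.5

! Only the ports the server must accept from the outside
object-group service tcp_lotusnotesgrp tcp
 port-object eq smtp
 port-object eq imap4
 port-object eq https
 port-object eq lotusnotes
 port-object eq www

! Post-8.3 ACLs reference the real (untranslated) address, not the public one
access-list outside_access_in extended permit tcp any object obj-10.34.1.10 object-group tcp_lotusnotesgrp
access-group outside_access_in in interface outside

! Section 3 (after-auto): the catch-all dynamic PAT goes last, so it
! can no longer shadow the static object NAT above
nat (inside,outside) after-auto source dynamic any interface

! Verification: the static rule must be listed under Section 2 and the PAT under Section 3
show nat

! Drop the server's old translation and confirm it now uses 201.1.1.5, not the interface IP
clear xlate local 10.34.1.10
show xlate local 10.34.1.10

! Simulate inbound SMTP from a constructed test address (TEST-NET-3) to the public IP;
! the trace should show the untranslate to 10.34.1.10 and an ALLOW result
packet-tracer input outside tcp 203.0.113.50 40000 201.1.1.5 25
```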

Thank you. But is there any other way if I want to translate it?

Hi karsten,

I would like to ask how to translate/permit a specific host on the firewall.

On 8.2 I used nat (inside) 1 ipofhost and subnet.

On 9.2 it is not working?

Do I need to create a network object for the specific address to be allowed?

Please see the attached file. Thank you
