02-15-2011 04:39 PM - edited 03-11-2019 12:51 PM
I've got a Network object rule to NAT my mail filter address based on SMTP. It is not set up by IP because I have a mail server and filter sharing the same outside address and need SMTP to go to the mail filter and HTTP/HTTPS to the mail server. My problem is that the outbound NATing of the mail filter is not working, because it wants to match it against SMTP and the source port is random; hence the reverse lookup is getting the wrong IP (global NAT instead of static). Not sure if I'm setting this up right, but Network object was the only way I could see to NAT based on port. Any help is greatly appreciated and thanks in advance.
02-15-2011 05:27 PM
Hi,
Can you please post your NAT config? (Replace public with random no.)
Manish
02-16-2011 09:43 AM
I used the following link as an example: http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1140516
So my Network Object NAT statements look like the examples, with the exception of HTTP in place of FTP. Incoming works fine: the port gets identified and translated accordingly. It's the outgoing that is the problem. I'm wondering if I need to use Twice NAT.
object network Mail_Filter
 nat (inside,outside) static x.x.x.x service tcp smtp smtp
object network Mail_Server_HTTPS
 nat (inside,outside) static x.x.x.x service tcp https https
object network Mail_Server_HTTP
 nat (inside,outside) static x.x.x.x service tcp www www
02-16-2011 11:14 AM
I don't think that is possible (unless someone has a better workaround). I think you are better off using a static NAT for your SMTP server to a different IP address so that it picks up that NAT IP either way.
Manish
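The behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model (an assumption, not ASA code) of how a port-specific static rule misses connections the mail filter initiates from a random source port, and how a one-to-one static NAT to a separate address matches either way. All addresses and names are constructed.

```python
# Simplified model (an assumption, not ASA source code) of source translation
# for packets leaving the inside interface. All addresses are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StaticRule:
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None  # None = full static NAT, every port

SHARED_IP = "192.0.2.10"     # outside address shared by filter and server
DEDICATED_IP = "192.0.2.11"  # separate outside address for the mail filter
GLOBAL_PAT_IP = "192.0.2.1"  # dynamic PAT address used by everything else
MAIL_FILTER = "10.0.0.25"
MAIL_SERVER = "10.0.0.80"

# The thread's three port-specific object NAT rules.
PORT_BASED = [
    StaticRule(MAIL_FILTER, SHARED_IP, 25),
    StaticRule(MAIL_SERVER, SHARED_IP, 443),
    StaticRule(MAIL_SERVER, SHARED_IP, 80),
]
# The suggested change: one-to-one static NAT for the mail filter.
DEDICATED = [StaticRule(MAIL_FILTER, DEDICATED_IP)] + PORT_BASED[1:]

def outbound_source_ip(rules, src_ip, src_port):
    """Return the outside address a packet from src_ip:src_port leaves with."""
    for rule in rules:
        if rule.real_ip == src_ip and rule.real_port in (None, src_port):
            return rule.mapped_ip
    return GLOBAL_PAT_IP  # no static rule matched

if __name__ == "__main__":
    for name, rules in (("port-based", PORT_BASED), ("dedicated", DEDICATED)):
        reply = outbound_source_ip(rules, MAIL_FILTER, 25)   # reply to inbound SMTP
        new = outbound_source_ip(rules, MAIL_FILTER, 51514)  # filter sends mail out
        print(f"{name}: reply from :25 -> {reply}, new connection -> {new}")
```

When outbound mail leaves from the global PAT address instead of the published one, receiving servers that compare the connecting IP against SPF or reverse DNS records may reject or flag it, which is why the mismatch matters beyond routing.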