If you want to make sure that the above NAT rule is matched before any other NAT rule on the firewall then you could use this command instead of the above one

nat (inside,outside) 1 source dynamic SOURCE-ADDRESSES NAT-IP

Basicly what I did was only remove the "after-auto" parameter. With "after-auto" parameter the rule is moved to Section 3 (of 1 - 3) of the NAT rules. Without it its inserted in Section 1, which makes it one of the first NAT rules matches against connections/traffic.

In addition to have the number "1" there means that the NAT rule is inserted at the very top of the NAT rules of Section 1. It wont remove any existing rules there. It will just be on top of them.

If you have some NAT0 rules for VPN for these source addresses THEN I would suggest to insert it WITHOUT the line number or it might break the NAT0 rule previously configured for VPN. (Since it would be matched for traffic source from these hosts to any host on the "outside" and being line number 1 would override any other rule between "inside" and "outside")

- Jouni

Thank you, I will give it a try and post back .

Update, so I was able to configure it like that however next issue I ran into was that I was seeing a whole bunch of denies from the google postini servers trying to communicate with the NATed public IP, so seems like I might have to utilize additional public IP address.....?    

So I ended up doing something like this:

object network NAT1

host 192.168.0.3

nat (inside,outside) static 1.1.1.1

!

object network NAT2

HOST 192.168.0.6

nat (inside,outside) static 1.1.1.1

So now both email servers inbound and outbound are using the same non RFC1918 IP for the outside world.  Is this a best practice though?  I think it would be better to have two different public IP's instead and in case of two mail servers arrange the mapping accordingly like:

mail1.yourdomain.com --> 192.168.0.3 --> 1.1.1.1 (inbound mail)

mail2.yourdomain.com --> 192.168.0.6 --> 1.1.1.2 (outbound mail)

Thank you for the email, so here is what the servers are doing....

192.168.0.3 --> E Mail comes in to this server

192.168.0.6 --> Sends E Mail out this is Ciscos Iron Port device.

Thank you for the reply and my apologies for not elaborating more.  Yes that is what I was trying to do.  I did what you suggested but there is an issue with that configuration because we have a PAT setup so if I do after auto then the NAT rule comes after that PAT for all the outbound internet traffic and it does not work.

If I remove after auto and just use 1 then it puts it all the way on the top and then the incoming mail does not reach us.  So here is what I did:

object-group network Email_InOut

network-object host 192.168.0.3

network-object host 192.168.0.6

exit

object network obj-1.1.1.1

host 1.1.1.1

exit

nat (inside,outside) after-auto 1 source dynamic Email_InOut obj-1.1.1.1 (did not use this)

object network Inbound_Email

host 192.168.0.3

nat (inside,outside) static 1.1.1.1 service tcp 25 25

exit

object network IronPort

host 192.168.0.6

nat (inside,outside) static 1.1.1.1

Hi,

Yeah, since we dont see the full NAT configuration we wont know how the current existing configuration affects what we are trying to achieve.

The reason why I personally suggest configuring Network Object NAT for the Static PAT / Port Forward AND Twice NAT/Manual NAT type of configuration for the Dynamic PAT is how I personally order the NAT rules in my configurations

• Static PAT and Static NAT always as Network Object NAT (Section 2)
• Default Dynamic PAT/NAT always as Twice NAT / Manual NAT (Usually Section 3 in special cases Section 1)
• Special NAT setups like NAT0 and Policy NAT/PAT type configurations as Twice NAT / Manual NAT (Section 1)

Naturally Static PAT and Static NAT can be done in the Section 1 also but I prefer keeping strict roles for every Section and so far it has worked for me.

I wrote a NAT 8.3+ Document which pretty much states the way I configure and section the different type of configurations. Have a look if you want. Will probably add a lot more information to it later

https://supportforums.cisco.com/docs/DOC-31116

To me it seems the NAT configuration ordering/sectioning is causing the problems why the suggest configurations dont work. The existing configurations is set up so that it overrides the configurations suggested.

Glad to hear you got it working though

- Jouni

Yes you are right the existing NAT configuration was causing the issue so I had to modify it a bit but it seems to be working.  Thank you for the document link, good read.  I have saved it

Hello Mohammad,

Exactly, the configuration I sent will do it

Regards