even I changed to

static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_1

smtp netmask 255.255.255.255

I overlapped another rule static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

How to fix then?

And you please share the ip address of those names.

Need to understand/know what the ip address is exactly for all those names. Thanks.

"sh run name" output would do. Thanks.

Here is part of sh run output

asdm image disk0:/asdm521.bin
no asdm history enable
: Saved
:
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
name xx.xx.xx.102 PCCW_Pri_Webmail

name xx.xx.xx.103 PCCW_Sec_Webmail

name xx.xx.xx.104 PCCW_Pri_SMTP

name xx.xx.yy.150 PCCW_Sec_SMTP

name 172.16.0.16 DMZ_FTP

name 172.16.0.253 DMZ_IronPort
name 172.16.0.25 DMZ_MS01

name 192.168.10.25 LAN_MS02

name 172.16.0.252 DMZ_IronPort_2

name xx.xx.yy.151 PCCW_FTP

!
interface Ethernet0/0
nameif LAN
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/1
nameif WAN
security-level 0
ip address xx.xx.xx.101 255.255.255.248
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 172.16.0.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!

ftp mode passive
dns domain-lookup LAN
dns domain-lookup WAN
dns domain-lookup DMZ
dns server-group DNS
name-server 192.168.10.21
name-server 210.87.253.48
dns server-group DefaultDNS
domain-name default.domain.invalid

ip local pool VPNpool 192.168.20.1-192.168.20.10 mask 255.255.255.0
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 192.168.10.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 1 172.16.0.0 255.255.255.0
nat (management) 0 0.0.0.0 0.0.0.0
static (LAN,WAN) tcp PCCW_Pri_SMTP ftp LAN_MS02 ftp netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP ssh LAN_MS02 ssh netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP 27 LAN_MS02 27 netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP domain LAN_MS02 domain netmask 255.255.255.255
static (LAN,WAN) udp PCCW_Pri_SMTP domain LAN_MS02 domain netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP www LAN_MS02 www netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Sec_SMTP 2525 LAN_MS02 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_Webmail https DMZ_MS01 https netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP ftp DMZ_MS01 ftp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP ssh DMZ_MS01 ssh netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP 27 DMZ_MS01 27 netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP domain DMZ_MS01 domain netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP www DMZ_MS01 www netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_FTP ftp DMZ_FTP ftp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
static (LAN,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (DMZ,LAN) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255
access-group LAN_access_in in interface LAN
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
access-group DMZ_access_in in interface DMZ

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

!
!

Thanks.

Thanks for that, but I couldn't find DMZ_IronPort_1 name under the posted configuration.

You were saying that:

static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_1 smtp netmask 255.255.255.255

overlapped another rule static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

If I convert those 2 static NAT lines to use ip address instead of name, here is what I got:

also assuming that "DMZ_IronPort_1" is "DMZ_IronPort" based on your posted configuration because i can't find "DMZ_IronPort_1"

static (DMZ,WAN) tcp xx.xx.xx.104 smtp 172.16.0.253 smtp netmask 255.255.255.255

static (LAN,WAN) xx.xx.yy.150 192.168.10.25 netmask 255.255.255.255

Those 2 static NAT shouldn't overlap as they are referring to different ip address. I would suggest that you configure the static NAT with ip address instead of name as it would be confusing sometimes with names.

Sorry for missing the info. Actually, the ip of DMZ_IronPort_1 is 172.16.0.252.

I changed the NAT rule from ADSM instead of Command Line. I still get the same problem. Thanks.

Yes, that is the issue.

Currently 172.16.0.252 has been assigned to DMZ_IronPort_2 base on your naming configuration:

name 172.16.0.252 DMZ_IronPort_2

I am sorry that. May be there is the typo. Pls replace the DMZ_IronPort_2 with DMZ_Iron_Port_1 Thanks.

DMZ_IronPort_1

Ok, it is confusing now.

You already have the following configured:

static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255

and I believe this is what you are trying to configure.

It is already in your configuration.

Since there is the typo

Let me claify it

The original rule is

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

and I would like to change it to

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255

And I got the overlapping error. Sorry for the confusing. Thanks.

Pls ignore the previous 2 msg

The actual comman should be this

static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255

overlapped another rule static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

After I entered it, I got the overlapping error. Thanks and sorry for making you confused.