Hi, I am looking for help with my NAT configuration on Cisco ASA 5516-x with Firepower services connected to FMC.    Our local subnet LOCAL.NET.0.0/16 already has an Internet connection, with public IP XX.X.228.50. To obtain it I created typical Dynamic NAT:   object network lan_local_LOCAL.NET.0.0-16  nat (inside,outside) dynamic interface   Also, I created a NAT rule to reach the Exchange server from outside:   nat (outside,inside) source static any interface destination static IP_XX.X.228.54 MX2_LOCAL.NET.0.21 service SVC_30064789002 SVC_30064789002 nat (outside,inside) source static any interface destination static IP_XX.X.228.54 MX2_LOCAL.NET.0.21 service SVC_30064789003 SVC_30064789003 nat (outside,inside) source static any interface destination static IP_XX.X.228.54 MX2_LOCAL.NET.0.21 service SVC_30064789004 SVC_30064789004   It works as it should. As you admit we use different IP addresses for Internet access and for Exchange server. Outside IP for Internet Access is: XX.X.228.50 Outside IP for Exchange server: XX.X.228.54   Now we need to create NAT rule, to NAT all outside traffic of Exchange server to XX.X.228.54 instead of XX.X.228.50, and when I create one, for example    object network MX2_LOCAL.NET.0.21  nat (inside,outside) dynamic IP_XX.X.228.54   It works, but time to time, some packets NATed to this rule, some packets NATed to main local net NAT rule:   object network lan_local_LOCAL.NET.0.0-16  nat (inside,outside) dynamic interface   I checked it, by looking to the public IP address in web-browser and pressing F5 button, in 50% cases Public IP is XX.X.228.54 but in other XX.X.228.50. This is the issue, it prevents to work of our mail server correctly.   How to handle this issue? How to freeze public IP for the Exchange server? ... View more

Hi! We just bought Cisco 5516-x with FTD preinstalled on the device. We already have router/FW from another vendor and want to replace it by NGFW from Cisco.   I start configuration of Outside interfaces and noticed that ASA doesn't support multiple IPs from the same subnet on the one physical network interface in subinterfaces.    Our environment is subnet provided by our ISP provider: XXX.XX.37.48/29, GW is XXX.XX.37.49 and our IPs are XXX.XX.37.50-54   We want to use at least two IPs from this list to NAT traffic to two different Exchange MX servers, which both placed in our local network. In our DNS mail record, we have two MX records. We don't want to completely change our internal infrastructure, if possible of course. And I ask you to help me by providing a useful link to technology which can help us to deal with it.      ... View more