I've got a problem - a LONG one... Policy (Static) NAT. Pix 515e running 7.2(1)24. Can't really get my head round the ASDM GUI; I use it but find it un-illuminating, so I'll describe this situation using CLI output.
I've got a Svr (unfortunately MS, as I know this problem could be easily fixed on a Linux box) that sits in a DMZ and whose intended functions are Mail Relay and DNS (SOA). Originally tried a real (for mail) and a sub-interface (for DNS); we could use a secondary NIC but I don't see that fixing this problem.
Real: 10.0.0.25 to xlate to 184.108.40.206 (mx1.xxx.com)
Sub: 10.0.0.53 to xlate to 220.127.116.11 (ns1.xxx.com)
Obviously it needs to be accessible from outside, so Statics are the way to go. Easily done, you say, one-to-one, no probs. But remember I'm dealing with a Windoze Svr, and even though you can set up DNS to use a particular address (10.0.0.53), when lookups come in they are replied to using the primary address.
So someone outside does an nslookup to ns1.xxx.com (18.104.22.168), it gets xlated to 10.0.0.53, so far so good. But the reply from the server has src 10.0.0.25, which gets xlated to 22.214.171.124 on the way back (sets up its own connection slot), and the original host doing the lookup says "no thank you" to the reply.
As I have said this is a Windoze fault but I have to make it work on the FW.
So I use Static Policy NAT because it is said that the same internal host can be xlated to different external addresses based on ACL policy. My thought process being that I just accept that the Windoze box is going to reply from the same real address anyway.
Attached are some relevant snips from my config (IPs changed to protect the innocent), the "sh xlate" output, and the syslog messages for good measure.
Thanks for your time, and any help much appreciated.
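The post's attachments are not on the page, so the following is an added example of the static policy NAT arrangement the post describes, not the poster's own config. It assumes the interface names `dmz` and `outside`, reuses the real/mapped addresses from the post, and assumes the DNS server really does answer from 10.0.0.25 (so the 10.0.0.53 sub-interface is not used at all). Policy NAT access lists on PIX 7.x may carry ports, which is what lets one real host be mapped to two outside addresses; the ordering of the two `static` lines, and the `eq domain` source-port match, are the assumptions to check against `show xlate` and `show conn` on the real box.

```cisco
! Added example (assumed interface names dmz/outside, addresses from the post).
!
! 1. Identify the DNS traffic the DMZ host sources from its primary address.
!    Source port 53 (domain) is what marks a DNS reply leaving 10.0.0.25.
access-list DNS_POLICY extended permit udp host 10.0.0.25 eq domain any
access-list DNS_POLICY extended permit tcp host 10.0.0.25 eq domain any

! 2. Policy static: only packets matching DNS_POLICY are mapped to the ns1 address.
!    Static policy NAT is bidirectional, so an inbound query to 220.127.116.11:53 is
!    untranslated to 10.0.0.25:53 and the reply from 10.0.0.25:53 matches the SAME
!    connection slot instead of building a second xlate to the mx1 address.
static (dmz,outside) 220.127.116.11 access-list DNS_POLICY

! 3. Regular one-to-one static for everything else the host sends (mail relay).
!    Assumption: statics are matched in order, so the narrower policy static is listed first.
static (dmz,outside) 184.108.40.206 10.0.0.25 netmask 255.255.255.255

! 4. Permit the published services on the outside interface (mapped addresses).
access-list OUTSIDE_IN extended permit udp any host 220.127.116.11 eq domain
access-list OUTSIDE_IN extended permit tcp any host 220.127.116.11 eq domain
access-list OUTSIDE_IN extended permit tcp any host 184.108.40.206 eq smtp
access-group OUTSIDE_IN in interface outside

! 5. Verify: drop the stale translations, then confirm that a DNS reply from
!    10.0.0.25 shows up under the ns1 address and nothing else does.
clear xlate
show xlate
show conn
```

Two things to check before trusting it: `clear xlate` tears down every existing translation on the firewall, so run it in a maintenance window; and if `show xlate` still shows a separate entry for 10.0.0.25 to the mx1 address on port 53 after the change, the policy static is not being matched first and the order of the two `static` lines needs to be swapped.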