Static/Dynamic NAT at the same time

Unanswered Question
Apr 17th, 2009


I was just wondering if this setup would work:

global (External) 1

nat (Internal) 1

static (Internal,External) tcp smtp smtp netmask

In that setup we are doing static NAT/port forwarding for to in the inbound direction but on the outbound direction gets NAT'd to Is that possible?

roshan.maskey Sat, 04/18/2009 - 18:39


Yes, it will work.

The ASA checks NAT in the following priority:

1. NAT Exemption

2. Static NAT/PAT (Regular and Policy)

3. Policy Dynamic NAT

4. Regular Dynamic NAT

Since you are doing Static PAT, and is bidirectional (<->

And all applications initiated by will match Regular Dynamic NAT rule 1 and use as translated IP.

Note: if is your email server and sends outbound smtp then it is recommended to do static NAT. Since your outbound smtp will be> and will match IP

Some antispam engines using reverse DNS lookup fail matching IP (DNS record of and email received from with sender IP; this mismatch might lead to as spam.
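
The lookup order from the answer above, as an added example that is not part of the original thread: a simplified Python model (not ASA code) showing which source address each outbound flow ends up with. All addresses are constructed placeholders, because the thread's own addresses are not shown, and `translate_outbound` and `rdns_mismatch` are hypothetical helper names.

```python
"""Simplified model of the NAT lookup order in the answer (constructed addresses)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values: the thread's real addresses are not available.
MAIL_SERVER = ip_address("10.0.0.25")      # assumed internal mail server
STATIC_PAT_IP = ip_address("192.0.2.10")   # assumed static PAT (port forward) address
GLOBAL_POOL_IP = ip_address("192.0.2.20")  # assumed "global (External) 1" address
INSIDE_NET = ip_network("10.0.0.0/24")     # assumed "nat (Internal) 1" network

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_port: int

def translate_outbound(flow):
    """Return (rule, translated_source_ip) following the priority list in the answer."""
    src = ip_address(flow.src_ip)
    # 1. NAT exemption: none configured in this setup.
    # 2. Static PAT: matches only when the source is real-IP:25 (the SMTP
    #    listener); a new outbound connection uses an ephemeral source port.
    if src == MAIL_SERVER and flow.src_port == 25:
        return ("static PAT", STATIC_PAT_IP)
    # 3. Policy dynamic NAT: none configured.
    # 4. Regular dynamic NAT: nat (Internal) 1 -> global (External) 1.
    if src in INSIDE_NET:
        return ("regular dynamic NAT", GLOBAL_POOL_IP)
    return ("no translation", src)

def rdns_mismatch(flow, published_mail_ip):
    """True when outbound SMTP is seen from an address other than the published one."""
    _, seen_ip = translate_outbound(flow)
    return flow.dst_port == 25 and seen_ip != ip_address(published_mail_ip)

if __name__ == "__main__":
    samples = {
        "traffic from SMTP listener": Flow("10.0.0.25", 25, 40000),
        "server sending mail out": Flow("10.0.0.25", 50000, 25),
        "workstation web traffic": Flow("10.0.0.77", 50001, 443),
    }
    for name, flow in samples.items():
        rule, ip = translate_outbound(flow)
        print(f"{name:28} -> {rule:20} source seen as {ip}")
    outbound_mail = samples["server sending mail out"]
    print("rDNS mismatch:", rdns_mismatch(outbound_mail, "192.0.2.10"))
```

With a one-to-one static NAT for the mail server, as the note recommends, step 2 would match every flow from that host and the mismatch check would return False.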



AxiomConsulting Mon, 04/20/2009 - 04:57

As I understand it (from your above config), your internal machine ( will use the address for all SMTP communications, all other communications will use the address.
