Static/Dynamic NAT at the same time

getahobby
Level 1

Hello,

I was just wondering if this setup would work:

global (External) 1 1.1.1.1

nat (Internal) 1 192.168.0.0 255.255.0.0

static (Internal,External) tcp 1.1.1.2 smtp 192.168.1.28 smtp netmask 255.255.255.255

In that setup we are doing static NAT/port forwarding for 1.1.1.2 to 192.168.1.28 in the inbound direction but on the outbound direction 192.168.1.28 gets NAT'd to 1.1.1.1. Is that possible?

3 Replies

andrew.prince
Level 10

No - the static NAT command works in both directions, so host 192.168.1.28 will be NAT'd on the outbound to 1.1.1.2.

HTH

roshan.maskey
Level 1

Hi,

Yes, it will work.

The ASA checks NAT in the following priority:

1. NAT Exemption

2. Static NAT/PAT (Regular and Policy)

3. Policy Dynamic NAT

4. Regular Dynamic NAT

Since you are doing Static PAT, it is bidirectional (1.1.1.2:25<->192.168.1.28:25).

And all applications initiated by 192.168.1.2 will match Regular Dynamic NAT rule 1 and use 1.1.1.1 as the translated IP.

Note: if 192.168.1.28 is your email server and sends outbound SMTP, then it is recommended to do static NAT, since your outbound SMTP will be 192.168.1.28:35570->smtp.xyz.com:25 and will match IP 1.1.1.1.

Some antispam engines using reverse DNS lookup fail to match the IP (DNS record of smtp.yourdomain.com=1.1.1.2) with email received from yourdomain.com with sender IP 1.1.1.1; this mismatch might lead to it being treated as spam.

H2H

Roshan
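
A small model of the lookup order described in this reply, applied to the three configuration lines from the question. This is an added example, not part of the original thread and not Cisco's implementation. The function names are hypothetical, and only static PAT and regular dynamic NAT are modelled.

```python
import ipaddress

# Rule tables built from the configuration in the question.
STATIC_PAT = [  # static (Internal,External) tcp 1.1.1.2 smtp 192.168.1.28 smtp
    {"proto": "tcp", "real": ("192.168.1.28", 25), "mapped": ("1.1.1.2", 25)},
]
DYNAMIC_NAT = [  # nat (Internal) 1 192.168.0.0 255.255.0.0 + global (External) 1 1.1.1.1
    {"net": ipaddress.ip_network("192.168.0.0/16"), "global": "1.1.1.1"},
]

def translate_outbound(proto, src_ip, src_port):
    """Return (rule, translated source IP) for a packet leaving Internal."""
    # Static PAT is consulted first and matches on real IP *and* real port.
    for r in STATIC_PAT:
        if proto == r["proto"] and (src_ip, src_port) == r["real"]:
            return "static-pat", r["mapped"][0]
    # Anything else from the inside network falls through to dynamic NAT.
    for r in DYNAMIC_NAT:
        if ipaddress.ip_address(src_ip) in r["net"]:
            return "dynamic-nat", r["global"]
    return "no-match", src_ip

def translate_inbound(proto, dst_ip, dst_port):
    """Return the real (IP, port) for a new connection arriving on External."""
    for r in STATIC_PAT:
        if proto == r["proto"] and (dst_ip, dst_port) == r["mapped"]:
            return r["real"]
    return None  # the dynamic rule creates no inbound mapping for new connections

def sender_ip_matches_dns(published_ip, proto, src_ip, src_port):
    """True if the source IP a remote MTA sees equals the published record."""
    return translate_outbound(proto, src_ip, src_port)[1] == published_ip

if __name__ == "__main__":
    # Constructed flows, using the addresses and ports quoted in the thread.
    print(translate_inbound("tcp", "1.1.1.2", 25))          # inbound mail
    print(translate_outbound("tcp", "192.168.1.28", 25))    # replies on that session
    print(translate_outbound("tcp", "192.168.1.28", 35570)) # server-initiated SMTP
    print(sender_ip_matches_dns("1.1.1.2", "tcp", "192.168.1.28", 35570))
```

On a real firewall, `show xlate` lists the translations actually in use and is the place to confirm which address an outbound mail session was given.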

AxiomConsulting
Level 1

As I understand it (from your above config), your internal machine (192.168.1.28) will use the address 1.1.1.2 for all SMTP communications; all other communications will use the 1.1.1.1 address.

HTH

Steve