Cisco 5510 ASA Multiple static to single Private IP!

Aug 31st, 2010


I am using Cisco ASA 5510 Firewall, Software Version 7.0(2) and Licensed features for this platform:
Maximum Physical Interfaces : 4
Maximum VLANs               : 0
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : 50


I have a Barracuda Spam filter firewall having IP address and 25 port is enabled. This firewall supports multiple domains for spam filtering. Currently I was using a single domain and it works fine for me. Now I need to add one more domain to the same spam filter; everything is done on the Barracuda side. Now when I add one more entry of a live IP with the same local 25, it gives me an error:

us-firewall(config)# static (inside,outside) tcp 216.XXX.XX.12 smtp smtp netmask
ERROR: duplicate of existing static
  TCP inside: to outside:216.XXX.XXX.23/25 netmask
Usage: [no] static [(real_ifc, mapped_ifc)]
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [udp <max_conns>]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [udp <max_conns>]

What I want?

216.XXX.XXX.23---> smtp          (Old entry working fine)


216.XXX.XX.12---> smtp               (new entry not working)

*** Please note I can't change/add an IP address on the Barracuda spam filter and can't change the port, so I just need two live IPs to the same IP address and port 25.

Solution: ?

Nagaraja Thanthry (Cisco Employee) Wed, 09/01/2010 - 05:20


You cannot map multiple public IPs to a single internal IP with a straightforward static statement. You need to configure policy NAT. Please try the


access-list Mail1 permit tcp host eq 25 any

access-list Mail2 permit tcp host eq 25 any

static (inside,outside) tcp 216.XXX.XX.12 smtp access-list Mail1

static (inside,outside) tcp 216.XXX.XX.23 smtp access-list Mail2

Then make sure that you have allowed the traffic through the access-lists.

Hope this helps.
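
Added example, not part of the thread above and not Cisco code: a pre-change check that parses `static` port-redirect lines using the syntax in the usage text from the question, flags plain statics that share one real-side tuple (the "duplicate of existing static" case), and lists every public address mapped to each internal service so the permit ACL mentioned in the reply can be checked against it. The addresses, the `audit` function and the sample configs are constructed assumptions; policy statics are listed but not judged.

```python
import re
from collections import defaultdict

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}  # subset of ASA port keywords

# static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port
#        {real_ip real_port [netmask mask] | access-list acl_name}
STATIC_RE = re.compile(
    r"^static \((\w+),\s*(\w+)\) (tcp|udp) (\S+) (\S+) "
    r"(?:access-list (\S+)|(\S+) (\S+)(?: netmask \S+)?)$")
# Only the ACL shape used in the reply: permit <proto> host <ip> eq <port> any
ACL_RE = re.compile(r"^access-list (\S+) permit (?:tcp|udp) host (\S+) eq (\S+) any$")

def port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def audit(config):
    """Return (exposure, duplicates, unresolved) for an ASA 7.x style config."""
    lines = [l.strip() for l in config.splitlines()]
    acls = {}
    for l in lines:
        m = ACL_RE.match(l)
        if m:
            acls[m.group(1)] = (m.group(2), port(m.group(3)))
    exposure, unresolved = defaultdict(list), []
    for l in lines:
        m = STATIC_RE.match(l)
        if not m:
            continue
        real_if, _, proto, mapped_ip, mapped_port, acl, real_ip, real_port = m.groups()
        if acl is None:
            real, kind = (real_ip, port(real_port)), "plain"
        elif acl in acls:
            real, kind = acls[acl], "policy"
        else:
            unresolved.append(l)       # policy static whose ACL was not found
            continue
        exposure[(real_if, proto) + real].append((mapped_ip, port(mapped_port), kind))
    # Two plain statics on one real-side tuple: the rejected case in the question.
    duplicates = [k for k, v in exposure.items()
                  if sum(kind == "plain" for _, _, kind in v) > 1]
    return dict(exposure), duplicates, unresolved

# Constructed sample configs (documentation and private addresses, not the poster's).
PLAIN = """static (inside,outside) tcp 198.51.100.23 smtp 10.0.0.5 smtp netmask 255.255.255.255
static (inside,outside) tcp 198.51.100.12 smtp 10.0.0.5 smtp netmask 255.255.255.255"""
POLICY = """access-list Mail1 permit tcp host 10.0.0.5 eq 25 any
access-list Mail2 permit tcp host 10.0.0.5 eq 25 any
static (inside,outside) tcp 198.51.100.12 smtp access-list Mail1
static (inside,outside) tcp 198.51.100.23 smtp access-list Mail2"""
```
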



