ASA 8.4 - Static NAT - Problem with outbound SMTP

Answered Question
Mar 31st, 2011

Below is the interesting part of my config.  I have static NAT configured and working inbound for the Exchange Server and the Barracuda, however outbound traffic from those hosts comes out as the interface IP.  Thoughts?  I've tried a number of things (outside, inside), etc...  No luck.  Any help would be appreciated.


object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network DSN-EXCH01
 host 10.250.231.51
object network MAIL-IN
 host 10.250.231.50
!
access-list outside_inside extended permit tcp any host 10.250.231.51 eq https
access-list outside_inside extended permit tcp any host 10.250.231.51 eq www
access-list outside_inside extended permit tcp any host 10.250.231.50 eq smtp
!
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
object network DSN-EXCH01
 nat (inside,outside) static xxx.xxx.xxx.25
object network MAIL-IN
 nat (inside,outside) static xxx.xxx.xxx.26
!
access-group outside_inside in interface outside

Correct Answer
Shrikant Sundaresh Thu, 03/31/2011 - 11:09
User Badges:
  • Cisco Employee,

Hi,


The issue here is with the order of NAT rules in the 8.4 version.


A Manual NAT rule takes precedence over Auto NAT (within object group).


So, nat (inside,outside) source dynamic any interface; is taking precedence when going from inside to outside.


I hope this helps.


-Shrikant


PS: Please mark the question resolved, if it has been answered. Do rate helpful posts. Thanks

clamasters Thu, 03/31/2011 - 11:52

That makes sense, thank you. Is there a better way to accomplish this then?  I see there are some options to insert rules before and after other parts of NAT but not sure what to use just yet.


Thank you,


Curtis

clamasters Thu, 03/31/2011 - 11:56

Actually, I just removed that part of the config since I already had an object NAT configured for 0.0.0.0.


Thank you very much.
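A small Python model of the ASA 8.4 NAT lookup order that the answer describes, added here as an illustration (it is not ASA code and not from anyone in the thread). It assumes the simplified ordering stated in its comments and uses 203.0.113.25/.26 as stand-ins for the masked xxx.xxx.xxx.25/.26 addresses; it shows why the poster's config PATs outbound SMTP to the interface while inbound still reaches MAIL-IN, and what removing the manual rule (or using after-auto) changes.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NatRule:
    section: int   # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual NAT "after-auto"
    real: str      # real (inside) host or subnet in CIDR form
    mapped: str    # mapped (outside) address; "interface" means PAT to the outside IP
    static: bool   # static rules are bidirectional, dynamic PAT is outbound-only

def ordered(rules):
    """ASA 8.4 order: section 1, then section 2 (static before dynamic), then
    section 3; first match wins. Simplified: section 2 tie-breaks are omitted."""
    return sorted(rules, key=lambda r: (r.section, not r.static))

def translate_outbound(rules, real_src):
    """Mapped source address for a connection initiated by real_src (inside->outside)."""
    for r in ordered(rules):
        if ipaddress.ip_address(real_src) in ipaddress.ip_network(r.real):
            return r.mapped
    return real_src  # no NAT rule matched: address unchanged

def untranslate_inbound(rules, mapped_dst):
    """Real host reached by an outside-initiated connection to mapped_dst.
    Only static (bidirectional) rules can match; dynamic PAT never does."""
    for r in ordered(rules):
        if r.static and r.mapped == mapped_dst:
            return r.real.split("/")[0]
    return None  # nothing maps this address back to an inside host

# Constructed from the poster's config; 203.0.113.x stands in for the masked
# xxx.xxx.xxx.25 / .26 public addresses.
POSTED = [
    NatRule(1, "0.0.0.0/0", "interface", static=False),           # nat (inside,outside) source dynamic any interface
    NatRule(2, "0.0.0.0/0", "interface", static=False),           # obj_any: nat (inside,outside) dynamic interface
    NatRule(2, "10.250.231.51/32", "203.0.113.25", static=True),  # DSN-EXCH01 static
    NatRule(2, "10.250.231.50/32", "203.0.113.26", static=True),  # MAIL-IN static
]
# What the poster did: drop the manual (section 1) rule; obj_any still PATs the rest.
FIXED = [r for r in POSTED if r.section != 1]
# Alternative: keep a catch-all manual rule but place it after auto NAT
# ("nat (inside,outside) after-auto source dynamic any interface").
AFTER_AUTO = FIXED + [NatRule(3, "0.0.0.0/0", "interface", static=False)]

if __name__ == "__main__":
    for name, cfg in [("posted", POSTED), ("fixed", FIXED), ("after-auto", AFTER_AUTO)]:
        print(name, "- SMTP from 10.250.231.50 leaves as", translate_outbound(cfg, "10.250.231.50"))
```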
