ASA 8.3 real Ip address in ACL

jmprats (Level 4)

If ASA 8.3 uses the real IP address in ACLs, why does this example, "ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example", use the public (NATted) IP address for the SMTP server ACL?

Accepted Solution

I agree !!

pre-8.3 Configuration

static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255

!

access-list outside_in extended permit tcp any host 209.165.201.15

access-group outside_in in interface outside

8.3 Configuration

object network obj-10.1.1.6
  host 10.1.1.6
  nat (inside,outside) static 209.165.201.15

!

access-list outside_in extended permit tcp any host 10.1.1.6

access-group outside_in in interface outside


6 Replies

ajay chauhan (Level 7)

Whatever the SMTP server IP on the Internet will be, you will have to add that IP to the outside ACL to allow port 25. It could be the NAT IP or the public IP as well.

Can you post the statement from configuration where you have doubt?

Thanks

Ajay

In the example:

access-list smtp extended permit tcp any host 209.164.3.5 eq smtp

object network obj-192.168.2.0
  subnet 192.168.2.0 255.255.255.0
  nat (inside,outside) dynamic 209.164.3.129

Why doesn't it use the real IP address in the ACL?


Ok.

That traffic is originated from inside hosts. You should focus on -

object network obj-192.168.2.57
  host 192.168.2.57
  nat (inside,outside) static 209.164.3.5

For your SMTP question: the SMTP server is mapped with one-to-one NAT, so its public identity would be 209.164.3.5, so of course that is allowed in the ACL.

Regarding the configuration you have posted: it has nothing to do with the SMTP server; it mentions the whole /24 subnet for outbound traffic.

NAT has an order of processing: nonat > static nat > dynamic nat > static pat > dynamic pat, like this.

Hope this helps.

Thanks

Ajay

OK, sorry, of course, the smtp-server nat was:

object network obj-192.168.2.57
  host 192.168.2.57
  nat (inside,outside) static 209.164.3.5

But the ACL is using the public IP, not the real IP address as announced in the Release Notes or migration guide, which states:

"For example, formerly if you wanted to allow an outside host to access an inside host that used NAT, you applied an inbound access list on the outside interface using the access-group command. In this scenario, you needed to specify the mapped address of the inside host in the access list because that address was the address that can be used on the outside network. Starting in 8.3, you need to specify the real address in the access list."

In this Cisco Support Channel video (minute 3), the outside ACL uses the real IP address, not the public (NATted) one:

http://www.youtube.com/watch?v=R6TMlH9U2pE&feature=plcp&context=C34bcf43UDOEgsToPDskINRv5_oXhrk7jRahbPD_Em

So my question is:

In the ACL, do I have to use the real IP (like the video) or the NATted IP (like the SMTP example)?

Thanks

Hi

Use real IP address:

e.g.

access-list smtp extended permit tcp any host 192.168.2.57 eq smtp
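A small lint for exactly the confusion in this thread, added here as an example (it is not Cisco's code nor any poster's): it parses an 8.3-style object/NAT configuration, builds the mapped-to-real address map from the static one-to-one objects, and flags any ACE that still names the mapped address, suggesting the same ACE rewritten with the real address. The sample configuration is constructed from the objects quoted above; the regexes only recognise `any`, `host`, and address/mask sources and a `host` destination, which is an assumption about the ACE shapes being checked.

```python
import re

# Constructed sample 8.3-style config, modelled on the objects quoted in this thread.
SAMPLE_CONFIG = """
object network obj-192.168.2.57
 host 192.168.2.57
 nat (inside,outside) static 209.164.3.5
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic 209.164.3.129
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
access-list smtp extended permit tcp any host 192.168.2.57 eq smtp
access-group smtp in interface outside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def static_nat_map(config):
    """Return {mapped_ip: real_ip} from 'object network' blocks that have a
    'host' line and a 'nat ... static <ip>' line (dynamic/subnet NAT ignored)."""
    mapping, real = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("object network "):
            real = None  # new object: forget the previous host
        elif line.startswith("host "):
            real = line.split()[1]
        else:
            m = re.fullmatch(r"nat \(\S+\) static (" + IPV4 + ")", line)
            if m and real:
                mapping[m.group(1)] = real
    return mapping

def check_acl(config):
    """Return (offending_ace, suggested_ace) pairs for ACEs whose destination
    is a mapped address. On 8.3+ the ACL is evaluated against the real address,
    so such an ACE never matches; the suggestion rewrites it with the real IP."""
    mapping = static_nat_map(config)
    ace = re.compile(r"access-list \S+ extended (?:permit|deny) \S+ "
                     r"(?:any|host \S+|" + IPV4 + " " + IPV4 + r") host (" + IPV4 + ")")
    findings = []
    for line in (l.strip() for l in config.splitlines()):
        m = ace.match(line)
        if m and m.group(1) in mapping:
            findings.append((line, line.replace(m.group(1), mapping[m.group(1)])))
    return findings

if __name__ == "__main__":
    for bad, good in check_acl(SAMPLE_CONFIG):
        print("uses mapped address:", bad, "\nuse real address:   ", good)
```

Run against the sample, it reports only the ACE with 209.164.3.5 and proposes the 192.168.2.57 form; the ACE that already uses the real address is left alone.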

