We have 2 email servers in a cluster on the network. I have the cluster IP address configured for Object static NAT. This works great for email coming into our organization. However, when either of these 2 email servers sends mail, it sends using its own configured IP address, which is different from the cluster IP address. Thus, the NAT'd address is different from the one used for incoming mail. It hasn't been an issue to this point, but I would like to be able to send SMTP from either server and have it NAT to the same IP used for the cluster IP. This way, any reverse DNS lookups on the internet would show a consistent IP-to-name mapping for our mail servers. I've attached a diagram. If there is a way to force the cluster servers to use the cluster address on the Windows server side, that could be an option as well.
Since you have Auto NAT / Network Object NAT configured for the all-users Dynamic PAT, my above example as such won't do the trick for you. Specifically, I imagined that the existing Dynamic PAT would override my suggested Dynamic PAT for the mail servers. It would only work if the Dynamic PAT for all users were configured in the same format (NOT Auto NAT / Network Object NAT).
So it seems to me you will have to use the Dynamic Policy PAT that you have mentioned:
object service SMTP
 service tcp destination eq smtp
!
object network excastx01
object network excastx02
! (each object also needs its "host x.x.x.x" line; the server addresses are not given in the post)
!
object network HOST-10.10.10.140
 host 10.10.10.140
!
object-group network EXCASTX-CLUSTER
 network-object object excastx01
 network-object object excastx02
!
nat (inside,any) source dynamic EXCASTX-CLUSTER HOST-10.10.10.140 service SMTP SMTP
This is essentially a Section 1 Manual NAT / Twice NAT configuration, and it's a Dynamic Policy PAT. It's at the very top of the NAT rules to be matched, so it should override your normal Dynamic PAT configuration with regard to SMTP traffic.
I am not sure you really need to specify the destination interface as "any". Also, the "any,any" in the Static NAT command seems a bit weird.
I would personally have configured the situation in the way I suggested, but there is probably no real reason to change your current setup, as the above configuration will also achieve what you are looking for.
The actual NAT configuration used depends on how your Dynamic PAT rule for all the users of the network is configured at the moment. Mainly, is it Auto NAT or Manual NAT?
Though naturally I can give you an example that includes the Dynamic PAT for all users, the Dynamic PAT for the mail servers, and the Static NAT for incoming mail.
MAIL SERVER STATIC NAT
object network MAIL-SERVER
! (the "host x.x.x.x" line with the server's inside address goes here; it is not given in the post)
 nat (inside,outside) static 10.10.10.140
The above is the basic Static NAT configuration for a host using Auto NAT / Network Object NAT. It could also be done with Manual NAT / Twice NAT, but I prefer Auto NAT / Network Object NAT.
MAIL SERVER DYNAMIC PAT
object-group network MAIL-PAT-SOURCE
 network-object host 10.0.0.1
 network-object host 10.0.0.2
 network-object host 10.0.0.3
!
object network MAIL-SERVER-PUBLIC
 host 10.10.10.140
!
nat (inside,outside) after-auto source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
The above is a normal Dynamic PAT configuration (no Policy elements involved).
The key thing to notice here is that we enter this on the ASA before the next Dynamic PAT, which catches all the remaining source IP addresses. Also note that it's a Section 3 NAT rule (the lowest priority), so it won't override any other NAT rules, like the above Static NAT.
If your existing Dynamic PAT for all users were already configured similarly to the last configuration example, then you would have to add a line number to the NAT configuration, like this:
nat (inside,outside) after-auto 1 source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
DEFAULT DYNAMIC PAT FOR USERS
nat (inside,outside) after-auto source dynamic any interface
The above is just a Dynamic PAT configuration that catches all source addresses behind the "inside" interface and does Dynamic PAT for them when connecting to networks behind "outside". As this is inserted into the configuration after the above command, it will have lower priority and won't apply to the 3 source hosts we specified above.
I wonder if I made this out to be more complicated than it needs to be.
I guess the easiest way to determine the configuration you will need/want would be to see the current NAT configuration on the ASA.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
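The whole answer above hinges on NAT rule ordering: Section 1 (Manual/Twice NAT) is evaluated first, Section 2 (Auto/Object NAT, static before dynamic) second, and Section 3 (Manual NAT with `after-auto`) last, in configuration order within each section. The following is an added example, not part of the original post or any Cisco tool: a small Python model of that evaluation order, loaded with both variants discussed above (the Section 1 Dynamic Policy PAT for SMTP, and the Section 3 `after-auto` mail-server PAT in front of the catch-all interface PAT). The cluster VIP 10.0.0.10, the member addresses 10.0.0.1/.2/.3, the 10.0.0.0/24 inside network and the outside interface address 198.51.100.1 are all constructed for the demo; only 10.10.10.140 comes from the post. The real ASA also tie-breaks Section 2 by address count and object name, which is omitted here.

```python
"""Toy model of Cisco ASA NAT rule evaluation order (added example, not from the post).

Section 1 = manual/twice NAT in config order, Section 2 = auto (object) NAT with
static rules before dynamic, Section 3 = manual NAT entered with 'after-auto',
in config order. The first matching rule wins. Addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SMTP, HTTPS = 25, 443

# Assumed outside interface address used for 'interface' PAT (not from the post).
INTERFACE_IP = {"outside": "198.51.100.1"}


@dataclass
class NatRule:
    name: str
    section: int                  # 1 = manual, 2 = auto/object NAT, 3 = after-auto
    kind: str                     # "static" or "dynamic"
    sources: List[str]            # real source hosts/networks the rule covers
    mapped: str                   # mapped address, or "interface" for interface PAT
    egress: str = "outside"       # destination interface, or "any"
    dport: Optional[int] = None   # destination port for a policy (service) rule

    def matches(self, src: str, out_if: str, dport: int) -> bool:
        addr = ip_address(src)
        if not any(addr in ip_network(n) for n in self.sources):
            return False
        if self.egress != "any" and self.egress != out_if:
            return False
        return self.dport is None or self.dport == dport


def ordered(rules: List[NatRule]) -> List[NatRule]:
    """Sort into ASA evaluation order: by section, static-before-dynamic in
    Section 2 only, then by the order the rules were entered."""
    def key(item):
        idx, r = item
        static_first = 0 if (r.section == 2 and r.kind == "static") else 1
        return (r.section, static_first, idx)
    return [r for _, r in sorted(enumerate(rules), key=key)]


def translate(rules: List[NatRule], src: str, dport: int,
              out_if: str = "outside") -> Tuple[Optional[str], str]:
    """Return (name of the winning rule, mapped source address)."""
    for r in ordered(rules):
        if r.matches(src, out_if, dport):
            mapped = INTERFACE_IP[out_if] if r.mapped == "interface" else r.mapped
            return r.name, mapped
    return None, src  # no rule matched: the packet leaves untranslated


CLUSTER_VIP = "10.0.0.10"                    # assumed cluster address (static to 10.10.10.140)
CLUSTER_MEMBERS = ["10.0.0.1", "10.0.0.2"]   # assumed per-server addresses

# Variant 1: keep the existing Auto NAT rules and add the Section 1 policy PAT
# for SMTP only. Entered last here on purpose: section, not entry order, wins.
POLICY_PAT = [
    NatRule("inside-net auto PAT", 2, "dynamic", ["10.0.0.0/24"], "interface"),
    NatRule("cluster VIP static", 2, "static", [CLUSTER_VIP], "10.10.10.140"),
    NatRule("EXCASTX SMTP policy PAT", 1, "dynamic", CLUSTER_MEMBERS,
            "10.10.10.140", egress="any", dport=SMTP),
]


def after_auto_rules(mail_pat_first: bool = True) -> List[NatRule]:
    """Variant 2: both dynamic PATs in Section 3. 'mail_pat_first' models whether
    the mail-server PAT was entered (or inserted with 'after-auto 1') before the
    catch-all 'source dynamic any interface' rule."""
    static = NatRule("MAIL-SERVER static", 2, "static", [CLUSTER_VIP], "10.10.10.140")
    mail_pat = NatRule("MAIL-PAT-SOURCE PAT", 3, "dynamic",
                       CLUSTER_MEMBERS + ["10.0.0.3"], "10.10.10.140")
    catch_all = NatRule("default user PAT", 3, "dynamic", ["0.0.0.0/0"], "interface")
    order = [mail_pat, catch_all] if mail_pat_first else [catch_all, mail_pat]
    return [static] + order


if __name__ == "__main__":
    for label, rules in [("policy PAT", POLICY_PAT),
                         ("after-auto, mail PAT first", after_auto_rules()),
                         ("after-auto, catch-all first", after_auto_rules(False))]:
        print(f"--- {label}")
        for src, port in [("10.0.0.1", SMTP), ("10.0.0.1", HTTPS),
                          ("10.0.0.50", SMTP), (CLUSTER_VIP, HTTPS)]:
            print(f"{src}:{port} -> {translate(rules, src, port)}")
```

Running it shows the two points the answer makes: with the Section 1 policy PAT, only SMTP from the cluster members goes out as 10.10.10.140 while their other traffic still uses the interface PAT; with the Section 3 approach, all traffic from the listed hosts maps to 10.10.10.140, but only if the mail-server PAT sits in front of the catch-all, which is why the `after-auto 1` line number matters when the catch-all already exists.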