We have a number of static PAT as well as policy NAT pointing services from servers and load balancers to the outside world on specific ports. In this case, our Postfix mail server is accepting inbound connections fine and sending out fine; however, we are experiencing a number of bounces from certain providers due to an SMTP X-Source-Ip being the outside interface of the ASA, thus marked as SPAM. Outbound SMTP traffic needs to return on SMTP as the originating mapped PAT.

The current config is using mostly policy NAT w/ object groups, and is being trimmed as services and hosts get decommed (objects were imported from a diff FW). I have also tested straight static PAT for SMTP to avoid policy NAT altogether. Have also tried w/o 2nd global & nat commands, and have had no luck with either configuration.

Current running config:

dc1nasa-01(config)# show run
: Saved
:
ASA Version 8.0(2)
!
hostname dc1nasa-01
domain-name x.x
enable password 8b7UmqfXlX7.PBKC encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.50 255.255.255.128
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3.100
 vlan 100
 nameif ProdMulti
 security-level 10
 ip address 192.168.16.2 255.255.255.0
!
interface GigabitEthernet0/3.551
 vlan 551
 nameif MgmtProdMutli
 security-level 10
 ip address 10.125.15.1 255.255.255.0
!
interface GigabitEthernet0/3.701
 vlan 701
 nameif InfraBack
 security-level 10
 ip address 10.125.20.1 255.255.255.0
!
interface GigabitEthernet0/3.801
 vlan 801
 nameif LoadBal
 security-level 10
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.25 255.255.255.0
 management-only
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name imprev.fibercloud
same-security-traffic permit inter-interface
object-group network Andromeda-int
 network-object host 192.168.16.22
object-group network Antares-int
 network-object host 192.168.16.24
object-group network App1-int
 network-object host 192.168.16.222
object-group network BAL-int
 network-object host 192.168.16.4
object-group network Backup-int
 network-object host 192.168.16.201
object-group network Capella-int
 network-object host 192.168.16.25
object-group network Hosting1-int
 network-object host 192.168.16.72
object-group network Hostingtmp-int
 network-object host 192.168.16.20
object-group network Nunki_int
 network-object host 192.168.16.73
object-group network Sandbox-int
 network-object host 192.168.16.202
object-group network Sirius-B-int
 network-object host 192.168.16.26
object-group network Sirius-int
 network-object host 192.168.16.23
object-group network ProdMHost
 description [ProdMulti Hosts]
 group-object Andromeda-int
 group-object Antares-int
 group-object App1-int
 group-object BAL-int
 group-object Backup-int
 group-object Capella-int
 group-object Hosting1-int
 group-object Hostingtmp-int
 group-object Nunki_int
 group-object Sandbox-int
 group-object Sirius-B-int
 group-object Sirius-int
object-group network MgmtProdMHost
 description [MgmtProdMulti Hosts]
 group-object Backup-int
 group-object Andromeda-int
 group-object Antares-int
 group-object App1-int
 group-object BAL-int
 group-object Capella-int
 group-object Hosting1-int
 group-object Hostingtmp-int
 group-object Nunki_int
 group-object Sandbox-int
 group-object Sirius-B-int
 group-object Sirius-int
object-group service GenHost-Svcs-tcp tcp
 description [Generic Host TCP Services]
 port-object eq www
 port-object eq ssh
 port-object eq domain
 port-object eq smtp
 port-object eq 8080
 port-object eq https
 port-object eq ldap
 port-object eq telnet
 port-object eq 118
 port-object eq 3306
object-group service GenHost-Svcs-udp udp
 description [Generic Host UDP Services]
 port-object eq domain
 port-object eq www
 port-object eq kerberos
 port-object eq ntp
 port-object eq radius
 port-object eq radius-acct
 port-object eq snmp
 port-object eq tftp
 port-object eq 118
 port-object eq 3306
object-group icmp-type ICMP-Types
 description [Allowed ICMP types]
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo-reply
 icmp-object echo
 icmp-object source-quench
 icmp-object traceroute
object-group network Backup-ext
 network-object host x.x.x.76
object-group network Outside-Net
 network-object x.x.x.0 255.255.255.128
object-group network Outside
 network-object host x.x.x.50
object-group protocol Common-Prot
 protocol-object esp
 protocol-object ah
object-group network AppCluster1-DMZ
 network-object host 192.168.2.5
object-group network Appcluster-SMTP
 network-object host 192.168.2.15
object-group network VS_ADDR_192_168_2_2
 network-object host 192.168.2.2
object-group network Billing-HTTPS
 network-object host 192.168.2.10
object-group network BAL-if0
 network-object host 192.168.2.2
object-group network VS_ADDR_192_168_2_15
 network-object host 192.168.2.15
object-group network AppCluster1-ext
 network-object host x.x.x.89
object-group network STAGING-ext
 network-object host x.x.x.83
object-group network Sandbox-ext
 network-object host x.x.x.86
object-group network RETAIL_SECURE-ext
 network-object host x.x.x.97
object-group network Appcluster_SMTP-ext
 network-object host x.x.x.115
object-group network App_Bypass
 network-object host x.x.x.108
object-group network BHG_HOSTING
 network-object host x.x.x.96
object-group network BMS_EXT
 network-object host x.x.x.75
object-group network ExtHost
 description [External Hosts]
 group-object AppCluster1-ext
 group-object App_Bypass
 group-object Appcluster_SMTP-ext
 group-object BHG_HOSTING
 group-object BMS_EXT
 group-object Backup-ext
 group-object Nunki_int
 group-object RETAIL_SECURE-ext
 group-object STAGING-ext
 group-object Sandbox-ext
object-group network AppCluster1-DMZ-int
 network-object host 192.168.2.5
object-group network Billing-HTTPS-int
 network-object host 192.168.2.10
object-group network LoadBalHost
 description [LoadBalance/DMZ/WEB Hosts]
 group-object AppCluster1-DMZ
 group-object Appcluster-SMTP
 group-object BAL-if0
 group-object Billing-HTTPS
 group-object VS_ADDR_192_168_2_15
 group-object VS_ADDR_192_168_2_2
 group-object AppCluster1-DMZ-int
 group-object Billing-HTTPS-int
object-group network LB_Test-int
 network-object host 192.168.20.3
object-group network LB_Test-ext
 network-object host x.x.x.104
object-group network Prod_Test-ext
 network-object host x.x.x.103
object-group network Prod_Test-int
 network-object host 192.168.160.35
object-group network BMS-VIP-int
 network-object host 192.168.2.20
object-group network BMS-SMTP-int
 network-object host 192.168.2.15
object-group network Hosting-ext
 network-object host x.x.x.90
object-group network BMS-SMTP-EXT
 network-object host x.x.x.111
object-group network LoadBal-int-Hosts
 group-object AppCluster1-DMZ
 group-object Appcluster-SMTP
 group-object VS_ADDR_192_168_2_2
 group-object Billing-HTTPS
 group-object BAL-if0
 group-object VS_ADDR_192_168_2_15
 group-object AppCluster1-DMZ-int
 group-object Billing-HTTPS-int
object-group network ProdMutli-int-Hosts
 group-object Andromeda-int
 group-object Antares-int
 group-object App1-int
 group-object BAL-int
 group-object Capella-int
 group-object Hosting1-int
 group-object Hostingtmp-int
 group-object Nunki_int
 group-object Sandbox-int
 group-object Sirius-B-int
 group-object Sirius-int
 group-object BMS-VIP-int
 group-object BMS-SMTP-int
object-group network MgmtMulti-int-Hosts
 network-object host 10.125.15.15
access-list Inbound-Outside remark [Gen Return ACL]
access-list Inbound-Outside remark [ProdMulti Traffic allowed Inbound to Outside interface]
access-list Inbound-Outside extended permit udp any object-group ProdMutli-int-Hosts object-group GenHost-Svcs-udp
access-list Inbound-Outside extended permit tcp any object-group ProdMutli-int-Hosts object-group GenHost-Svcs-tcp
access-list Inbound-Outside remark [LB Traffic allowed Inbound to Outside interface]
access-list Inbound-Outside extended permit udp any object-group LoadBal-int-Hosts object-group GenHost-Svcs-udp
access-list Inbound-Outside extended permit tcp any object-group LoadBal-int-Hosts object-group GenHost-Svcs-tcp
access-list Inbound-Outside remark [MgmtMulti Traffic allowed Inbound to Outside interface]
access-list Inbound-Outside extended permit udp any object-group MgmtMulti-int-Hosts object-group GenHost-Svcs-udp
access-list Inbound-Outside extended permit tcp any object-group MgmtMulti-int-Hosts object-group GenHost-Svcs-tcp
access-list Inbound-Outside remark [IP Proto Traffic allowed Inbound to Outside interface]
access-list Inbound-Outside extended permit object-group Common-Prot any object-group Outside
access-list Inbound-Outside remark [ICMP Proto Traffic allowed Inbound to Outside interface - ON]
access-list Inbound-Outside extended permit icmp any any object-group ICMP-Types
access-list Inbound-Outside remark [-Sandbox-Svcs- requiring NAT on Outside]
access-list Inbound-Outside extended permit tcp any object-group Sandbox-ext eq ssh
access-list Inbound-Outside extended permit tcp any object-group Sandbox-ext eq www
access-list Inbound-Outside extended permit icmp any object-group Sandbox-ext object-group ICMP-Types
access-list Inbound-Outside extended permit tcp object-group Outside-Net object-group Sandbox-int eq ssh
access-list Inbound-Outside extended permit tcp object-group Outside-Net object-group Sandbox-int eq www
access-list Inbound-Outside extended permit icmp object-group Outside-Net object-group Sandbox-int object-group ICMP-Types
access-list Inbound-Outside remark [-BMS-LB-SMTP- requiring NAT on Outside]
access-list Inbound-Outside extended permit tcp any object-group BMS-SMTP-EXT eq smtp
access-list Inbound-Outside extended permit icmp any object-group BMS-SMTP-EXT object-group ICMP-Types
access-list Inbound-Outside extended permit tcp object-group Outside-Net object-group BMS-SMTP-int eq smtp
access-list Inbound-Outside extended permit icmp object-group Outside-Net object-group BMS-SMTP-int object-group ICMP-Types
access-list Inbound-Outside remark [-Backup-Svcs- requiring NAT on Outside]
access-list Inbound-Outside extended permit tcp any object-group Backup-ext eq ssh
access-list Inbound-Outside extended permit tcp any object-group Backup-ext eq www
access-list Inbound-Outside extended permit icmp any object-group Backup-ext object-group ICMP-Types
access-list Inbound-Outside extended permit tcp object-group Outside-Net object-group Backup-int eq ssh
access-list Inbound-Outside extended permit tcp object-group Outside-Net object-group Backup-int eq www
access-list Inbound-Outside extended permit icmp object-group Outside-Net object-group Backup-int object-group ICMP-Types
access-list Inbound-Outside remark [-Hosting-Svcs- requiring NAT on Outside]
access-list Inbound-Outside extended permit tcp any object-group Hosting-ext eq www
access-list Inbound-Outside extended permit icmp any object-group Hosting-ext object-group ICMP-Types
access-list Inbound-Outside extended permit tcp object-group Outside-Net object-group Hosting1-int eq www
access-list Inbound-Outside extended permit icmp object-group Outside-Net object-group Hosting1-int object-group ICMP-Types
access-list Inbound-Outside remark [-Sirius-App-Bypass- requiring NAT on Outside]
access-list Inbound-Outside extended permit tcp any object-group App_Bypass eq www
access-list Inbound-Outside extended permit icmp any object-group App_Bypass object-group ICMP-Types
access-list Inbound-Outside extended permit tcp object-group Outside-Net object-group Sirius-int eq www
access-list Inbound-Outside extended permit icmp object-group Outside-Net object-group Sirius-int object-group ICMP-Types
access-list Inbound-Outside remark [-AppCluster-Svcs- requiring NAT on Outside]
access-list Inbound-Outside extended permit tcp any object-group AppCluster1-ext eq www
access-list Inbound-Outside extended permit tcp any object-group AppCluster1-ext eq https
access-list Inbound-Outside extended permit icmp any object-group AppCluster1-ext object-group ICMP-Types
access-list Inbound-Outside extended permit tcp object-group Outside-Net object-group AppCluster1-DMZ-int eq www
access-list Inbound-Outside extended permit tcp object-group Outside-Net object-group AppCluster1-DMZ-int eq https
access-list Inbound-Outside extended permit icmp object-group Outside-Net object-group Billing-HTTPS-int object-group ICMP-Types
access-list Inbound-Outside remark [-BMS-HTTP-LB- requiring NAT on Outside]
access-list Inbound-Outside extended permit tcp any object-group BMS_EXT eq www
access-list Inbound-Outside extended permit icmp any object-group BMS_EXT object-group ICMP-Types
access-list Inbound-Outside extended permit tcp object-group Outside-Net object-group BMS-VIP-int eq www
access-list Inbound-Outside extended permit icmp object-group Outside-Net object-group BMS-VIP-int object-group ICMP-Types
access-list Inbound-Outside remark [-Staging-Svcs- requiring NAT on Outside]
access-list Inbound-Outside extended permit tcp any object-group STAGING-ext eq www
access-list Inbound-Outside extended permit tcp any object-group STAGING-ext eq https
access-list Inbound-Outside extended permit tcp any object-group STAGING-ext eq ssh
access-list Inbound-Outside extended permit icmp any object-group STAGING-ext object-group ICMP-Types
access-list Inbound-Outside extended permit tcp object-group Outside-Net object-group App1-int eq www
access-list Inbound-Outside extended permit tcp object-group Outside-Net object-group App1-int eq https
access-list Inbound-Outside extended permit tcp object-group Outside-Net object-group App1-int eq ssh
access-list Inbound-Outside extended permit icmp object-group Outside-Net object-group App1-int object-group ICMP-Types
access-list P_Nat_StagingApp1 extended permit ip object-group App1-int any
access-list P_Nat_Sandbox extended permit ip object-group Sandbox-int any
access-list P_Nat_BMSVIP extended permit ip object-group BMS-VIP-int any
access-list P_Nat_BMSSMTP extended permit ip object-group BMS-SMTP-int any
access-list P_Nat_Backup extended permit ip object-group Backup-int any
access-list P_Nat_Hosting extended permit ip object-group Hosting1-int any
access-list P_Nat_SiriusBypass extended permit ip object-group Sirius-int any
access-list P_Nat_AppCluster1 extended permit ip object-group AppCluster1-DMZ-int any
access-list BMS-SMTP extended permit tcp host 192.168.2.15 any eq smtp
access-list BMS-SMTP extended permit tcp host 192.168.2.15 eq smtp any
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu ProdMulti 1500
mtu MgmtProdMutli 1500
mtu InfraBack 1500
mtu LoadBal 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
global (Outside) 2 x.x.x.111 netmask 255.255.255.255
nat (ProdMulti) 1 192.168.16.0 255.255.255.0
nat (MgmtProdMutli) 1 10.125.15.0 255.255.255.0
nat (LoadBal) 2 access-list BMS-SMTP
nat (LoadBal) 1 192.168.2.0 255.255.255.240
static (ProdMulti,Outside) x.x.x.83 access-list P_Nat_StagingApp1
static (ProdMulti,Outside) x.x.x.86 access-list P_Nat_Sandbox
static (ProdMulti,Outside) x.x.x.76 access-list P_Nat_Backup
static (ProdMulti,Outside) x.x.x.90 access-list P_Nat_Hosting
static (ProdMulti,Outside) x.x.x.108 access-list P_Nat_SiriusBypass
static (LoadBal,Outside) x.x.x.89 access-list P_Nat_AppCluster1
static (LoadBal,Outside) x.x.x.111 access-list P_Nat_BMSSMTP
static (LoadBal,Outside) x.x.x.75 access-list P_Nat_BMSVIP
access-group Inbound-Outside in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http x.x.x.0 255.255.255.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh scopy enable
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 2
console timeout 0
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:17ee7d1c28226f76ccdb0a45c2a63e66
: end

Understand:

access-list Inbound-Outside remark [Gen Return ACL]
access-list Inbound-Outside remark [ProdMulti Traffic allowed Inbound to Outside interface]
access-list Inbound-Outside extended permit udp any object-group ProdMutli-int-Hosts object-group GenHost-Svcs-udp
access-list Inbound-Outside extended permit tcp any object-group ProdMutli-int-Hosts object-group GenHost-Svcs-tcp
access-list Inbound-Outside remark [LB Traffic allowed Inbound to Outside interface]
access-list Inbound-Outside extended permit udp any object-group LoadBal-int-Hosts object-group GenHost-Svcs-udp
access-list Inbound-Outside extended permit tcp any object-group LoadBal-int-Hosts object-group GenHost-Svcs-tcp
access-list Inbound-Outside remark [MgmtMulti Traffic allowed Inbound to Outside interface]
access-list Inbound-Outside extended permit udp any object-group MgmtMulti-int-Hosts object-group GenHost-Svcs-udp
access-list Inbound-Outside extended permit tcp any object-group MgmtMulti-int-Hosts object-group GenHost-Svcs-tcp

Are on wrong access-group and planning to clean up (for these needs), not sure if causing issues now.

Open to ANY help on this one. THANKS!
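
An added example, not part of the original post: a small Python model of the rule lookup order that ASA software before 8.3 applies to outbound translation, run over a subset of the LoadBal NAT lines from the config above. It matches on source address only, and 192.168.2.12 is a hypothetical second host used to show the fall-through to interface PAT.

```python
import ipaddress

# Subset of the LoadBal NAT lines from the running config above ("x.x.x.N" is
# the post's own redaction, kept here as an opaque label).
CONFIG = """\
object-group network BMS-SMTP-int
 network-object host 192.168.2.15
access-list P_Nat_BMSSMTP extended permit ip object-group BMS-SMTP-int any
access-list BMS-SMTP extended permit tcp host 192.168.2.15 any eq smtp
access-list BMS-SMTP extended permit tcp host 192.168.2.15 eq smtp any
global (Outside) 1 interface
global (Outside) 2 x.x.x.111 netmask 255.255.255.255
nat (LoadBal) 2 access-list BMS-SMTP
nat (LoadBal) 1 192.168.2.0 255.255.255.240
static (LoadBal,Outside) x.x.x.111 access-list P_Nat_BMSSMTP
"""

# Pre-8.3 lookup order: static rules, then policy dynamic NAT, then regular
# dynamic NAT. NAT exemption (nat 0) comes first but is absent from this config.
ORDER = {"static": 0, "policy-dynamic": 1, "dynamic": 2}

def parse(text):
    groups, acls, rules, pools, cur = {}, {}, [], {}, None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "object-group":
            cur = groups.setdefault(w[2], [])
        elif w[0] == "network-object":        # only the "host <ip>" form is handled
            cur.append(ipaddress.ip_network(w[2]))
        elif w[0] == "access-list":           # source match only; ports are ignored
            src = groups[w[6]] if w[5] == "object-group" else [ipaddress.ip_network(w[6])]
            acls.setdefault(w[1], []).extend(src)
        elif w[0] == "global":
            pools[w[2]] = w[3]
        elif w[0] == "static":
            rules.append(("static", w[1], w[2], acls[w[4]]))
        elif w[0] == "nat" and w[3] == "access-list":
            rules.append(("policy-dynamic", w[1], w[2], acls[w[4]]))
        elif w[0] == "nat":
            rules.append(("dynamic", w[1], w[2], [ipaddress.ip_network(f"{w[3]}/{w[4]}")]))
    return rules, pools

def translate(iface, src, text=CONFIG):
    """Return (rule kind, mapped address) for a real source, or (None, None)."""
    rules, pools = parse(text)
    ip = ipaddress.ip_address(src)
    # sorted() is stable: same-kind rules keep config order (one regular rule here)
    for kind, ifc, target, match in sorted(rules, key=lambda r: ORDER[r[0]]):
        if ifc.strip("()").split(",")[0] == iface and any(ip in n for n in match):
            return kind, target if kind == "static" else pools[target]
    return None, None

if __name__ == "__main__":
    for src in ("192.168.2.15", "192.168.2.12"):   # .12 is a hypothetical host
        print(src, translate("LoadBal", src))
```

In this model only 192.168.2.15 leaves as x.x.x.111; any other LoadBal source inside 192.168.2.0/28 is translated to the Outside interface address, so the model's answer can be compared with `show xlate` on the ASA to see which real address the mail flow uses.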