ASA 8.4 static NAT statements.

forman102
Level 1

Hello,

I have 2 servers with static PAT configuration in pre 8.3 ASA:

Server1 - 10.6.1.10 - PAT to 66.66.66.66 for SMTP

Server2 - 10.6.1.20 - PAT to 66.66.66.66 for IMAP4 and http/https

Pub address - 66.66.66.66

old config:

1. static (inside,outside) tcp 66.66.66.66 smtp 10.6.1.10 smtp netmask 255.255.255.255

2. static (inside,outside) tcp 66.66.66.66 www 10.6.1.20 www netmask 255.255.255.255

3. static (inside,outside) tcp 66.66.66.66 https 10.6.1.20 https netmask 255.255.255.255

4. static (inside,outside) tcp 66.66.66.66 imap4 10.6.1.20 imap4 netmask 255.255.255.255

What is the proper way of migrating above config?

object network Server1                          ! this takes care of PAT statement #1
 host 10.6.1.10
 nat (inside,outside) static PAT service tcp smtp smtp

object network Server2
 host 10.6.1.20

object network PAT
 host 66.66.66.66

How should I migrate statements 2,3 and 4?

Thank you.

forman

Accepted Solution

Hi,

Glad to hear it worked out.

Please rate if you found the information helpful.

- Jouni


17 Replies

forman102
Level 1

I will try to answer myself

I need to create Service objects first:

object service HTTP
 service tcp destination eq 80

object service HTTPS
 service tcp destination eq 443

object service IMAP4
 service tcp destination eq 143

then create statements:

nat (inside,outside) source static Server2 PAT service HTTP HTTP
nat (inside,outside) source static Server2 PAT service HTTPS HTTPS
nat (inside,outside) source static Server2 PAT service IMAP4 IMAP4

Correct?

object service HTTP
service tcp destination eq 80

object service HTTPS
service tcp destination eq 443

object service SMTP
service tcp destination eq 25

object service IMAP4
service tcp destination eq 143

object network Server1                                   
host 10.6.1.10

object network Server2
host 10.6.1.20

object network PAT
host 66.66.66.66

nat (inside,outside) source static Server1 PAT service SMTP SMTP
nat (inside,outside) source static Server2 PAT service HTTP HTTP
nat (inside,outside) source static Server2 PAT service HTTPS HTTPS
nat (inside,outside) source static Server2 PAT service IMAP4 IMAP4


open all the private IP's in the ACL's accordingly on outside interface.

Oh

you answered yourself correctly while I was busy creating config for you

Thank you for the verification.

Hi,

Wouldn't the above also be achieved by the following similar configuration? Think this is the way I have personally done them (haven't had to do it that many times, to be honest).

object network PAT
 host 66.66.66.66

object network Server1-SMTP
 host 10.6.1.10
 nat (inside,outside) static PAT service tcp smtp smtp

object network Server2-WWW
 host 10.6.1.20
 nat (inside,outside) static PAT service tcp www www

object network Server2-HTTPS
 host 10.6.1.20
 nat (inside,outside) static PAT service tcp https https

object network Server2-IMAP4
 host 10.6.1.20
 nat (inside,outside) static PAT service tcp imap4 imap4

- Jouni

JouniForss, I tried it on mine and got the same results.....

object network portforwarding1smpt

  host 10.1.6.1

object network portforwarding1smpt

nat (main-lan,outside) static PublicIP service tcp smtp smtp

Note I avoided the use of the word PAT to delineate (title)  the external public IP object people would be using.  I find it confusing to read about dynamic and static and Pat rules without having the word PAT in there. :-)

object network PublicIP

  host 66.66.66.66

What I am curious about is in all my rules I use the outside interface (as I only have one public WANI).  It appears for these rules one simply identifies the public IP as a host for these nat rules and can use that..............

Help please: for some reason, the traffic is being denied on the ASA, even though I opened the ACL on the outside interface. Not sure why... so I can't access HTTP, HTTPS, IMAP4 on the NATted servers.

Okay I downloaded my access rules list for an example.

I created one, the last one, *** to mimic your concept of anybody as all mine narrow down external users.........

You need a particular service object identified, and the PC hosting the service identified (solely as an object, with no NAT rule tied to this definition):

object service imap24

service tcp destination eq 2424 

object network VS-pcIP

host 192.168.24.34

access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP

access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP

access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP

***access-list outside_access_in extended permit object imap24 any object VS-pcIP

At the end of my object NAT rules are the following two items (ACL to outside general rule and routing rule)

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.225 1

If you have any other ACL rules, not sure what they are doing for you. Hopefully you don't have any deny rules; they are not needed.

Hey Alex,

Unfortunately, I'm not going to be able to test this until next config migration. Thank you for explaining the ACL part! Mine was wrong...

I ended up using this config:

object network PAT
 host 66.66.66.66

object network Server1-SMTP
 host 10.6.1.10
 nat (inside,outside) static PAT service tcp smtp smtp

access-list outside line 5 extended permit tcp any object Server1-SMTP eq smtp

Can you guys explain ASA NAT mechanism...regarding that static NAT above:

My system admin states that traffic going out of the server 10.6.1.10 on port 25 is NOT being translated to 66.66.66.66:25 on the outside interface, but translates to 66.66.66.70:25, which is my global PAT IP address for Internet traffic. Is that normal? I don't use much of ASDM, but I found and used packet tracer, which shows that my config should translate to 66.66.66.66:25, not 66.66.66.70:25. Is there something wrong with my config?

Hi,

The Port Forward configuration that you did by using one public IP address only applies when you are connecting from outside to the public IP 66.66.66.66 but when the local host is initiating the connection to outside network, other NAT rules will be applied.

Think there just was a similar post here on the forums where they had configured this kind of port forwarding for SMTP and also wanted the outgoing connections to use the same public IP.

I don't remember the post now. Could try this out on my own ASA and let you know soon if I get the mentioned situation working as described above. (Good thing I have a /29 public network at my disposal for these tests.)

- Jouni

Hi,

I did the following test configuration on my ASA

Please notice that the output also contains some other configurations. I added these to illustrate a situation where you have rules that might in certain situation overlap the configuration you are doing. I will explain more after the configurations.

x.x.x.x = additional public IP (so NOT the outside interface IP)

object network LAN-NETWORK
 subnet 10.0.0.0 255.255.255.0

object network SMTP-PORTFORWARD
 host 10.0.0.50

object network SMTP-SERVER-OUTGOING-PAT-SOURCE
 host 10.0.0.50

object network SMTP-PAT
 host x.x.x.x

object network SMTP-PORTFORWARD
 nat (LAN,WAN) static x.x.x.x service tcp smtp smtp

nat (LAN,WAN) after-auto source dynamic SMTP-SERVER-OUTGOING-PAT-SOURCE SMTP-PAT
nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface

As you can see the above configurations contain the following NATs.

  • Port Forward for SMTP traffic from WAN -> LAN for the extra public IP x.x.x.x
  • PAT configuration for the SMTP host. The public PAT address that is used is = x.x.x.x
  • PAT configuration for the whole LAN network (which of course also contains the host 10.0.0.50)

If you for example had the last default PAT configuration "nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface" and added the configuration "nat (LAN,WAN) after-auto source dynamic SMTP-SERVER-OUTGOING-PAT-SOURCE SMTP-PAT" it would be inserted AFTER the default rule already created. This would mean that the SMTP host would still be showing with the WAN interface public IP and not the public IP x.x.x.x used in both port forward configurations and the new PAT configuration.

What you will have to do is add the NAT command with an additional "line number", which isn't visible in the CLI configuration.

The command would be

  • nat (LAN,WAN) after-auto 1 source dynamic SMTP-SERVER-OUTGOING-PAT-SOURCE SMTP-PAT
  • So the "1" will insert the new NAT rule as the first "after-auto" NAT rule.

But you will still have to take into account that the top most NAT rules (when issuing "show run nat" or looking from ASDM) might still override this configuration.

With the above configuration the "packet-tracer" test went through the way you would want them. Meaning SMTP host would be connected to with SMTP with the IP address x.x.x.x and it would also be visible to WAN with the public IP x.x.x.x when its initiating the connection.

Hope this helps. Please rate if helpful.

Please ask if you need clarification.

- Jouni
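The ordering described above (an object static PAT in section 2 that matches only on the real port, and an after-auto rule that lands at the end of section 3 unless a line number is given) can be checked with a small first-match model. This is an added example, not configuration or code from the thread or from Cisco; it models only the pieces the thread uses and does not implement the ASA's internal ordering inside section 2 (static before dynamic, longer prefixes first). The 10.0.0.0/24 addresses and the x.x.x.x placeholder are the thread's own; the WAN interface address 198.51.100.1, the outside host 203.0.113.10 and the ephemeral source ports are constructed for the example.

```python
"""First-match model of ASA 8.3+ NAT sections (1 manual, 2 object, 3 after-auto).

Added example for the thread above; it is not ASA code. Constructed values:
WAN_INTERFACE_IP, the outside host 203.0.113.10 and the ephemeral ports.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WAN_INTERFACE_IP = "198.51.100.1"  # constructed stand-in for the WAN interface address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                     # 1 = manual, 2 = object (auto), 3 = after-auto
    real: str                        # real (inside) prefix, e.g. "10.0.0.50/32"
    mapped: str                      # mapped address, or "interface"
    static: bool = False             # static rules are bidirectional, dynamic ones are not
    real_port: Optional[int] = None  # static PAT: only this real port is translated


class NatTable:
    def __init__(self, interface_ip: str) -> None:
        self.interface_ip = interface_ip
        self.sections: Dict[int, List[NatRule]] = {1: [], 2: [], 3: []}

    def add(self, rule: NatRule, line: Optional[int] = None) -> None:
        """Append to the rule's section, or insert at 'line' (the "after-auto 1" form)."""
        rules = self.sections[rule.section]
        if line is None:
            rules.append(rule)
        else:
            rules.insert(line - 1, rule)

    def _mapped_ip(self, rule: NatRule) -> str:
        return self.interface_ip if rule.mapped == "interface" else rule.mapped

    def translate(self, pkt: Packet) -> Tuple[str, str]:
        """Outbound (real -> mapped): first matching rule, walking sections 1, 2, 3."""
        for section in (1, 2, 3):
            for rule in self.sections[section]:
                in_prefix = ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.real)
                if in_prefix and (rule.real_port is None or rule.real_port == pkt.src_port):
                    return rule.name, self._mapped_ip(rule)
        return "no-nat", pkt.src_ip

    def untranslate(self, pkt: Packet) -> Tuple[str, str]:
        """Inbound (mapped -> real): only static rules can match a new inbound connection."""
        for section in (1, 2, 3):
            for rule in self.sections[section]:
                if not rule.static or self._mapped_ip(rule) != pkt.dst_ip:
                    continue
                if rule.real_port is None or rule.real_port == pkt.dst_port:
                    return rule.name, str(ipaddress.ip_network(rule.real).network_address)
        return "no-nat", pkt.dst_ip


def build_table(smtp_pat_first: bool) -> NatTable:
    """The three NAT rules from the test configuration, entered in the order given."""
    table = NatTable(WAN_INTERFACE_IP)
    # object network SMTP-PORTFORWARD
    #  nat (LAN,WAN) static x.x.x.x service tcp smtp smtp
    table.add(NatRule("SMTP-PORTFORWARD", 2, "10.0.0.50/32", "x.x.x.x", static=True, real_port=25))
    # nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface   (already present)
    table.add(NatRule("LAN-NETWORK->interface", 3, "10.0.0.0/24", "interface"))
    # nat (LAN,WAN) after-auto [1] source dynamic SMTP-SERVER-OUTGOING-PAT-SOURCE SMTP-PAT
    table.add(NatRule("SMTP-SERVER->SMTP-PAT", 3, "10.0.0.50/32", "x.x.x.x"),
              line=1 if smtp_pat_first else None)
    return table


if __name__ == "__main__":
    server_out = Packet("10.0.0.50", 45123, "203.0.113.10", 25)   # the server sending mail out
    client_in = Packet("203.0.113.10", 50321, "x.x.x.x", 25)      # an outside host delivering mail
    for first in (False, True):
        t = build_table(first)
        print(f"after-auto 1 used: {first!s:5}  outbound -> {t.translate(server_out)}  "
              f"inbound -> {t.untranslate(client_in)}")
```

Running it shows the two behaviours from the post: without the line number the server's own outbound SMTP connections (ephemeral source port, so the port-25 static PAT does not apply) fall through to the LAN-wide rule and leave with the interface address; with "after-auto 1" they leave as x.x.x.x, while inbound connections to x.x.x.x:25 reach 10.0.0.50 either way. On a real ASA the same question is answered by "show nat" and "packet-tracer", as the post recommends.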

Jouni,

I'm working on some static PAT config and found your post here, which is very helpful. I do have a question about something you wrote: I noticed that you said the following about the outside interface IP in your PAT configuration running on your 8.4 test ASA:

I did the following test configuration on my ASA

Please notice that the output also contains some other configurations. I added these to illustrate a situation where you have rules that might in certain situation overlap the configuration you are doing. I will explain more after the configurations.

x.x.x.x = additional public IP (so NOT the outside interface IP)

object network LAN-NETWORK
 subnet 10.0.0.0 255.255.255.0

object network SMTP-PORTFORWARD
 host 10.0.0.50

object network SMTP-SERVER-OUTGOING-PAT-SOURCE
 host 10.0.0.50

object network SMTP-PAT
 host x.x.x.x

object network SMTP-PORTFORWARD
 nat (LAN,WAN) static x.x.x.x service tcp smtp smtp

nat (LAN,WAN) after-auto source dynamic SMTP-SERVER-OUTGOING-PAT-SOURCE SMTP-PAT
nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface

My question for you is that when you say that x.x.x.x is NOT the outside interface IP, is this because using the outside interface IP to do static PATs is unsupported? I am trying to do static PAT with the outside interface IP on ASA 9.0 and am having some difficulty with it. After reading your post I am wondering if this may be one of my problems.

Justin

Hi Justin,

There is nothing preventing you from using the ASA "interface" IP address for Static PAT. It's quite common, actually.

If it isn't working for you for some reason, I would suspect there might be some NAT rule that is causing the Static PAT rule to be overridden.

The easiest way to determine this would be to see the NAT configuration and/or take some "packet-tracer" command output on the ASA to determine which NAT rule is matched against certain connections.

- Jouni

Jouni,

Thanks for your help. I've got it working now with your examples for object NAT and I'm successfully using the outside interface IP. As a side note, it turns out the issue I was having was unrelated to the NAT setup. Rebuilding the ACLs ended up fixing the problem. I still saved a lot of configuration time with your original correct answer to this thread, so thank you.

Justin
