Cisco Support Community
Community Member

ASA V8.6 - Dynamic PAT users working but not static IPs

I'm trying to configure an ASA to replace my last PIX. Since the last ASA I did, the language has changed. What we have are about two hundred normal users that need to surf and share one public IP from the ISP to get it done. I have a few boxes inside the network that must have static public IPs. Some just need the IP, whereas one is the SMTP server and two are web servers.

I am trying to get this in place by testing in this order: 1. normal surfing, 2. SMTP, 3. web servers. To test, at lunch I have been altering the last resort address on our internal router to point to the new firewall rather than the old. The config below works for the normal users to surf, and their outside address shows as it should to external websites. The SMTP server, however, doesn't flow mail or hit the outside web to go to Google. I think if I figure this out, I can just mimic the proper settings to get my web servers working. Any ideas? Thanks for your help.

(All addresses have been changed to protect the innocent.)

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address
ftp mode passive
object network obj_172.16.25.70
object network OUT_PAT
object-group network FRU_PAT
object-group network obj_Post
access-list out_to_in extended permit tcp object-group obj_Post host eq smtp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network obj_172.16.25.70
 nat (inside,outside) static
nat (inside,outside) after-auto source dynamic FRU_PAT OUT_PAT
access-group out_to_in in interface outside
route outside 1
route inside 1

route inside 1

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global


So you are not able to browse the internet from the SMTP server either?

Your configuration looks fine at first glance. Could you run a packet tracer and post the output here?

packet-tracer input inside tcp 12345 80

You might also want to issue a clear xlate to purge all the existing NAT translations.  I have seen old translations mess with new configurations.  Just remember to do this outside of normal working hours or in a service window as users will lose their connection to the internet and will need to reconnect.


Please remember to select a correct answer and rate helpful posts
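
As an added illustration (not code from the thread), the script below models how an ASA 8.3+ orders the two NAT rules in the posted config: the object NAT for obj_172.16.25.70 sits in section 2 and is evaluated before the after-auto dynamic PAT in section 3, which is why a packet from the SMTP host should hit the static translation rather than the shared PAT. The config embedded in it is a constructed stand-in for the sanitized one above; every address (203.0.113.x, 172.16.0.0/16) is a placeholder, not a value from the post.

```python
from ipaddress import ip_address, ip_network

# Constructed sample mirroring the sanitized config in the thread; every address
# is a placeholder (RFC 5737 / private space), none comes from the post.
ASA_CONFIG = """\
object network obj_172.16.25.70
 host 172.16.25.70
 nat (inside,outside) static 203.0.113.25
object network OUT_PAT
 host 203.0.113.10
object-group network FRU_PAT
 network-object 172.16.0.0 255.255.0.0
nat (inside,outside) after-auto source dynamic FRU_PAT OUT_PAT
"""

def parse(config):
    """Parse the ASA 8.3+ NAT subset above into (objects, groups, manual NAT rules)."""
    objects, groups, manual, cur = {}, {}, [], None
    for line in filter(str.strip, config.splitlines()):
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            cur = objects.setdefault(tok[2], {"nets": [], "nat": None})
        elif tok[:2] == ["object-group", "network"]:
            cur = groups.setdefault(tok[2], [])
        elif tok[0] == "nat" and not line.startswith(" "):   # manual (twice) NAT
            manual.append((3 if "after-auto" in tok else 1, tok[tok.index("source") + 1], tok[-2], tok[-1]))
        elif tok[0] == "nat":                                # object NAT, always section 2
            cur["nat"] = (tok[2], tok[3])
        elif tok[0] == "host":                               # host inside an object network
            cur["nets"].append(ip_network(tok[1]))
        elif tok[0] == "network-object":                     # member of an object-group
            cur.append(ip_network(tok[2] if tok[1] == "host" else f"{tok[1]}/{tok[2]}"))
    return objects, groups, manual

def nat_table(config):
    """Rules in ASA evaluation order: section 1 (manual), section 2 (object NAT: static
    before dynamic, longer prefix first), section 3 (after-auto). First match wins."""
    objects, groups, manual = parse(config)
    nets = lambda name: objects[name]["nets"] if name in objects else groups[name]
    addr = lambda name: str(nets(name)[0].network_address) if name in objects else name
    obj = [(2, o["nat"][0], o["nets"], o["nat"][1]) for o in objects.values() if o["nat"]]
    obj.sort(key=lambda r: (r[1] != "static", -r[2][0].prefixlen))
    man = [(s, kind, nets(real), addr(mapped)) for s, kind, real, mapped in manual]
    return [r for r in man if r[0] == 1] + obj + [r for r in man if r[0] == 3]

def match(config, src_ip):
    """(section, type, mapped address) of the first rule whose real side covers src_ip."""
    for section, kind, nets, mapped in nat_table(config):
        if any(ip_address(src_ip) in n for n in nets):
            return section, kind, mapped
```

Run match() with the SMTP host and with an ordinary user address to see the static rule win for the former and the after-auto PAT apply to the latter; if the real box does not behave this way, the packet-tracer output requested above is the place to look.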
