Community Member

Cisco ASA 5510 version 9.1 Nat to the Outside for Email Server

I have researched in the forums here and I cannot find the answer.  Probably my lack of being able to use the search function correctly.


I need to nat my email server to the outside so it will receive email and allow web interface.

Inside network:

Outside network:

Inside IP   

Outside IP:

Ports:  25,80,443 and 587


I cannot find a clear-cut, easy-to-read, simple example on CCO or using Google.

If you have the answer, thank you in advance for your help.




Hello John,

Assuming that is the IP of your email server and is the IP of your ASA outside interface and your server is listening on actual ports for the traffic, you can use Static Port Translation using Auto NAT.

1. Create an object network for Real and translated address

object network SERVER_PAT_OUTSIDE


object network SERVER_PRIVATE_ADD


nat (inside,outside) static SERVER_PAT_OUTSIDE service tcp 25 25
nat (inside,outside) static SERVER_PAT_OUTSIDE service tcp 80 80
nat (inside,outside) static SERVER_PAT_OUTSIDE service tcp 443 443
nat (inside,outside) static SERVER_PAT_OUTSIDE service tcp 587 587


Ports are listed in the order real (actually configured on server) and then mapped (translated)




Super Bronze

Hi,

Since you have a /29 subnet I presume that you can allocate one public IP address for this server. In that case the configuration is pretty simple. You can configure an Auto NAT / Network Object NAT


object network MAIL-SERVER
 nat (inside,outside) static


I am not sure if you have an ACL attached to your ASA's external interface yet, but the below ACL should handle that


access-list OUTSIDE-IN remark Traffic allowed to the Mail Server
access-list OUTSIDE-IN permit tcp any object MAIL-SERVER eq 25
access-list OUTSIDE-IN permit tcp any object MAIL-SERVER eq 80
access-list OUTSIDE-IN permit tcp any object MAIL-SERVER eq 443
access-list OUTSIDE-IN permit tcp any object MAIL-SERVER eq 587


access-group OUTSIDE-IN in interface outside


Notice with the ACL example that if you already have an ACL in use on your external interface then use that ACL's name and create the same rules. If on the other hand you have no interface ACL on that interface then you can use the above ACL. The naming of the ACL is up to you and you might have differently named interfaces.


If you can only afford to do Static PAT (Port Forward) then the other post's suggested idea is OK, but notice that in that situation each Port Forward / Static PAT will need its own "object". You won't be able to configure all the "nat" statements under a single "object". You don't have to configure an "object" for the public IP address as you can use the public IP address directly in the "nat" statement that is configured under the "object".


If you want to read up on some info about the new NAT configuration format and see some examples you can take a look at a document I wrote in 2013. You can find it here:


Hope this helps :)


- Jouni
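
The Static PAT variant described in this reply, written out as an added example that is not part of either poster's configuration. The addresses 10.0.0.10 (server real IP), 198.51.100.108 (public IP) and 203.0.113.50 (test source), and the object names MAIL-TCP* and MAIL-SERVER-REAL, are constructed placeholders; the interface names inside/outside and the ACL name follow the thread.

```cisco
! Constructed placeholder addresses, replace with your own:
!   10.0.0.10      = real (inside) IP of the mail server
!   198.51.100.108 = public IP the server is published on
!
! Static PAT: one object per forwarded port, because an object
! accepts only a single "nat" statement. The public IP is used
! directly in the "nat" line, so it needs no object of its own.
object network MAIL-TCP25
 host 10.0.0.10
 nat (inside,outside) static 198.51.100.108 service tcp 25 25
object network MAIL-TCP80
 host 10.0.0.10
 nat (inside,outside) static 198.51.100.108 service tcp 80 80
object network MAIL-TCP443
 host 10.0.0.10
 nat (inside,outside) static 198.51.100.108 service tcp 443 443
object network MAIL-TCP587
 host 10.0.0.10
 nat (inside,outside) static 198.51.100.108 service tcp 587 587
!
! On ASA 8.3 and later the interface ACL matches the real address,
! so a NAT-free object holding the real IP carries the permits.
! Only the four published ports are opened.
object network MAIL-SERVER-REAL
 host 10.0.0.10
access-list OUTSIDE-IN remark Traffic allowed to the Mail Server
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER-REAL eq 25
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER-REAL eq 80
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER-REAL eq 443
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER-REAL eq 587
access-group OUTSIDE-IN in interface outside
!
! Verification from privileged EXEC: list the translations, then
! simulate an inbound SMTP connection from a constructed outside
! host to the public IP. A published port should end in "allow";
! an unpublished port (for example 3389) should be dropped.
show nat detail
packet-tracer input outside tcp 203.0.113.50 12345 198.51.100.108 25
packet-tracer input outside tcp 203.0.113.50 12345 198.51.100.108 3389
```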

Community Member

Jouni,

Thank you for your help.  A couple things.

1.)  Thank you for the link.  This is an excellent document and I will use it.

2.)  I do have an outside interface and the email server is the only thing that I will be natting for now to the outside.  The outside interface is at .110 and the email server is at .108.

With my answers, does this change anything you wrote above?  Sorry I am new to this so I don't know enough to ask the right question let alone know the right answer.


Again, many thanks for your help.

Super Bronze

Hi,

The Static NAT configuration I mentioned above should do the trick for the server. It will bind the local/real IP address to the mentioned public IP address for all traffic between the internal and external network.


The ACL configuration is also fine if you don't have any ACLs configured yet for your external interface. Naturally you would use the interface names you have configured on your ASA in the NAT configurations you insert and you can choose the "object" and "access-list" names as you wish.


Naturally if the connections still don't work after doing the configurations we can always have a look at the ASA configurations to find the cause of the problem.


- Jouni
