Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
865
Views
0
Helpful
1
Replies

NAT problem with 5505

jonbechtel
Level 1
Level 1

‎08-17-2010 10:24 AM - edited ‎03-11-2019 11:27 AM

I have a 5505 running 8.3 and am using ADSM 6.3 to configure it.   I have a dynamic PAT setup for the network I'm on and am trying to setup static bidirectional NAT for SMTP to a particular host.  (I do have two external connections in this configuration.)  Here are my current NAT commands:

!

object network Host-Dino

nat (inside,cox) static Ext-mail service tcp smtp smtp

!

nat (any,any) after-auto source static any any destination static Ext-Web Host-Henry service http http description Address xlate for web server

nat (any,any) after-auto source static any any destination static Ext-WebAcccess Host-Bambam service https https description Address Xlate from external WebAccess address to Bambam

nat (inside,cox) after-auto source dynamic any interface description Outbound for normal networks

nat (inside,disc) after-auto source dynamic any interface description Outbound to DISC hosts

nat (DMZ,cox) after-auto source dynamic any interface description Outbound from DMZ to Cox

nat (DMZ,disc) after-auto source dynamic any interface description Outbound from DMZ to DISC

Dino sits on the inside interface of the ASA.   However, when I send out mail, it goes out the interface IP and not the Ext-mail IP.   Confusingly, if I take out the nat (inside,cox) command, it will pick up on the object NAT and work correctly.   Also, the inbound SMTP connection works if the external host connects to the Ext-mail IP address.   I thought from the docs that object NAT should take priority.  What do I need to do to make this function correctly with the SMTP traffic going out a different IP address.  

I tried to debug this with the packet trace function.   When I use Dino's IP address, source port of 25 and destination port of 25, it translates the packet correctly. 

--

Jon

Labels:
0 Helpful
1 Reply 1

Kureli Sankar
Cisco Employee
Cisco Employee

‎08-21-2010 03:03 PM

When dino sends e-mail it will not source from port 25. It will be high port. That is why it looks like the interface when going out. I have discussed it here: http://www.youtube.com/watch?v=kRY8DuaRp5U

You need the following:

!

object network Host-Dino_outbound

host x.x.x.x

nat (inside,out) dynamic Ext-mail

-KS

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card