I assume the above would cause an IP conflict, as 10.100.1.2 would be both a host on the internal network and a NAT IP address present on the firewall.
This brings me to my question: how can you NAT your outbound email out on one address, i.e. the mail server's internal address is 10.101.1.1 and should be NAT'ed out to 188.8.131.52, but have any inbound email to 184.108.40.206 forwarded to a different email server on 10.101.1.2?
I am not sure how to do this using static NAT commands on Cisco, as it seems the static(inside,outside) command creates a one-to-one mapping only?
static (outside,inside) is not simply a reverse of the static (inside,outside). One of the most popular usages is to hide an internal private IP with a public IP from the Internet, which is like your first command "static(inside,outside) 220.127.116.11 10.100.1.2 mask 255.255.255.255"
Your second command is used in a rare scenario like this:
You want to hide a destination IP 18.104.22.168 from inside users by giving them the IP 10.100.1.2. When traffic leaves the outside interface, the destination IP will be translated from 10.100.1.2 to 22.214.171.124.
To answer your second question, it can be achieved by policy NAT/PAT. There could be multiple combinations; I give you 2 examples. The code has not been verified, please test it if you plan to put it in production.
1. static PAT + policy PAT
access-list smtp_outbound permit tcp host 10.101.1.1 any eq smtp
Hi, I believe it was wrong for the second "static", because it doesn't make sense when it comes together with the first "static".
Following is a summary of my understanding of the NAT behavior of "static":
static (real_ifc,mapped_ifc) mapped_ip real_ip
Static NAT is a "bi-directional" NAT, which means traffic can be initiated from both sides of firewall with different security levels when NAT occurs.
1. Traffic ingress interface is "real_ifc", egress interface is "mapped_ifc"
Traffic entering "real_ifc" and leaving "mapped_ifc": source IP with "real_ip" will be translated to "mapped_ip" (nat-src); the returned traffic entering "mapped_ifc" and leaving "real_ifc": destination IP with "mapped_ip" will be translated to "real_ip" (nat-dst).
2. Traffic ingress interface is "mapped_ifc", egress interface is "real_ifc"
Traffic entering "mapped_ifc" and leaving "real_ifc": destination IP with "mapped_ip" will be translated to "real_ip" (nat-dst); the returned traffic entering "real_ifc" and leaving "mapped_ifc": source IP with "real_ip" will be translated to "mapped_ip" (nat-src).
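
A small Python model of the two cases summarised above, added here as an illustration; it is not part of any post in the thread and is not ASA code. The class and function names are hypothetical, and 192.0.2.10 and 198.51.100.7 are constructed documentation addresses standing in for the mapped public IP and a remote mail host.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet enters the firewall on
    egress: str    # interface the packet leaves on
    src: str
    dst: str

@dataclass(frozen=True)
class StaticRule:
    """Models: static (real_ifc,mapped_ifc) mapped_ip real_ip"""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str

    def translate(self, pkt):
        """Return (packet, action); action is 'nat-src', 'nat-dst' or None."""
        path = (pkt.ingress, pkt.egress)
        # real_ifc -> mapped_ifc: source real_ip is rewritten to mapped_ip
        if path == (self.real_ifc, self.mapped_ifc) and pkt.src == self.real_ip:
            return replace(pkt, src=self.mapped_ip), "nat-src"
        # mapped_ifc -> real_ifc: destination mapped_ip is rewritten to real_ip
        if path == (self.mapped_ifc, self.real_ifc) and pkt.dst == self.mapped_ip:
            return replace(pkt, dst=self.real_ip), "nat-dst"
        return pkt, None

def reply_to(pkt):
    """Build the return packet: interfaces and addresses swapped."""
    return Packet(pkt.egress, pkt.ingress, pkt.dst, pkt.src)

def round_trip(rule, first):
    """Translate an initial packet and its reply; return both actions and packets."""
    out, a1 = rule.translate(first)
    back, a2 = rule.translate(reply_to(out))
    return [(a1, out), (a2, back)]

# Constructed sample values: 192.0.2.10 (mapped) and 198.51.100.7 (remote) are documentation addresses.
RULE = StaticRule("inside", "outside", "192.0.2.10", "10.101.1.1")
OUTBOUND = Packet("inside", "outside", "10.101.1.1", "198.51.100.7")
INBOUND = Packet("outside", "inside", "198.51.100.7", "192.0.2.10")

if __name__ == "__main__":
    for name, first in (("case 1", OUTBOUND), ("case 2", INBOUND)):
        for action, pkt in round_trip(RULE, first):
            print(name, action, pkt.src, "->", pkt.dst)
```

In this model the inbound case always lands on the same real_ip that the outbound case translates from, which is the one-to-one mapping the question describes.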