04-17-2009 06:45 PM - edited 03-09-2019 10:14 PM
Hello,
I was just wondering if this setup would work:
global (External) 1 1.1.1.1
nat (Internal) 1 192.168.0.0 255.255.0.0
static (Internal,External) tcp 1.1.1.2 smtp 192.168.1.28 smtp netmask 255.255.255.255
In that setup we are doing static NAT/port forwarding for 1.1.1.2 to 192.168.1.28 in the inbound direction but on the outbound direction 192.168.1.28 gets NAT'd to 1.1.1.1. Is that possible?
04-17-2009 11:32 PM
No - the static NAT command works in both directions, so host 192.168.1.28 will be NAT'd on the outbound to 1.1.1.2
HTH
04-18-2009 06:39 PM
Hi,
Yes, it will work.
The ASA checks NAT in the following priority:
1. NAT Exemption
2. Static NAT/PAT (Regular and Policy)
3. Policy Dynamic NAT
4. Regular Dynamic NAT
Since you are doing static PAT, it is bidirectional (1.1.1.2:25<->192.168.1.28:25).
And all applications initiated by 192.168.1.2 will match Regular Dynamic NAT rule 1 and use 1.1.1.1 as the translated IP.
Note: if 192.168.1.28 is your email server and sends outbound SMTP, then it is recommended to do static NAT, since your outbound SMTP will be 192.168.1.28:35570->smtp.xyz.com:25 and will match IP 1.1.1.1.
Some antispam engines using reverse DNS lookup fail when matching the IP (DNS record of smtp.yourdomain.com=1.1.1.2) against email received from yourdomain.com with sender IP 1.1.1.1; this mismatch might lead to the mail being treated as spam.
H2H
Roshan
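A simplified model of the lookup order listed in the reply above, applied to the three commands from the question (an added example, not part of the original thread and not Cisco code). It assumes static PAT matches only the exact real IP and port, covers only the static PAT and regular dynamic NAT tiers, and all function names are hypothetical.

```python
import ipaddress

# Rules taken from the question's config; checked in the order given in the
# reply above (static NAT/PAT before regular dynamic NAT).
STATIC_PAT = {"proto": "tcp", "real": ("192.168.1.28", 25), "mapped": ("1.1.1.2", 25)}
DYNAMIC_NET = ipaddress.ip_network("192.168.0.0/16")  # nat (Internal) 1 192.168.0.0 255.255.0.0
GLOBAL_IP = "1.1.1.1"                                 # global (External) 1 1.1.1.1


def translate_outbound(proto, src_ip, src_port):
    """Return (mapped_ip, rule_name) for a flow leaving the Internal interface."""
    # Assumption: static PAT applies only when protocol, real IP and real port all match.
    if proto == STATIC_PAT["proto"] and (src_ip, src_port) == STATIC_PAT["real"]:
        return STATIC_PAT["mapped"][0], "static-pat"
    if ipaddress.ip_address(src_ip) in DYNAMIC_NET:
        return GLOBAL_IP, "dynamic-nat-1"
    return None, "no-match"


def translate_inbound(proto, dst_ip, dst_port):
    """Return (real_ip, real_port) for a new flow arriving on External, or None."""
    if proto == STATIC_PAT["proto"] and (dst_ip, dst_port) == STATIC_PAT["mapped"]:
        return STATIC_PAT["real"]
    return None  # the dynamic rule does not admit new inbound connections


def sender_ip_matches_mx(mx_ip, proto, src_ip, src_port):
    """True if outbound mail leaves from the address the DNS record advertises."""
    return translate_outbound(proto, src_ip, src_port)[0] == mx_ip


if __name__ == "__main__":
    # Constructed flows: inbound mail, then outbound mail from an ephemeral port.
    print("inbound 1.1.1.2:25      ->", translate_inbound("tcp", "1.1.1.2", 25))
    print("outbound .28:35570      ->", translate_outbound("tcp", "192.168.1.28", 35570))
    print("sender IP matches MX IP ->",
          sender_ip_matches_mx("1.1.1.2", "tcp", "192.168.1.28", 35570))
```
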
04-20-2009 04:57 AM
As I understand it (from your config above), your internal machine (192.168.1.28) will use the address 1.1.1.2 for all SMTP communications; all other communications will use the 1.1.1.1 address.
HTH
Steve