Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

static nat issue

Hi guys,

Would you mind to help me figure out this nat issue please?

I want to forward smtp port of inside host to outside however it doesnt work. Also packet-tracer indicates that NAT drop it

Please help me guys!!!

Thank you so much!

This is config:

ASA Version 8.4(5)


interface Ethernet0/0

nameif inside

security-level 100

ip address


interface Ethernet0/1

nameif outside

security-level 0

ip address

object network obj_any


object service OBJ-TCP-smtp

service tcp source eq smtp

object service TCP_SMTP

service tcp source eq smtp

object network WAN_IP_OBJECT_103.134.166.238


object network SERVER_OBJECT_192.168.1.22


access-list outside_access_in extended permit tcp any any eq smtp

access-list inside_access_in extended permit ip any any

object network obj_any

nat (inside,outside) dynamic interface

object network SERVER_OBJECT_192.168.1.22

nat (inside,outside) static interface service tcp smtp smtp

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 1


Phase: 6

Type: NAT

Subtype: rpf-check

Result: DROP


object network SERVER_OBJECT_192.168.1.22

nat (inside,outside) static interface service tcp smtp smtp

Additional Information:

Forward Flow based lookup yields rule:

out id=0xac831e20, priority=6, domain=nat-reverse, deny=false

        hits=154, user_data=0xac7f5748, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

        src ip/id=, mask=, port=0

        dst ip/id=, mask=, port=25, dscp=0x0

        input_ifc=outside, output_ifc=inside

Show nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static SERVER_OBJECT_192.168.1.22 interface   service tcp smtp smtp

    translate_hits = 0, untranslate_hits = 152

2 (inside) to (outside) source dynamic obj_any interface

    translate_hits = 4351, untranslate_hits = 565

Super Bronze

static nat issue


Configuration seems fine to me.

I would guess that in the "packet-tracer" command you have used the real address as the destination rather than the public IP address on your ASA "outside" interface since that is the address to which the connections are destined.

Looking at the above configuration it seems you should issue this command

packet-tracer input outside tcp 12345 25

- Jouni

New Member

static nat issue

Oh I've found it

The culprit is not the firewall but the ISP Optus @@. It has filtered my SMTP packets, don't know why

Thank Jouni so much for the packet-tracer !

CreatePlease to create content