Example of Manual NAT to implement NAT exemption

Similar Messages

• Manual Nat (twice Nat) Answers

  There seems to be a large number of the subject queries in one form or another.  Having acquired an asa 5505 and using 8.43 firmware and the ADSM gui for router configuration it has not been an easy transition from other products.   I have come to understand embedded NAT objects for basic port forwarding but am at a loss on configuring twice nat or manual nat, not really ever dealing with it before, or in this manner.  
  What I would like to suggest to the experts and to those with the ability to give advice to document editers is to include far more ADSM web gui examples and discussion for manual nat.   The tools are all there - in the nat rules editing page,  the display of the rules pictorially and the packet flow at the bottom of the page (and finally thru packet tracing).   What is needed is more on the actual entries on the nat editing pages and the logic and explanation of those entries.   In this forum what I would like to see is when there are responses that they include both the CLI recommended entries b AND the associated adsm web gui pics.  With good documents for reading and examples in the forum, I think there should be much less confusion allowing more attention to some very complex scenarios.   I personally feel a bit embarrassed to be asking basic questions and appreciate the responses but with improvements in docs and forum answers the number of such questions should drop.  At the very least I and others like me will get better edumecated.    To be clear am not looking for the easy cookie cutter right answers, I am looking to understand CIsco packet routing through explanations of the web gui entries. In fact, I am learning far more by trying to understand the web gui vice simply copying and entering CLI commands.  In terms of documents, for example, there should be a very thorough explanation of the relationship between "Translated Addr:" in the first NAT editing page with "Destination Inteface" in the second Advanced page .
  Thanks.
  Examples below of what I am talking about (note examples are simple embedded NAT object (port forwarding rules).  I can finally handle external users requiring access to internal servers. :-)  But that is just the surface.
  I have added the packet tracing jpegs for further context.  There is an UNNAT lookup entry (first trace block, out of view on the pic) a concept which is missing in the documentation I've read that needs to be added but it is illuminating in how the router handles traffic.   What is also interesting is the fourth jpeg which also shows the flow designation of a packet and its handling internally (new packet or one that is associated with an existing packet (previously identified and put in an appropriate table xlate etc)).

  Hi,
  I've personally always preferred using CLI over GUI. Probably comes due to the fact I started with old Cisco switches and routers.
  When I first used a Cisco PIX the switch from switches/routers was a bit hard. The configuration format in 6.x was totally different from the IOS. After I upgraded the first PIX to software 7.0 it was abit more familiar already. Interfaces were now configured like in the switches and routers. Also the permitting traffic through the device used access-lists.
  I was just beginning to handle all the different NAT setups (atleast the ones we run into) and then came 8.3 (and 8.4) which totally changed the NAT configuration format
  I still find myself configuring the NAT through CLI. I use the CLI because I like beeing able to see the whole device configuration without jumping from tab to tab and clicking drop down menus. I mostly use ASDM to edit existing configurations or something that might not be as familiar with. Though my goal usually is to learn to configure the same from the CLI after I've done it a couple of times from GUI interface.
  If you're only using ASDM GUI to configure the ASA, I suggest you go "Tools -> Preferences" and from there enable the option "Preview commands before sending them to the device" This will basicly show you all configurations that you are going to apply in the CLI format. I think this preview setting is off by default.
  EDIT2: One really helpfull thing is also the fact that you can get help for almost every configuration page on the ASDM GUI. I think theres almost always a direct "Help" button that opens information about the configuration page in question and clarifies all the options you have on the page. Again, as I haven't used much ASDM, I dont know if they clarify the things you are asking for.
  The first 2 pictures to my understanding illustrate the configuration of a port forwarding using the "outside" interfaces address.
  The first pictures Translated Address just refers that you are going to use the "outside" interfaces IP address (whatever it might be) to configure a NAT. The ASDM has a habit of giving names to IP addresses which can confuse you. The same line might as well contain an IP address in numeric format if you for example had a small public subnet at your disposal for NAT translations.
  The second pictures source/destination interface just basically tells you the interfaces between which the NAT is beeing performed. Either of these can also be specified as "any".
  I'll give you a couple of examples
  EXAMPLE 1
  The below configuration basicly tells the ASA that it will PAT all outbound (outside) traffic from the source networks defined in the object-group to the outside interface address. It also tells that the source interface can be any interface on the ASA.
  So basically if you keep adding interfaces to an ASA that need (Or networks behind them) default PAT translations when they use the Internet, you can just keep adding "network-object x.x.x.x y.y.y.y" statements with the new networks under the object-group and the ASA will do PAT for them. You wont have to configure any additional NAT statements.
  object-group network DEFAULT-PAT-SOURCE-NETWORKS
  description Source Networks for PAT
  network-object 10.10.10.0 255.255.255.0
  network-object 192.168.0.0 255.255.255.0
  network-object 172.16.8.0 255.255.255.0
  nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE-NETWORKS interface
  EXAMPLE 2
  The below configuration basically tells the ASA that the DMZ server will be visible to other hosts behind other ASA interface with the same NAT ip of "1.2.3.4". This could apply to situations where you want to access the DMZ server with the same public IP address from both the Internet and the LAN.
  This could help with situations where your LAN uses public DNS and that DNS points to the servers public IP address. With this NAT configuration even though you LAN hosts are connecting to a public IP address the device will still be accessible from the LAN since you're NATing the DMZ server towards all interfaces.
  object-network DMZ-PUBLIC-STATIC
  description Static Public IP for DMZ server
  host 192.168.10.10
  nat (dmz,any) static 1.2.3.4 dns
  The UN-NAT section to my understanding just tells you  that a connection coming from outside to a NAT IP is basically forwarded to the actual lan host IP address and not the public IP the user was originally connecting to.
  To be honest I don't really know how to configure well with the ASDM as I usually just use the CLI. Because of that I'm sometimes at a loss on how to configure the most simple things because I've only done them on the CLI.
  Hope some of this was helpfull to you
  EDIT: Didn't realize I wrote so much
  - Jouni

• Auto nat vs manual nat

  Some how I have ended up with multiple network objects for the same network example
  obj-192.168.1.0
  obj-192.168.1.0-1
  obj-192.168.1.0-2
  All are for the same network but have different nat statements. When I look at my NAT statements I have a bunch of manual NAT and Network object NAT rules. I'm pretty confussed on the two. Should I just have one auto nat statement for each object? Then if I need another NAT statement for the same network make it a manual nat?

  Would I be correct to presume you have updated/upgraded the ASA software from pre 8.3 to post 8.3 by letting the ASA convert the configuration by itself and not actual write the configurations yourself?
  If that is true then it would seem to me that these configurations might be the 8.3 (and later) softwares way of doing Identity NAT between your local ASA interfaces. (Which can also be done with Twice NAT / Manual NAT)
  I would for example guess that the following configuration
  object network obj-172.16.0.0-05
  subnet 172.16.0.0 255.254.0.0
  nat (inside,TM) static 172.16.0.0
  Before was this
  static (inside,TM) 172.16.0.0 172.16.0.0 netmask 255.254.0.0
  In the new software 8.3+ if you have local LAN and DMZ interfaces on the ASA which dont require NAT between them, you can simply leave out the NAT configurations. So if your purpose is to enable communication between local interfaces wihtout modifying the source or destination address then I would leave out all those NAT configurations.
  In the very basic setups you only really need to perform NAT between the local and public interfaces. The new ASA software doesnt have any "nat-control" anymore. If there is no NAT rule for the traffic incoming to the ASA then the ASA will simply pass it along without NAT.
  - Jouni

• Static NAT or NAT exemption?

  So my situation is kind of unique. I'm currently configuring an ASA5510 (ver. 8.4) to replace an OpenBSD router box. My company was originally given a /24 of public IP's.....yes it's weird. We are currenly working on eliminating the public vlan in our office. Currently half the company is using these public IPs for their computers and half are on a private vlan. We also have several servers on the public vlan. Everything is connected to a layer 3 switch that routes between these computers. When we first implement the ASA we want to leave the servers on the public vlan and have them still accessible from the outside by the same IP address. Currently the OpenBSD box just doesn't NAT the public vlan.
  We were looking at 2 solutions.
  1. NAT the server IPs to itself. ie. if the server has an IP of 80.80.80.2 then the nat statement would looke something like:
  nat (inside,outside) 80.80.80.2 80.80.80.2
  This is what we think would work best.
  2. We create a nat exemption rule for that entire public vlan.
  Is our theory correct that option 1 works best? Any other suggestions? We do not want to implement a DMZ because we have such sensitive data and only our web server could exist in our DMZ. My company is small....the simpler the solution, the better.

  only difference in these options are that static identity nat would create a xlate entry on the firewall however if you use nat exempt that would not create the xlate on the firewall.

• Quick question re: migration of nat exemption from asa pre-8.2 to post-8.2

  I am going through http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.pdf and I have a question about nat exemption.  According to the guide above, the migration of nat exemption will look like this:
  access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
  nat (inside) 0 access-list inside_nat0_outbound
  object network obj-vLan201
  subnet vLan201 255.255.255.0
  object network obj-172.19.252.0
  subnet 172.19.252.0 255.255.255.0
  nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
  My question is this: if acl inside_nat0_outbound has multiple ACEs, does the migrated configuration contain a separate "nat (inside,any)" statement for each ACE in the original pre-8.3 config, like this?
  access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0
  nat (inside) 0 access-list inside_nat0_outbound
  object network obj-vLan201
  subnet vLan201 255.255.255.0
  object network obj-172.19.252.0
  subnet 172.19.252.0 255.255.255.0
  object network obj-172.19.253.0
  subnet 172.19.253.0 255.255.255.0
  nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
  nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.253.0 obj-172.19.253.0
  Our current acl has about twenty entries, which would make for twenty nat statements, if this is right.
  Thanks,
  -Mathew

  Hi,
  Default behaviour for NAT past 8.2 software level is to let traffic flow through the ASA without NAT. Before that "nat-control" setting on the ASA defined if the traffic needed a NAT configuration or not.
  If your NAT0 / NAT Exempt configurations contain statements meant for VPN connections then you have to make new ones for those.
  Are the entries in your old NAT0 configurations meant for traffic between different networks in your own LAN or are they meant for different VPN connections? Or perhaps both.
  But as you said, moving to the new software does mean that even some simple NAT configuration will now contain more configurations than in the old software.
  - Jouni

• Does adding tcp udp ports on the nat exempt accesslist which is binded to nat 0 statement remove the entire nat 0 statement itself?

  Hi Experts,
  Is the above statement true?. I learnt later that adding tcp and udp ports on the nat 0 statements are supported . But does it take away the entire nat statement? Please answer my question at the earliest.
  Regards
  Krishna

  Krishna,
  "NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does enable you to specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list. NAT exemption also does not support connection settings, such as maximum TCP connections."
  Reference
  So, since the documentation clearly says that this rule does not consider any ports in the ACL, then one should not be testing unsupported configurations.
  If one adds an ACL with specific ports, then unexpected results may be expected.
  My suggestion, dont add any ACL entry with specific ports to your NAT exempt statement.
  Thanks.
  Portu.
  Please rate any helpful posts

• Identifying Manual NAT in ASDM

  Hi Everyone,
  Below is the screenshot from Cisco LEarning Website for ASA  Practice test.
  Correct answer is Manual NAT polices .
  Need to  know what should i look for in ASDM  that will tell me it is Manual NAT?
  Regards
  MAhesh
  Message was edited by: mahesh parmar

  It is manual because the screenshot shows that there are no Network Object NAT rules. So the displayed NAT rule is of type #3 in the list below.
  In ASA 8.3 or later there are 3 types of NAT rules you can add:
  1. Manual NAT before Network-object NAT
  2. Network-Object NAT (network-object NAT is also known as AutoNAT)
  3. Manual NAT after Network-object NAT.
  If you looked at the cli, it would have the keyword "after-auto" in the NAT rule.

• Moving Manual NAT to section 3 (after auto nat)

  Hi All,
  We have 3 sections of NAT
  1>Manual NAT
  2>Auto NAT
  3>Manual NAt after Auto.
  Lets say on ASA  we config Manual and Auto Nat.
  Now Order of NAT  is
  1>Manual
  2>Auto
  If i move the Manual NAT  to section 3 of NAT  which is Manual NAT  after auto NAT.
  Now Order of NAT  is
  2>Auto
  3>Manual NAT  after Auto.
  Now when i try to do Process Manual NATafter auto  section number 3 it does not work as it hits Auto NAt and does not go down.
  Need to know the reason behind this?
  Regards
  MAhesh

  Also as a little side note,
  There is also difference in the ordering of the NAT configurations depending on the Section
  Section 1 and Section 3 Manual NAT rules are always gone through in the order you see them in the actual CLI configuration. So you might have 2 completely working rules BUT if they are in the wrong order it might be that other one of them is never used
  Section 2 Auto NAT rules are processed in an order that you dont usually decide yourself. The ASA puts them in order according to how they were configured.
  So in a nutshell. You can manually set the order of the Manual NAT rules but Auto NAT rules are ordered automatically by the ASA itself.
  You can see the current order of the Auto NAT rules with the command
  show nat
  - Jouni

• Is it possible to do NAT Exemption by port on ASA 8.3?

  Hello,
  Here is the scenario that I'm trying to solve. I have an IPSEC VPN that just strips off port 80 and 443 traffic from and internal network when the destination is the internet.
  This VPN works fine until NAT gets involved. After I configured a dynamic hide NAT for the internal network then the traffic to the VPN no longer matches crypto map. This I was expecting as I know that NAT processing takes place before IPSEC. What I was not expecting is how difficult it would be to exclude my IPSEC VPN traffic from getting NATed.
  The difficulty is in that the destination IP has to be ANY since it is the internet, and also that it should only be port 80 and 443 that are excluded from NAT. I do want any other traffic to still be processed by the dynamic hide.
  So the traffic that I want to exclude from NAT would look like this:
  internal-net --> ANY on TCP Port 80 or 443 Exclude from NAT.
  It seems so simple but I cannot find any examples of someone successfully doing this, and I also do not see that it is not possible. I’ve played around with many double NAT statements but any combination that I put in results in the firewall saying, “ERROR: NAT unable to reserve ports”.
  Any help on this would be greatly appreciated!
  Eric

  Hi,
  The general format to configure NAT0 would be
  object network LAN
  subnet
  object network REMOTE-LAN
  subnet
  nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
  But if I understood you correctly, you want to configure NAT0 for traffic from your LAN that has destination address "any" and destination port/service of TCP/80 or TCP/443?
  This would mean that you are are trying to tunnel all of this Web traffic to a remote site where it will eventually get passed to the Internet through NAT?
  Have you tried the following NAT configuration yet
  object network LAN
  subnet
  object network REMOTE-LAN
  subnet
  object service WWW
  service tcp destination eq www
  object service HTTPS
  service tcp destination eq https
  nat (inside,outside) source static LAN LAN service WWW WWW
  nat (inside,outside) source static LAN LAN service HTTPS HTTPS
  This should match any traffic with a destination port TCP/80 and TCP/443 to "any" destination network. It would also at the same time keep the source address original (NAT0 / Identity NAT)
  What you have to notice with this setup that this applies to ALL this kind of traffic. If you have DMZs on the local ASA you will have to configure additional NAT configuration before these configurations so that the LAN -> DMZ WWW/HTTPS traffic is not involved or forwarded to the L2L VPN.  So there are some things to take consideration
  There is also another variation of the above configuration and depending on your actual software level (the different software levels after 8.3) the ASA might match the above NAT configuration differently.
  Hope this helps
  - Jouni

• Ipsec-manual, NAT-Traversal?

  Is there a way in IOS to enabled NAT-Traversal (ESP-UDP) for manually keyed IPsec tunnels?
  Thus far, it looks to me like IKE is required for the NAT detection.
  In Linux, I can manually create ESP-UDP SA's, I was hoping to be able to do the same in IOS.

  It allows ipsec to work through nat?
  How did your last post turn out?

• Manual NAT to override Auto NAT

  Hi, i've an ASA with this relevant config:
  ASA Version 9.1(1)
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 1.1.1.1 255.255.255.248
  object network obj-192.168.2.20
  host 192.168.2.20
  object network obj-1.1.1.2
  host 1.1.1.2
  access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq smtp
  access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq pop3
  access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq imap4
  access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq https
  object network obj-192.168.2.20
  nat (inside,outside) static obj-1.1.1.2
  Now i have to allow access to a web server from a specific Internet Address  2.2.2.2.
  Both web server and all other inbound access are made via a different IP Address 1.1.1.2
  I'm having some problems configuring this second item, and I need help.
  Which is the best way  to overcame this problem.
  TIA
  FR

  Hello Fran,
  Not sure what you mean:
  I mean you already have the policies in place for this:
  object network obj-192.168.2.20
  nat (inside,outside) static obj-1.1.1.2
  access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq smtp
  access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq pop3
  access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq imap4
  access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq https
  Now i have to allow access to a web server from a specific Internet Address  2.2.2.2.
  Both web server and all other inbound access are made via a different IP Address 1.1.1.2
  So now a user on the outside 2.2.2.2 will be accessing your webserver,
  Is your server 192.168.2.20 and also what do you mean by
  Both web server and all other inbound access are made via a different IP Address 1.1.1.2
  For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
  Any question contact me at [email protected]
  Cheers,
  Julio Carvajal Segura

• Example of using JAVA to implement location transparency

  Dear all,
  Is any example or source code show me how to using JAVA to implement location transparency?
  Thanks
  Ronnie Poon

  <frameset> should not be the child of the <body> element. It should be the child of <html> element.
  This works:
  <?xml version="1.0" encoding="UTF-8"?>
  <jsp:root version="1.2" xmlns:f="http://java.sun.com/jsf/core"
  xmlns:h="http://java.sun.com/jsf/html" xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:ui="http://www.sun.com/web/ui">
  <jsp:directive.page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"/>
  <f:view>
  <ui:page id="page1">
  <ui:html id="html1">
  <ui:head id="head1">
  <ui:link id="link1" url="/resources/stylesheet.css"/>
  </ui:head>
  <frameset cols="30%,70%">
  <frame name="left" src="faces/Page1.jsp"/>
  <frameset rows="80%,20%">
  <frame name="top" src="faces/rightPage.jsp"/>
  <frame name="bottom" src="faces/bottomPage.jsp"/>
  </frameset>
  </frameset>
  </ui:html>
  </ui:page>
  </f:view>
  <ui:form binding="#{bean.form1}" id="form1"/>
  </jsp:root>
  thanks,
  tsc

• Examples for JMS Error Queue implementation in BPEL

  Hi ,
  Please anyone provide me examples for JMS error queue implementaion in BPEL.
  Regards
  Narsi p

  Hi Narsi p,
  Please remember to mark answers accordingly... Helpful or correct, following the forum rules
  https://forums.oracle.com/forums/ann.jspa?annID=330
  Can you tell us more about what are you trying to achieve here?
  If you are just trying to configure an error queue to put the messages that couldn't be delivered, you can do this in weblogic directly.
  Configuring an Error Destination for Undelivered Messages
  http://docs.oracle.com/cd/E17904_01/web.1111/e13727/manage_apps.htm#JMSPG254
  Cheers,
  Vlad

• Cisco ASA Site to Site IPSEC VPN and NAT question

  Hi Folks,
  I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
  ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
  Just an example:
  Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
  The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
  It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
  Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
  Appreciate if someone can shed some light on it.

  Hi,
  Ok so were going with the older NAT configuration format
  To me it seems you could do the following:
  Configure the ASA1 with Static Policy NAT 
  access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
  Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
  If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
  On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
  access-list INSIDE-NONAT remark L2LVPN NONAT
  access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
  nat (inside) 0 access-list INSIDE-NONAT
  You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
  ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
  I could test this setup tomorrow at work but let me know if it works out.
  Please rate if it was helpful
  - Jouni

• Policy NAT 8.6(1)2 Windows Server Cluster

  We have 2 email servers in a cluster on the network.  I have the cluster IP address configured for Object static NAT.  This works great for email coming into our organization.  However, when either of these 2 email servers send mail, they send using their configured IP address which is different from the cluster IP address.  Thus, the NAT'd address is different than for incoming.  It hasn't been an issue to this point, but I would like to be able to send SMTP from either server and have it NAT to the same IP used for the cluster IP.  This way, any reverse DNS lookups on the internet would show a consistent IP to name mapping for our mail servers.  I've attached a diagram.  If there is a way to force the cluster servers to use the cluster address on the Windows server side, that could be an option as well.
  Thanks,
  Andrew

  Hi,
  The actual NAT configuration used depends on how your Dynamic PAT rule for all the users of the network is configured at the moment. Mainly is it Auto NAT or Manual NAT.
  Though naturally I can give you an example that includes both Dynamic PAT for all users and Dynamic PAT for the Mail servers and the Static NAT for incoming mail.
  MAIL SERVER STATIC NAT
  object network MAIL-SERVER
  host 10.0.0.1
  nat (inside,outside) static 10.10.10.140
  The above configuration is the basic Static NAT configuration for a host using Auto NAT / Network Object NAT. It could be done with Manual NAT / Twice NAT also but I prefer Auto NAT / Network Object NAT
  MAIL SERVER DYNAMIC PAT
  object-group network MAIL-PAT-SOURCE
  network-object host 10.0.0.1
  network-object host 10.0.0.2
  network-object host 10.0.0.3
  object network MAIL-SERVER-PUBLIC
  host 10.10.10.140
  nat (inside,outside) after-auto source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
  The above is a normal Dynamic PAT configuration (no Policy elements involved).
  The key thing to notice here is that we are entering this to the ASA before the next Dynamic PAT that catches all the rest of the source IP address. One thing to notice also is that its a Section 3 NAT rule (the lowest priority) so that it wont override any other NAT rules like the above Static NAT.
  I you had your existing Dynamic PAT for all users already with a similiar configuration than last configuration example then you would have to add a line number to the NAT configuration like this
  nat (inside,outside) after-auto 1 source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
  DEFAULT DYNAMIC PAT FOR USERS
  nat (inside,outside) after-auto source dynamic any interface
  The above is just an Dynamic PAT configuration that catches all source addresses from behind the "inside" interface and does Dynamic PAT for them when connecting to networks behind "outside". As this is inserted to the configuration after the above command it will be at a lower priority and wont apply for the 3 source hosts we specified above.
  I wonder if I made this out to be more complicated than it needs to be
  I guess the easiest way to determine the configuration you will need/want would be to see the current NAT configuration on the ASA
  Hope this helps
  Please do remember to mark a reply as the correct answer if it answered your question.
  Feel free to ask more if needed
  - Jouni