Another day, another PIX (well, ASA this time) to configure. You can almost sleepwalk through it. This time, since there's only one outside IP address, you figure you'll use

    global (outside) 1 interface

instead of

    global (outside) 1 outside_address

or

    global (outside) 1 outside_address1-outside_address2 netmask

Later on, you configure your static NAT or PAT entries with lines like

    static (inside,outside) tcp outside_address smtp inside_address smtp netmask 255.255.255.255

No problem, eh?
But then you test it out, and discover that the firewall happily tells you it's discarding packets you thought should be coming through. And they're not even hitting the access list you'd configured on the outside interface. What's going on?
It turns out that if you used the interface keyword in that global line, you must also use it when you configure your static NAT and/or PAT entries (despite there only being one address on the interface in this situation, etc. etc. etc.). i.e.

    global (outside) 1 interface
    [ ... ]
    static (inside,outside) tcp interface smtp inside_address smtp netmask 255.255.255.255
Why is it so? I don't know. It's not like show xlate shows anything different between the two configurations.
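As an added worked example (not from the original post), here is a minimal ASA 7.x-8.2 configuration for the scenario above, showing the static that gets its packets discarded next to the one that works, plus the outside access list and a quick check. The interface names, the outside address 203.0.113.1 and the inside mail host 192.168.1.10 are constructed for illustration.

```cisco
! Added example: minimal ASA 7.x-8.2 NAT config for a single outside address.
! Interface names and addresses are constructed, not taken from the post.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Outbound PAT: every inside host shares the outside interface's own address.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! BROKEN (commented out): names the outside address literally. With the global
! line above, inbound SMTP to this static is discarded by the firewall without
! the outside access list ever being consulted.
! static (inside,outside) tcp 203.0.113.1 smtp 192.168.1.10 smtp netmask 255.255.255.255
!
! WORKING: once "interface" is used in the global line, the static must use it too.
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255
!
! Pre-8.3 access lists match the MAPPED address (the outside interface IP),
! not the real inside host. Permit only SMTP; the implicit deny covers the rest.
access-list outside_in extended permit tcp any host 203.0.113.1 eq smtp
access-group outside_in in interface outside
!
! Check (exec mode, ASA 7.2 and later): simulate an inbound SMTP SYN from a
! constructed Internet host and confirm the static is matched and the verdict
! is ALLOW rather than a drop.
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.1 25
```

This example uses the pre-8.3 nat/global/static syntax the post is about. On ASA 8.3 and later the NAT model changed to object-based NAT and access lists reference the real (untranslated) address, so the access-list line above would need to name 192.168.1.10 instead.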
09:44 · comments (0)
Licensing
This weblog is licensed under a Creative Commons License.