Hello, everyone, i am writing you for help me.

I Have this Topology:

R1 is as server and i want to public that server in INTERNET using public IP 7.7.7.7, but i can not do that. I tried to do a NAT but it just translate from DMZ to Outside, however i can not to ping to 7.7.7.7 from Outside (R2).

I have a route in R2

7.7.7.7 [1/0] via 200.200.200.1

On R2 i can´t ping to 7.7.7.7

On R2 i can´t ping to 172.16.0.2

On R1 i can ping to 200.200.200.2

On Inside i can ping to 172.16.0.2

when i try to ping from DMZ to Outside (200.200.200.2) the debug, and show nat details, show me:

ciscoasa(config)# nat: translation - dmz:172.16.0.2/26 to outside:7.7.7.7/26

nat: untranslation - outside:7.7.7.7/26 to dmz:172.16.0.2/26

nat: untranslation - outside:7.7.7.7/26 to dmz:172.16.0.2/26

nat: untranslation - outside:7.7.7.7/26 to dmz:172.16.0.2/26

ciscoasa(config)#

ciscoasa(config)# sh nat detail

Auto NAT Policies (Section 2)

1 (dmz) to (outside) source static obj-172.16.0.2 7.7.7.7

    translate_hits = 2, untranslate_hits = 2

    Source - Origin: 172.16.0.2/32, Translated: 7.7.7.7/32

When i try to ping from Outside to DMZ using public IP (7.7.7.7) the debug and show nat detail, show me:

ciscoasa(config)# nat: untranslation - outside:7.7.7.7/0 to dmz:172.16.0.2/0

nat: untranslation - outside:7.7.7.7/0 to dmz:172.16.0.2/0

nat: untranslation - outside:7.7.7.7/0 to dmz:172.16.0.2/0

nat: untranslation - outside:7.7.7.7/0 to dmz:172.16.0.2/0

nat: untranslation - outside:7.7.7.7/0 to dmz:172.16.0.2/0

nat: untranslation - outside:7.7.7.7/0 to dmz:172.16.0.2/0

nat: untranslation - outside:7.7.7.7/0 to dmz:172.16.0.2/0

nat: untranslation - outside:7.7.7.7/0 to dmz:172.16.0.2/0

nat: untranslation - outside:7.7.7.7/0 to dmz:172.16.0.2/0

nat: untranslation - outside:7.7.7.7/0 to dmz:172.16.0.2/0

ciscoasa(config)# sh nat det

Auto NAT Policies (Section 2)

1 (dmz) to (outside) source static obj-172.16.0.2 7.7.7.7

    translate_hits = 2, untranslate_hits = 7

    Source - Origin: 172.16.0.2/32, Translated: 7.7.7.7/32

In ASA my configuration is this:

ASA Version 8.4(2)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet1

nameif dmz

security-level 50

ip address 172.16.0.1 255.255.255.0

!

interface GigabitEthernet2

nameif outside

security-level 0

ip address 200.200.200.1 255.255.255.0

!

interface GigabitEthernet3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet5

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

object network obj-172.16.0.2

host 172.16.0.2

access-list pingc extended permit icmp any any echo-reply

access-list pingc extended permit icmp any any unreachable

access-list pingc extended permit tcp any host 200.200.200.2 eq www

access-list pingc extended permit icmp any host 200.200.200.2

access-list pingc extended deny ip any any

access-list webicmp extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.0.2 eq www

access-list webicmp extended permit icmp 192.168.1.0 255.255.255.0 host 172.16.0.2

access-list webicmp extended deny ip any any

access-list public extended permit tcp any host 7.7.7.7 eq www

access-list public extended permit icmp any host 7.7.7.7

access-list public extended permit icmp any any echo-reply

access-list public extended permit icmp any any unreachable

access-list public extended deny ip any any

pager lines 24

mtu inside 1500

mtu dmz 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network obj-172.16.0.2

nat (dmz,outside) static 7.7.7.7

access-group webicmp in interface inside

access-group pingc in interface dmz

access-group public in interface outside

route dmz 7.7.7.7 255.255.255.255 172.16.0.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

crashinfo save disable

Cryptochecksum:5d5522548310b4842b3b21003cc3470a

: end

Thanks a lot, I hope that you help me.