Hello, I am attempting to configure an ASA 5505 which is connected to 3 networks for access to an inside email server.  Don't pay attention to the names on this config as they are not intuitive.

The 3 vlans are:

vlan 1 which has an IP of 192.168.x.1 - Connected to inside (which is really the dmz)

nameif inside

e0/1 is assigned to this

vlan 2 which has an IP of 184.x.x.194 - Connected to outside (which is the public internet)

nameif outside

e0/0 is assigned to this

vlan 3 which has an IP of 10.x.7.2 - Connected to mpls (which is the mpls and a trusted network)

nameif mpls

e0/3 is assigned to this.

The desired flow is:

1.from the outside from any host on the public internet to type in an https url (which I already have forwarded by my hosting company) and get back a page from the dmz server at 192.168.x.26. 

2. The dmz email server connects to the data center email cluster via 1352

I can ping all resources and have had some luck with packet-tracer but I can't get this completed.  Please help, I think it's an easy nat or acl fix.  I just can't find it.  Here is the config:

User Access Verification

Password:

Type help or '?' for a list of available commands.

asa5505-DMZ> en

Password: ********

asa5505-DMZ# sho run nat

!

object network Traveler

nat (inside,outside) static interface service tcp https https

object network DMZ

nat (inside,mpls) dynamic interface

asa5505-DMZ# show nat detail

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static Traveler interface service tcp https https

    translate_hits = 0, untranslate_hits = 1

    Source - Origin: 192.168.x.26/32, Translated: 184.x.x.194/29     ****************** One thing to note is that these subnets are not correct!

    Service - Protocol: tcp Real: https Mapped: https

2 (inside) to (mpls) source dynamic DMZ interface

    translate_hits = 3, untranslate_hits = 0

    Source - Origin: 192.168.x.0/24, Translated: 10.x.7.2/28

asa5505-DMZ# sho run

: Saved

:

ASA Version 8.4(1)

!

hostname asa5505-DMZ

enable password wrblOSAyPeeKhvhL encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 50

ip address 192.168.x.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 184.x.x.194 255.255.x.x

!

interface Vlan20

nameif mpls

security-level 100

ip address 10.x.7.2 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

switchport access vlan 20

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa841-k8.bin

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Traveler

host 192.168.x.26

object network DMZ

subnet 192.168.x.0 255.255.255.0

object network mpls

subnet 10.0.0.0 255.0.0.0

object network outside

subnet 184.x.x.192 255.255.x.x

access-list https_in extended permit tcp any interface outside eq https

access-list https_in extended permit tcp any host 192.168.x.26 eq https

access-list inside_mpls extended permit tcp host 192.168.x.26 host 10.x.x.131 eq lotusnotes

access-list inside_mpls extended permit tcp host 192.168.x.26 host 10.x.x.45 eq lotusnotes

access-list inside_mpls extended permit tcp host 192.168.x.26 host 10.x.x.220 eq lotusnotes

access-list ping_test extended permit icmp any any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu mpls 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

!

object network Traveler

nat (inside,outside) static interface service tcp https https

object network DMZ

nat (inside,mpls) dynamic interface

access-group inside_mpls in interface inside

access-group https_in in interface outside

route outside 0.0.0.0 0.0.0.0 184.x.x.193 1

route mpls 10.0.0.0 255.0.0.0 10.x.7.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 1440

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:ae1d0f0b2ec7f71633b132c4f261280d

: end

asa5505-DMZ#

Any Idea what I'm missing? The email server is not pingable via public internet and is not reachable via the https url.

Help!?!?

Thank you!