ASA 5505 dmz newbie

robbhanMid (Level 1)

Can't seem to figure out how to build a DMZ for our webserver. All traffic gets denied by the default incoming rule.

I want all incoming http/80 requests to the external ip (192.168.10.35 for now) to be forwarded to the www-server in the dmz 176.16.3.15.

I think I have the address translation up and running, but no matter what incoming firewall rule I create, traffic gets blocked. I must be missing something obvious here... any ideas:

ASA Version 8.0(3)
!
hostname *
domain-name *
enable password *
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
nameif dmz-office
security-level 50
ip address 172.16.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside-acl extended permit tcp any host 192.168.10.35 eq www
access-list outside_access_in extended permit tcp any host 192.168.10.35 eq www
access-list l2l_list extended permit ip host 192.168.10.35 host 192.168.10.14
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz-office 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp 192.168.1.2 www 192.168.10.35 www netmask 255.255.255.255
static (dmz-office,inside) 172.16.3.14 192.168.10.35 netmask 255.255.255.255
static (inside,dmz-office) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
access-group outside_access_in in interface outside

2 Replies

Hi,

Give the following command for NATting the IP 192.168.10.35 (outside) to 172.16.3.15 (DMZ):

static (dmz,outside) 192.168.10.35 172.16.3.15 netmask 255.255.255.255
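The same idea carried through as a complete, minimal set of ASA 8.0(3) commands, added here as an example and not part of the reply above. It assumes the DMZ interface keeps the name dmz-office from the posted config and that 192.168.10.35 is a routable address on the outside segment, separate from the address the outside interface gets via DHCP.

```cisco
! Added example, not from the original thread. Assumptions: the DMZ interface
! is named dmz-office (as in the posted config) and 192.168.10.35 is a routable
! outside address distinct from the outside interface's DHCP-assigned address.
!
! 1. Translate only TCP/80 from the mapped outside address to the DMZ server.
!    A "tcp" static publishes a single port; a plain static would expose
!    every port on 172.16.3.15 to the outside.
static (dmz-office,outside) tcp 192.168.10.35 www 172.16.3.15 www netmask 255.255.255.255
!
! 2. On pre-8.3 code the inbound ACL matches the MAPPED (outside) address,
!    not the DMZ address. Permit only the published service.
access-list outside_access_in extended permit tcp any host 192.168.10.35 eq www
access-group outside_access_in in interface outside
!
! 3. Translation slots are cached; clear them after changing a static so the
!    new mapping is used for the next connection.
clear xlate
!
! 4. Verify the path from the CLI before testing from the Internet.
!    203.0.113.10 is a documentation-range placeholder for an external client.
packet-tracer input outside tcp 203.0.113.10 40000 192.168.10.35 80 detailed
show xlate
show access-list outside_access_in
```

The packet-tracer output lists each phase (ACL, NAT, route lookup) with an ALLOW or DROP verdict, so a drop in the NAT phase points at the static and a drop in the ACCESS-LIST phase points at the ACL.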

Does the NAT routing between the VLANs have to be up and running correctly before I use the packet tracer in the ASDM to see what packets are accepted and/or dropped?

It seems like everything gets dropped but the default rule.
