Hi--
First-time poster, so please go easy... I'm having what I think is an issue with my ASA config. I'm trying to add a DMZ and it's not working.
My network is somewhat unique in that I have a requirement to use all public IPs for all interfaces, so no private internal addresses on the interface side. I have both static and nat 0 items, and I'm afraid this may be my problem. I'm not sure if this is correct. To add to the mix of interesting things, I am setting the new interface for the DMZ up using a sub-interface for the first time. I don't have access to the 6500 that feeds the DMZ VLAN, but I am told the port is in trunk mode with the VLAN in question not set as the native VLAN. I am setting it up this way as I will need to add some additional networks in the near future, which this will allow me to do.
Here are the basics of my config. I'm leaving out ACLs at this time for simplicity. IPs are changed; all interfaces use public IPs, and the RFC 1918 networks you see are for a few L2L tunnels I have. It is in routed mode. I can post the whole thing if needed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.130 255.255.255.224
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 2.2.2.1 255.255.254.0
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/2.22
 description VLAN 22 DMZ network
 vlan 22
 nameif DMZ
 security-level 50
 ip address 3.3.3.161 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 2.2.2.224 255.255.255.224
access-list inside_nat0_outbound extended permit ip 2.2.2.0 255.255.254.0 2.2.2.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 2.2.2.0 255.255.254.0 172.16.170.144 255.255.255.240
access-list inside_nat0_outbound extended permit ip host 2.2.2.63 65.44.68.208 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.10.24.0 255.255.255.128
access-list dmz_nat0_outbound extended permit ip 3.3.3.160 255.255.255.224 3.3.3.160 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 2.2.2.0 255.255.254.0
nat (DMZ) 0 access-list dmz_nat0_outbound
nat (DMZ) 0 3.3.3.160 255.255.255.224
static (inside,outside) 2.2.2.0 2.2.2.0 netmask 255.255.254.0
static (DMZ,outside) 3.3.3.160 3.3.3.160 netmask 255.255.255.224
static (inside,DMZ) 2.2.2.0 2.2.2.0 netmask 255.255.254.0
access-group 101 in interface outside
access-group internal in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.129 1
The inside interface works, no problem. The DMZ interface, however, doesn't seem to have any traffic when I do show int DMZ. I have a box in that network. I try to go out to the outside and nothing works. I try to go from inside to DMZ: nothing. Part of me wonders if the 6500 is configured correctly, but everything I'm told says it is. I can't help but think my NAT statements are messed up.
Please help.
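Added example, not part of the original post and not the poster's own tool: a small Python parser for the ASA 8.2-style NAT lines quoted above. It reports, for a given flow, every nat 0 / static / nat statement that would match it, listed in the pre-8.3 evaluation order (NAT exemption via nat 0 access-list first, then static, then dynamic nat, where nat 0 without an ACL is identity NAT), and checks that every interface name used by nat/static has a nameif. The sample hosts (3.3.3.170, 2.2.2.10, 8.8.8.8) are constructed for illustration; the config text is copied from the post. It does not diagnose the problem, it only makes visible which statements overlap for each direction.

```python
"""Parse ASA 8.2-style NAT statements and list which ones match a flow.
Added illustration; the evaluation order (exemption, static, dynamic) is
the documented pre-8.3 order. Sample flows below are constructed."""
import ipaddress

# NAT-relevant lines copied from the posted config (nameif lines included
# so interface references can be validated).
CONFIG = """
nameif outside
nameif inside
nameif DMZ
access-list inside_nat0_outbound extended permit ip any 2.2.2.224 255.255.255.224
access-list inside_nat0_outbound extended permit ip 2.2.2.0 255.255.254.0 2.2.2.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 2.2.2.0 255.255.254.0 172.16.170.144 255.255.255.240
access-list inside_nat0_outbound extended permit ip host 2.2.2.63 65.44.68.208 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.10.24.0 255.255.255.128
access-list dmz_nat0_outbound extended permit ip 3.3.3.160 255.255.255.224 3.3.3.160 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 2.2.2.0 255.255.254.0
nat (DMZ) 0 access-list dmz_nat0_outbound
nat (DMZ) 0 3.3.3.160 255.255.255.224
static (inside,outside) 2.2.2.0 2.2.2.0 netmask 255.255.254.0
static (DMZ,outside) 3.3.3.160 3.3.3.160 netmask 255.255.255.224
static (inside,DMZ) 2.2.2.0 2.2.2.0 netmask 255.255.254.0
"""


def _addr(tok):
    """Consume one ACL address spec: 'any' | 'host A' | 'A MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]


def parse(text):
    cfg = {"ifcs": set(), "acl": {}, "nat0_acl": {}, "nat0_net": {}, "static": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            cfg["ifcs"].add(t[1])
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _addr(t[5:])
            dst, _ = _addr(rest)
            cfg["acl"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2] == "0":
            ifc = t[1].strip("()")
            if t[3] == "access-list":          # NAT exemption
                cfg["nat0_acl"].setdefault(ifc, []).append(t[4])
            else:                              # identity NAT
                cfg["nat0_net"].setdefault(ifc, []).append(
                    ipaddress.ip_network(f"{t[3]}/{t[4]}"))
        elif t[0] == "static":
            # static (real_ifc,mapped_ifc) MAPPED REAL netmask MASK
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            mapped = ipaddress.ip_network(f"{t[2]}/{t[5]}")
            real = ipaddress.ip_network(f"{t[3]}/{t[5]}")
            cfg["static"].append((real_ifc, mapped_ifc, real, mapped))
    return cfg


def undefined_interfaces(cfg):
    """Interface names used by nat/static that have no nameif."""
    used = set(cfg["nat0_acl"]) | set(cfg["nat0_net"])
    for r, m, _, _ in cfg["static"]:
        used |= {r, m}
    return sorted(used - cfg["ifcs"])


def matching_rules(cfg, src_ifc, dst_ifc, src_ip, dst_ip):
    """All NAT statements a flow src_ifc->dst_ifc would match, in the order
    the ASA consults them. The box stops at the first category that matches,
    so entries after the first are shadowed (or redundant identity rules)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = []
    # 1. NAT exemption: matched on the ACL's source AND destination.
    for name in cfg["nat0_acl"].get(src_ifc, []):
        for s, d in cfg["acl"].get(name, []):
            if src in s and dst in d:
                hits.append(f"nat ({src_ifc}) 0 access-list {name} [exempt]")
    # 2. static: forward (real side initiating) or reverse (toward mapped address).
    for rifc, mifc, real, mapped in cfg["static"]:
        kind = "identity" if real == mapped else "translate"
        if rifc == src_ifc and mifc == dst_ifc and src in real:
            hits.append(f"static ({rifc},{mifc}) {mapped} [{kind}]")
        elif rifc == dst_ifc and mifc == src_ifc and dst in mapped:
            hits.append(f"static ({rifc},{mifc}) {mapped} [{kind}, reverse]")
    # 3. identity NAT (nat 0 without an ACL): matched on source only.
    for net in cfg["nat0_net"].get(src_ifc, []):
        if src in net:
            hits.append(f"nat ({src_ifc}) 0 {net} [identity]")
    return hits


def exemption_destinations(cfg, ifc):
    """Destination networks the nat 0 access-list on ifc actually exempts."""
    return sorted(str(d) for name in cfg["nat0_acl"].get(ifc, [])
                  for _, d in cfg["acl"].get(name, []))


CFG = parse(CONFIG)

if __name__ == "__main__":
    print("undefined interfaces:", undefined_interfaces(CFG))
    for flow in [("DMZ", "outside", "3.3.3.170", "8.8.8.8"),   # constructed hosts
                 ("inside", "DMZ", "2.2.2.10", "3.3.3.170"),
                 ("DMZ", "inside", "3.3.3.170", "2.2.2.10")]:
        print(flow, "->", matching_rules(CFG, *flow))
    print("DMZ nat 0 ACL exempts only destinations:", exemption_destinations(CFG, "DMZ"))
```

Run it and the output shows that a DMZ host going to the Internet never hits the exemption ACL (dmz_nat0_outbound only covers destinations inside 3.3.3.160/27) and instead lands on the identity static, with the nat (DMZ) 0 identity rule shadowed behind it; inside-to-DMZ likewise rides the static (inside,DMZ) identity. The on-box equivalent of this check is packet-tracer, e.g. `packet-tracer input DMZ tcp 3.3.3.170 1025 8.8.8.8 80`, whose NAT and ACL phases tell you whether the translation or the access-list is what drops the packet, and `show interface GigabitEthernet0/2.22` tells you whether any frames tagged VLAN 22 are arriving from the 6500 at all.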