06-18-2019 03:57 PM
Hi,
I have two DMZs on an ASA running 9.9 which use separate public IPs to the LAN, and this all works fine, traffic from DMZ2 (10.3.3.0/24) is NAT'd to 1.1.1.4 etc - see attached diagram. What I'm having problems with is I now need to forward inbound traffic to 1.1.1.4 on tcp ports 80 & 443 to the server in DMZ2 (10.3.3.2), and the nat syntax for this is not accepting the commands I have used (I think!?!) in the past on ASA 8.4, which is the last two lines in red.
Config snippet below:
object network obj-dmz1-wan
 host 1.1.1.3
object network obj-dmz1-lan
 subnet 10.2.2.0 255.255.255.0
 nat (dmz1,outside) dynamic obj-dmz1-wan
object network obj-dmz2-wan
 host 1.1.1.4
object network obj-dmz2-lan
 subnet 10.3.3.0 255.255.255.0
 nat (dmz2,outside) dynamic obj-dmz2-wan
object network obj-dmz2-server
 host 10.3.3.2
 nat (dmz2,outside) static 1.1.1.4 service tcp 80 80
 nat (dmz2,outside) static 1.1.1.4 service tcp 443 443
I have tried adding in a service object-group, but again the NAT syntax isn't as clear as I thought:
object-group service obj-dmz2-ports
 service-object tcp destination eq 80
 service-object tcp destination eq 443
nat (dmz2,outside) source static obj-dmz2-wan interface service obj-dmz2-ports
Can someone help untangle this NAT syntax or link to a guide, as I have been googling Cisco docs and searching forums for ages, and I just cannot see through what I'm doing wrong or find a config example!
Thanks.
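Added example, not from the original post or from Cisco: the two port forwards from the snippet above written as object NAT for ASA 9.x. The ASA accepts only one nat statement per network object, so each forwarded port gets its own object; the object names, the ACL name and the packet-tracer source address are assumptions.

```cisco
! Dynamic PAT for DMZ2 outbound traffic, unchanged from the post
object network obj-dmz2-wan
 host 1.1.1.4
object network obj-dmz2-lan
 subnet 10.3.3.0 255.255.255.0
 nat (dmz2,outside) dynamic obj-dmz2-wan

! One network object per forwarded port (object names are assumptions).
! A static rule with the service keyword claims only 1.1.1.4:80 and :443,
! so it coexists with the dynamic PAT on the same public address.
object network obj-dmz2-server-80
 host 10.3.3.2
 nat (dmz2,outside) static obj-dmz2-wan service tcp 80 80
object network obj-dmz2-server-443
 host 10.3.3.2
 nat (dmz2,outside) static obj-dmz2-wan service tcp 443 443

! NAT alone does not admit traffic arriving on a lower-security interface;
! an inbound ACL is still required. Since ASA 8.3 the ACL matches the real
! (untranslated) address, and it permits only the two forwarded ports.
object network obj-dmz2-server
 host 10.3.3.2
access-list outside_in extended permit tcp any object obj-dmz2-server eq 80
access-list outside_in extended permit tcp any object obj-dmz2-server eq 443
access-group outside_in in interface outside

! Verification from exec mode: rule ordering and hit counts, active
! translations, and a simulated inbound connection (source address is
! a constructed example from the documentation range).
show nat detail
show xlate
packet-tracer input outside tcp 198.51.100.10 12345 1.1.1.4 443
```

In the packet-tracer output the NAT phase should show the 443 static rule and the ACCESS-LIST phase the outside_in entry; a DROP in either phase points at the rule that needs fixing.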