For allowing access to the inside from a DMZ IP, I'd usually configure a VIP using an IP in the DMZ network that would map/NAT to an IP on the inside interface and apply the appropriate ACLs/policies to that mapping. This would keep, somewhat, our internal IP schema from DMZ assets... less info is better, right?
I can't for the life of me figure out how to do this on the ASA. All the examples I find just do a typical NAT to where the DMZ server communicates directly with your internal IP.
It looks like to create any virtual IP you have to create a subinterface and then configure the NAT and ACLs to that. Is that how to do this on an ASA? It just didn't seem right to me.
What if the inside IP is not directly on an interface? I need to do something similar, where I need to have a public IP mapped to an internal IP that is a hop away from the ASA, so the ASA does not have an interface in that subnet. It can get to the subnet, and the AnyConnect clients can too. I'm just not sure how to NAT to an IP that is not local to the ASA.
As long as the ASA has a route to the internal subnet (and vice versa), there's no issue NATting that way. In fact, that's more often than not the case with any ASA deployment that services more than a single internal subnet.
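A worked ASA configuration for both the original question and this follow-up, as an added example that is not from the thread or from Cisco's documentation: a static NAT that presents an inside host to the DMZ under an address in the DMZ subnet (no subinterface needed), a route to an inside subnet one hop behind the ASA, and a DMZ ACL scoped to a single service. Interface names, addresses, object names and the ASA 8.3+ syntax are assumptions for illustration.

```cisco
! Assumed: interfaces "inside" and "dmz", ASA 8.3+ object NAT syntax.
! The real host 10.20.30.10 is one hop behind the inside interface, so the ASA
! only needs a route to it, not an interface in that subnet.
route inside 10.20.30.0 255.255.255.0 10.1.1.2 1

! DMZ hosts only ever see 172.16.1.10 (an unused address in the DMZ subnet);
! the ASA proxy-ARPs for it by default, so no extra interface is required.
object network INSIDE-APP
 host 10.20.30.10
 nat (inside,dmz) static 172.16.1.10

! Caveat: from 8.3 onward, ACLs match the REAL (untranslated) address,
! so the DMZ-inbound rule must reference the inside host, not the mapped IP.
object network DMZ-WEB
 host 172.16.1.20
access-list DMZ_IN extended permit tcp object DMZ-WEB object INSIDE-APP eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz

! Verification: trace a DMZ->mapped-IP packet through NAT, route and ACL.
packet-tracer input dmz tcp 172.16.1.20 40000 172.16.1.10 443
```

The packet-tracer output should show the NAT phase translating 172.16.1.10 to 10.20.30.10, the route lookup selecting the inside next hop, and the ACL phase permitting only TCP/443; any other DMZ-sourced attempt is logged by the explicit deny.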