
DMZ static nat!

Azubuike Obiora
Level 1

Hi Experts,

I believe everyone is doing OK and getting along with what you are doing? I have this funny scenario that happened on an ASA 8.4 I configured recently for DMZ static NAT. See the topology attached.

I did configure the inside with a PAT

object network INSIDE
 subnet 192.168.200.0 255.255.255.0
 nat (inside,outside) dynamic interface

That is working perfectly for inside to outside. So I have this server on the DMZ, some edge mail server for the client that is meant for the outside world to reach. Sure enough I was happy that with the ASA 8.4 software, doing DMZ static NAT, I don't have to do an ACL to allow access anymore; I mean I thought that had been deprecated on the 8.3 and higher releases.

I went on configuring the DMZ static nat like this

object network DMZ_MAILEDGE_SERVER
 host 172.16.1.2
object network DMZ_GLOBAL
 host 1.1.1.2
object network DMZ_MAILEDGE_SERVER
 nat (dmz,any) static DMZ_GLOBAL

I was happy that finally I get to feel what the new DMZ config on 8.4 should feel like... I tried pinging my DMZ server from outside, no joy at all. Did all I could do, even had to cross-check the internet for config samples; everything looked good. Still no joy.

Then I thought of creating an access list to permit IP from the OUTSIDE interface to the DMZ, like so:

access-list outside_access_in extended permit ip any object DMZ_MAILEDGE_SERVER

Then my pings started going through for me to reach the server.

I don't know, it feels all weird to me, since I was expecting configs 1 and 2 to get things going for me on software 8.4, not until I had to add config 3.

Please, someone should tell me I am getting it all wrong and let me know what I did wrongly!

Thanks

Teddy

*********************************************************************************************************************************************************************************

OK, I know the first part of the situation is solved and I'm grateful to Jouni who elaborated on it for me. But I have yet another pending situation that I could use some help with here, and really wouldn't mind being told this is where I got it all wrong.

So finally I could reach the server on the DMZ from outside via the static NAT. Yay!!! But I have some services that need to be reached on the mail server on the DMZ side of the network.

Services like:

  dns 53, 193
  smtp 25

My question is, do I place the access list to permit these services from outside to DMZ like this below?

access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix
access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain
access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp

OR THIS

access-list outside_access_dmz extended permit udp any eq dnsix object DMZ_MAILEDGE_SERVER eq dnsix
access-list outside_access_dmz extended permit udp any eq domain object DMZ_MAILEDGE_SERVER eq domain
access-list outside_access_dmz extended permit tcp any eq smtp object DMZ_MAILEDGE_SERVER eq smtp

Which direction would be more appropriate to go via?

Also from the front end mail server, if I try to ping the internet, say a domain name like www.yahoo.com, it would only resolve the name but the pings are not going through.

Thanks for your advice in advance.

I say this not to undermine anybody's help, Jouni please if you see this I would also appreciate your contribution too!

Cheers!

Teddy

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

The NAT configurations seem just fine but I would configure the Static NAT a bit differently (doesn't mean you have to though).

What I would do is simply state the public IP address in the NAT configuration rather than configure an "object network" for the public IP address too.

Your configuration is

object network DMZ_MAILEDGE_SERVER
 host 172.16.1.2
object network DMZ_GLOBAL
 host 1.1.1.2
object network DMZ_MAILEDGE_SERVER
 nat (dmz,any) static DMZ_GLOBAL

My version would be

object network DMZ_MAILEDGE_SERVER
 host 172.16.1.2
 nat (dmz,any) static 1.1.1.2

The simple reason for me would be keeping the "object network" count at a minimum and the fact that we don't usually need to reference the public IP address in any ACL configurations.

What you originally saw happening with configurations 1 and 2 configured is to be expected. You will always need configuration 3, which is the ACL to allow the traffic from the "outside".

If the "outside" interface doesn't have any ACL configured then it relies on the "security-level" alone, which should be "0". This usually means that no traffic can enter from "outside" to any other interface on the ASA, because all the other interfaces are above "security-level 0" and traffic is only allowed from HIGHER -> LOWER when there are NO ACLs. So the natural step to allow this traffic is to configure an ACL with the appropriate rules and attach it to the "outside" interface.

Hope this helps

Please remember to mark a reply as the correct answer if it has answered your question.

Naturally ask more if your question wasn't answered.

- Jouni
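The admission logic Jouni describes, as a small Python model added here (it is not ASA code and not from the thread): with no ACL on the ingress interface only higher-to-lower security-level traffic passes, and once an ACL is attached it is matched against the real, untranslated address, which is why config 3 names object DMZ_MAILEDGE_SERVER rather than the public IP. The inside/dmz security levels, "icmp" as the ping protocol and a default route out of "outside" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed security levels; "outside" is 0 as in the answer, the others are guesses.
SEC_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}
# Static NAT from the thread: mapped 1.1.1.2 is real 172.16.1.2 behind "dmz".
STATIC_NAT = {"1.1.1.2": ("dmz", "172.16.1.2")}

@dataclass
class Ace:
    proto: str                   # "ip", "tcp" or "udp"
    dst: str                     # real (untranslated) address or "any"
    dport: Optional[int] = None  # None matches any destination port

@dataclass
class Flow:
    ingress: str                 # interface the packet arrives on
    proto: str
    dst_ip: str                  # destination as seen on the wire at ingress
    dport: Optional[int] = None

def egress_and_real(dst_ip):
    """Undo static NAT: (egress interface, real IP); unknown -> default route."""
    return STATIC_NAT.get(dst_ip, ("outside", dst_ip))

def allowed(flow, acl_by_iface):
    """True if the ASA model admits the flow on its ingress interface."""
    egress, real_dst = egress_and_real(flow.dst_ip)
    acl = acl_by_iface.get(flow.ingress)
    if acl is None:
        # No ACL on ingress: only HIGHER -> LOWER security level passes.
        return SEC_LEVEL[flow.ingress] > SEC_LEVEL[egress]
    for ace in acl:  # 8.3+ matches the REAL address, not the public one
        if (ace.proto in ("ip", flow.proto)
                and ace.dst in ("any", real_dst)
                and ace.dport in (None, flow.dport)):
            return True
    return False  # implicit deny at the end of every ACL

# Config 3 from the thread: permit ip any object DMZ_MAILEDGE_SERVER.
OUTSIDE_ACCESS_IN = [Ace("ip", "172.16.1.2")]
# Service-specific variant: smtp/25 and domain/53 only.
OUTSIDE_ACCESS_IN_SERVICES = [Ace("tcp", "172.16.1.2", 25),
                              Ace("udp", "172.16.1.2", 53)]
# Written against the PUBLIC address: never matches on 8.3+.
OUTSIDE_ACCESS_IN_PUBLIC = [Ace("ip", "1.1.1.2")]

def ping_from_outside(acl_by_iface):
    """The OP's test: ICMP from "outside" to the mapped address 1.1.1.2."""
    return allowed(Flow("outside", "icmp", "1.1.1.2"), acl_by_iface)
```

`ping_from_outside({})` reproduces the silent failure with only configs 1 and 2 in place, and `ping_from_outside({"outside": OUTSIDE_ACCESS_IN})` reproduces the success once config 3 is attached.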


Hello Jouni,

Thanks for your explanation! At one moment I thought I had gone loco, cos I had the thought that ACLs had finally been deprecated on the ASA doing DMZ NATs. I'm fully aware of all you explained in your reply.

Do have yourself a great day and you keep being the blessing that you are to everyone.

Teddy
