Thanks for your reply siddhartham. The wireless users are in the DMZ zone.

Thanks for your reply. I will try this later but I'm not sure that I can achieve this with an access-list only. I'll post details later.

Hello,

As you asked just for an ACL, I thought you already had the NAT.

Lets say the ip address of the Inside server is 10.10.10.2 and the DMZ subnet is 192.168.12.0

You want to nat the Inside server on the DMZ to 192.168.12.3

Here is what you need

object network Inside_server

host 10.10.10.2

object network DMZ_Server_global

host 192.168.12.3

nat (inside,dmz) source static  Inside_server  DMZ_Server_global

access-list dmz permit tcp x.x.x.x 255.255.255.0 (dmz subnet) host 10.10.10.2 (inside email server) eq 443

access-list dmz permit tcp x.x.x.x 255.255.255.0 (dmz subnet) host 10.10.10.2 (inside email server) eq 25

Do rate all the helpful posts!!

Many thanks jcarvaja for the update. I'll test this out tonight and post details.

Best regards,

Eric

Hello Eric,

My pleasure, I will be more than glad to help.

Regards,

Do rate all the helpful posts

Hi jcarvaja,

Thanks again but your suggested solution does not appear to work.

Just to clarify:

1. We do not have any servers on the dmz network. All we use that for is allow connections from smart phones through a wireless access point out to the internet.

2. The smartphones are able to access the internet but cannot access the public address of the Exchange server. We need to be able to allow ssl access only (from all mobile devices on the dmz) to the exchange public interface.

Found the following link which highlights a similar scenario but I'm not sure if the commands will work for ASA 8.4

https://supportforums.cisco.com/thread/2124287

.. appreciate any further help.

/Slipz

Hi Eric,

First thing u may need to have an acl created for dmz zone to permit https from dmz zone subnet to email server.

Also you need to check on the routing if any infra present in the inside zone.

access-list permit tcp host eq https

access-list deny ip any any

Check if there is any hits when you try to access web mail through mobiles. If hits present for that... then you may need to check on the routing and other stuffs related to dmz.

Please let me know if this helps...

Greetings All,

Did a search on Google for a problem that sounds much like this one and found this thread. Did the above fix the problem? I'm not quite clear where the ACL was applied if the public addresses are not on an interface. I have the same situation; public IPs are defined in the NAT rules, but not associated with an interface. Thanks.