I have lab with the same config but on ASA 8.4(2) and in this lab everything is ok, but in production when i changed

nat(dmz,outside) to nat(dmz,any) i cant access the dmz host by public ip from inside interface, at the same time in lab it works.

I have no problem with access the dmz host from outside interface  in the both cases.

nat (inside,outside) source dynamic LANSUBNET outside_wlan

nat (dmz,any) source static dmz_srv pub_srv

Hi,

Can you test the problematic connection with the "packet-tracer" command and copy/paste output here.

I guess the command would be something like this

packet-tracer intput inside tcp

Where

• user source ip = Is the IP address of the user behind the "inside" that cant access the DMZ server with the public IP address
• dmz nat ip = Is the IP address that the DMZ server is NATed to towards "outside" and "inside"

If the above NAT configurations are all your current configurations truly then I would suggest the following changes

Remove them and configure them again as follows

Default PAT

object-group network DEFAULT-PAT-SOURCE

network-object

object network PAT

host

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PAT

OR IF YOU USE THE "outside" INTERFACE AS THE PAT IP THEN USE

object-group network DEFAULT-PAT-SOURCE

network-object

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Static NAT

object network DMZ-STATIC

host

nat (dmz,any) static

I guess you could first try the "packet-tracer" command though. Though I suspect you might be running in to problem with the order of the NAT configuration

Maybe this

nat (inside,outside) source dynamic LANSUBNET outside_wlan

nat (dmz,any) source static dmz_srv pub_srv

Should be this

nat (dmz,any) source static dmz_srv pub_srv

nat (inside,outside) source dynamic LANSUBNET outside_wlan

Not really sure

- Jouni

The problem was in routing on the host(dmz_srv).  The ASA config was ok.

Thanks Jouni for your help.