Nat Exempt Issue FWSM 4.1(12)

Ryan Harris
Level 1

Hi,

I am trying to use NAT exemption for our publicly routable IP space (for a web server in this case) so that people from the outside can connect to it using its actual IP and it is seen as coming from its actual IP. Running sh xlate shows that the public IP is in fact being "nat'd" to itself. The problem is that the server with the public IP cannot get out to the internet. It works fine connecting to other boxes on the internal networks on the FWSM, just not when trying to go out. It works fine if I NAT it like all of our other non-routable networks using the global (outside) 1 x.x.x.x netmask 255.255.255.240, but that defeats the purpose.

Thanks for the help. Relevant config below.

interface Vlan248
 nameif public
 security-level 100
 ip address x.x.x.65 255.255.255.192

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list INTERNET extended permit ip any any
access-list OUTSIDE-IN extended permit ip any host x.x.x.66 (web server) 
access-list OUTSIDE-IN extended permit icmp any host x.x.x.66 (web server)
access-list PUBLIC-OUT extended permit ip any host x.x.x.66 (web server)
access-list PUBLIC-OUT extended permit icmp any host x.x.x.66 (web server)

access-list public_nat0_outbound remark Exempt Public IP's from NAT
access-list public_nat0_outbound extended permit ip x.x.x.64 255.255.255.192 any

nat-control
global (outside) 1 129.92.247.4 netmask 255.255.255.240
nat (inside) 1 10.9.0.0 255.255.255.0
nat (public) 0 access-list public_nat0_outbound

access-group INTERNET in interface public
access-group PUBLIC-OUT out interface public

access-group OUTSIDE-IN in interface outside

I currently have the ACLs configured to allow all traffic from the outside (or inside networks, for that matter) to the web server. I will lock that down tighter once I figure out this problem.

Thanks for any help or suggestions.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Were these servers with public IP addresses previously NATed to some other public IP address? Or was this public IP address just now added to the FWSM?

If you are indeed doing NAT0 for the public subnet, have you made sure that the upstream router and ISP have a return route for that public subnet towards your FWSM "outside" interface, so that there is a return route for all the traffic from the server to the Internet and, naturally, that all traffic from the Internet has a route to the actual server?

Sadly, the FWSM doesn't have the "packet-tracer" command which the ASA has, so we can't use that to confirm the NAT behaviour.

If it's not a routing problem then I think you might need to capture traffic on the FWSM or server, perhaps.

Or maybe go through the whole NAT configuration.

- Jouni


2 Replies

Ryan Harris
Level 1

Thank you for the reply. You were right that I needed a route on the upstream router pointing to the FWSM "outside" interface. I was so focused on just the FWSM that I forgot about the router.

Thanks for your help.
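To illustrate the diagnosis above, here is an added Python model (not code from the thread or from Cisco) of the FWSM NAT decision for the posted config together with the upstream router's return-route lookup. All addresses are constructed: 203.0.113.64/26 stands in for the x.x.x.64/26 public subnet, 129.92.247.2 for the FWSM outside address and 198.51.100.1 for the ISP next hop. It shows why hosts hidden behind the global PAT address get replies without any extra route, while the NAT-exempt server does not until the router has a route for its subnet pointing at the FWSM.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the post's addresses: 203.0.113.64/26 plays the
# x.x.x.64/26 public subnet behind "public"; 129.92.247.0/28 is assumed to be
# the link between the FWSM "outside" interface and the upstream router.
NAT0_SOURCES = [ip_network("203.0.113.64/26")]  # nat (public) 0 access-list ...
PAT_SOURCES = [ip_network("10.9.0.0/24")]       # nat (inside) 1 10.9.0.0 ...
PAT_GLOBAL = ip_address("129.92.247.4")         # global (outside) 1 129.92.247.4
FWSM_OUTSIDE = ip_address("129.92.247.2")       # constructed FWSM outside IP
ISP_UPLINK = ip_address("198.51.100.1")         # constructed default next hop
CONNECTED = "connected"                         # directly attached network

def translate(src):
    """Source address the Internet sees after the FWSM applies its NAT rules."""
    src = ip_address(src)
    if any(src in net for net in NAT0_SOURCES):
        return src         # NAT exemption: the real address leaves unchanged
    if any(src in net for net in PAT_SOURCES):
        return PAT_GLOBAL  # dynamic PAT: hidden behind the global address
    # nat-control is on, so a host with no matching nat rule cannot pass at all
    raise ValueError(f"no NAT rule for {src}")

def next_hop(table, dst):
    """Longest-prefix lookup; table is a list of (network, next hop) tuples."""
    matches = [(net, hop) for net, hop in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def return_path_ok(table, src):
    """True if the upstream router hands replies for this host back to the FWSM:
    via a route whose next hop is the FWSM outside address, or because the
    translated address sits on the shared link (FWSM answers ARP for it)."""
    hop = next_hop(table, translate(src))
    return hop == CONNECTED or hop == FWSM_OUTSIDE

# Upstream router as in the original post: it knows the shared link and a
# default route towards the ISP, but nothing about the NAT-exempt subnet.
UPSTREAM_BEFORE = [
    (ip_network("129.92.247.0/28"), CONNECTED),
    (ip_network("0.0.0.0/0"), ISP_UPLINK),
]
# After the fix reported in the thread: a route for the public subnet whose
# next hop is the FWSM outside interface.
UPSTREAM_AFTER = UPSTREAM_BEFORE + [(ip_network("203.0.113.64/26"), FWSM_OUTSIDE)]

if __name__ == "__main__":
    for label, table in (("before", UPSTREAM_BEFORE), ("after", UPSTREAM_AFTER)):
        for host in ("10.9.0.5", "203.0.113.66"):
            print(label, host, "seen as", translate(host),
                  "reply returns to FWSM:", return_path_ok(table, host))
```

Without the route, replies to the NAT-exempt server follow the router's default route towards the ISP instead of coming back to the FWSM, which matches the symptom in the original post (xlate present, no outbound connectivity).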
