Hello everyone,

Inside is on gigabitEthernet0/1 ip 192.9.200.254

I have a dmz on gigabitEthernet2 ip 192.168.100.254

I need to pass port 443 from outside to dmz ip 192.168.100.80 and open port 1433 from 192.168.100.80 to the inside network. 

I believe this will work for port 443:

object network dmz
subnet 192.168.100.0 255.255.255.0

object network webserver
host 192.168.100.80

object network webserver
nat (dmz,outside) static interface service tcp 443 443

access-list Outside_access_in extended permit tcp any object webserver eq 443
access-group Outside_access_in in interface Outside

However...How would I open only port 1433 from dmz to inside?

At the bottom of this message is my config if it helps.

Thanks,

John Clausen

Config:

: Saved
:
ASA Version 9.1(2) 
!
hostname ciscoasa-gcs
domain-name router.local
enable password f4yhsdf.4sadf977 encrypted
passwd f4yhsdf.4sadf977 encrypted
names
ip local pool vpnpool 192.168.201.10-192.168.201.50
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 123.222.222.212 255.255.255.224 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.9.200.254 255.255.255.0 
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 100
 ip address 192.168.100.254 255.255.255.0 

!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
ftp mode passive
dns server-group DefaultDNS
 domain-name router.local
object network inside-subnet
 subnet 192.9.200.0 255.255.255.0
object network netmotion
 host 192.9.200.6
object network inside-network
 subnet 192.9.200.0 255.255.255.0
object network vpnpool
 subnet 192.168.201.0 255.255.255.192
object network NETWORK_OBJ_192.168.201.0_26
 subnet 192.168.201.0 255.255.255.192
object network NETWORK_OBJ_192.9.200.0_24
 subnet 192.9.200.0 255.255.255.0
access-list outside_access_in extended permit icmp any4 any4 log disable 
access-list Outside_access_in extended permit udp any object netmotion eq 5020 
access-list split standard permit 192.9.200.0 255.255.255.0 
access-list VPNT_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500

mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside-network inside-network destination static vpnpool vpnpool
nat (inside,outside) source static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24 destination static NETWORK_OBJ_192.168.201.0_26 NETWORK_OBJ_192.168.201.0_26 no-proxy-arp route-lookup
!
object network netmotion
 nat (inside,outside) static interface service udp 5020 5020 
!
nat (inside,outside) after-auto source dynamic any interface
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.222.222.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.9.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400

crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400

crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.9.200.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 regex "Intel Mac OS X"
 anyconnect enable
 tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
 dns-server value 192.9.200.13
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value router.local
group-policy VPNT internal
group-policy VPNT attributes
 dns-server value 192.9.200.13
 vpn-tunnel-protocol ikev1 l2tp-ipsec 
 split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNT_splitTunnelAcl
 default-domain value router.local
username grimesvpn password 7.wersfhyt encrypted
username grimesvpn attributes
 service-type remote-access
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool vpnpool
 default-group-policy SSLVPN
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
tunnel-group VPNT type remote-access
tunnel-group VPNT general-attributes
 address-pool vpnpool
 default-group-policy VPNT
tunnel-group VPNT ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:36271b5a1b9382621e14c3aa635e2fbb
: end