please provide also the packet-tracer-output.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

packet tracert from asa to mail server?

i puted the picture when traffic come on outside interface)public address of mail server). i tested ping from outside interface on 8.8.8.8 it works but from dmz interface it's not works.

asa# packet-tracer input DMZ icmp 172.16.20.200 8 0 1.2.3.4

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

result is:

[code]

asa5510# packet-tracer input DMZ icmp 172.16.20.200 8

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_defau

match default-inspection-

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_poli

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

object network mail_server

nat (DMZ,outside) static x.x.x.179

Additional Information:

Static translate 172.16.20.200/0 to x.x.x.179/0

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 27, packet dispatched to next module

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

[/code]

i noticied that when i try access to my mail server from inside network i can ping but i can't access web mail on port 1000, https 444 etc...

The packet-tracer says that you should be able to ping to the internet. If these services also don't work it's very likely that your server has a problem.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

maybe problem with my provider?

what do you think about port forwarding mail server?

when i put my mail server direct on public ip x.x.x.179 he can ping for example 8.8.8.8. there's problem with my dmz zone on asa 5510. i can't access from zone security-level 50 to zone security-level 0, also i can't access from security-level 100 to security-level 50. Cisco say default that i can do without access-rules.

what i do?

It's very likely that there is something wrong with your server.

Enable logging:

logging enable

logging buffered informational

When you ping 8.8.8.8 from your DMZ-server, do you see anything in the logs?

show logging

do you see hit-counts in the ACL?

sh access-list DMZ_access_in

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

because of problems with mail server in my company i placed in outside_interface on address x.x.x.179 and he have directly public address. i proceed the testing from my inside LAN 192.168.0.0/24. From inside i can ping this mail server but i can't access for example remote desktop, not services on mail server. the same case like yesterday i can't access from high priority to low priority security level on asa 5510. my logging when i try access to remote desktop of mail server is

deny tcp connection (no connection) from 192.168.0.54/49351 to x.x.x.179 /3389 flags RST on interface inside

built outbound tcp connection 46632 for outside: 178.254.133.19/3389(178.254.133.179) to inside: 192.168.0.54/49351

What is your actual config after moving the server to the outside?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

configuration of my asa 5510 is:

ASA Version 8.4(2)

!

hostname asa5510

domain-name domen.coml

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address x.x.x.178 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.10 255.255.255.0

!

interface Ethernet0/2

description Mreza za virtualne masine- mail server, wsus....

nameif DMZ

security-level 50

ip address 172.16.20.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name dri.local

object network VPN-POOL

subnet 192.168.50.0 255.255.255.0

description VPN Client pool

object network LAN-NETWORK

subnet 192.168.0.0 255.255.255.0

description LAN Network

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network 192.168.0.10

host 192.168.0.10

object service ssl

service tcp destination eq 465

object service tls

service tcp destination eq 995

object network mail_server

host 172.16.20.200

object service StartTLS

service tcp destination eq 587

object service admin_port

service tcp destination eq 1000

object service ODMR

service tcp destination eq 366

object service SSL-IMAP

service tcp destination eq 993

object network remote

host 172.16.20.200

object network test

host 192.168.0.22

object network mail

host 172.16.20.200

object network DMZ

host 172.16.20.200

object network Inside_DMZ

host 192.168.0.20

object service rdp

service tcp destination eq 3389

object-group network PAT-SOURCE-NETWORKS

description Source networks for PAT

network-object 192.168.0.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object tcp

service-object icmp echo-reply

service-object tcp destination eq domain

object-group service DM_INLINE_SERVICE_3

service-object ip

service-object tcp

service-object object rdp

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any 192.168.0.0 255.255.255.0

access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any

access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list DMZ_access_in extended permit tcp any any eq echo

access-list outside_dmz extended permit tcp any host x.x.x.179 eq smtp

access-list outside_dmz extended permit tcp any host x.x.x.179 eq pop3

access-list DMZ_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.20

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu management 1500

ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL

access-group outside_access_in in interface outside

access-group DMZ_access_in_1 in interface DMZ

route outside 0.0.0.0 0.0.0.0 x.x.x.177 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

action terminate

dynamic-access-policy-record dripolisa

aaa-server domen protocol ldap

aaa-server domen (inside) host 192.168.0.20

ldap-base-dn DC=domen,DC=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=dragan urukalo,OU=some,OU=some,OU=some,DC=domen,DC=com

server-type microsoft

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

virtual telnet 192.168.1.12

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer x.x.x.223

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.0.0 255.255.255.0 inside

telnet 192.168.1.0 255.255.255.0 management

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.0.14-192.168.0.45 inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_x.x.x.223 internal

group-policy GroupPolicy_x.x.x.223 attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy drivpn internal

group-policy drivpn attributes

dns-server value 192.168.0.20 192.168.0.254

vpn-simultaneous-logins 10

vpn-idle-timeout 30

vpn-tunnel-protocol ikev1 l2tp-ipsec

split-tunnel-network-list value Split_Tunnel_List

default-domain value dri.local

username driadmin password AojCAMO/soZo8W.W encrypted privilege 15

tunnel-group drivpn type remote-access

tunnel-group drivpn general-attributes

address-pool vpnadrese

authentication-server-group domen

default-group-policy drivpn

tunnel-group drivpn ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group x.x.x.223

type ipsec-l2l

tunnel-group x.x.x.223

general-attributes

default-group-policy GroupPolicy_x.x.x.223

tunnel-group 195.222.96.223 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect http

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:eb77b38e3dfe0b52e655fac7854e7e2c

: end