01-16-2007 09:33 PM - edited 03-11-2019 02:20 AM
Hi Everyone,
I was wondering if someone can lend a hand and look over this config for me.
The config below appears to work fine: the inside network is able to get out to the internet, and outside users are able to get to the websites hosted in the DMZ and internally.
The problem is that the servers with a static NAT translation are unable to get out to the internet (10.0.0.105, 192.168.0.106, 192.168.107). If I remove the static NAT translation, then they can get internet access, but then outside can't access the websites.
PIX Version 7.2(2)
hostname FIREWALL
name 10.0.0.105 SYSLOG
name 70.x.x.97 INTERNET
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 70.x.x.98 255.255.255.240
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.0.1 255.255.252.0
!
interface Ethernet2
speed 100
duplex full
nameif dmz
security-level 50
ip address 192.168.0.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name domain.NET
access-list NONAT extended permit ip 10.0.0.0 255.255.252.0 10.1.0.0 255.255.252.0
access-list DMZ_NONAT extended permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.252.0
access-list SPLIT_TUNNEL_LIST standard permit 10.0.0.0 255.255.252.0
access-list SPLIT_TUNNEL_LIST standard permit 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 70.x.x.106 eq ftp
access-list outside_access_in extended permit tcp any host 70.x.x.105 eq www
access-list outside_access_in extended permit tcp any host 70.x.x.106 eq www
access-list outside_access_in extended permit tcp any host 70.x.x.107 eq www
ip local pool VPN_POOL 10.1.0.10-10.1.0.254
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 70.x.x.100-70.x.x.101
global (outside) 1 70.x.x.102
global (dmz) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list DMZ_NONAT
nat (dmz) 1 192.168.0.0 255.255.255.0
static (dmz,outside) 70.x.x.106 192.168.0.106 netmask 255.255.255.255
static (inside,outside) 70.x.x.105 SYSLOG netmask 255.255.255.255
static (dmz,outside) 70.x.x.107 192.168.0.107 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 INTERNET 1
group-policy REMOTE_VPN_GP internal
group-policy REMOTE_VPN_GP attributes
dns-server value 10.0.0.100 10.0.0.101
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL_LIST
default-domain value domain.net
crypto ipsec transform-set STRONGER esp-aes esp-sha-hmac
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto ipsec transform-set STRONGEST esp-aes-256 esp-sha-hmac
crypto dynamic-map CLIENT_MAP 1 set transform-set STRONGEST STRONGER STRONG
crypto map VPN_MAP 50 set pfs
crypto map VPN_MAP 50 set transform-set STRONGEST STRONGER STRONG
crypto map VPN_MAP 65535 ipsec-isakmp dynamic CLIENT_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 150
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group REMOTE_VPN type ipsec-ra
tunnel-group REMOTE_VPN general-attributes
address-pool VPN_POOL
default-group-policy REMOTE_VPN_GP
tunnel-group REMOTE_VPN ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ftp
inspect icmp
!
service-policy global_policy global
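To reason about which translation each of these hosts should pick up on the way out, here is a small model of the PIX 7.x outbound NAT lookup order (nat 0 access-list exemption first, then static, then dynamic nat/global). This is an added example, not code from the original post or from Cisco; it parses the NAT-related lines of the config above, with the masked 70.x.x.0/28 block replaced by the constructed placeholder 203.0.113.0/28, and reports the expected translation for a given flow. Statics on the PIX are bidirectional, so the model expects the three static hosts to leave with their mapped public addresses; comparing that expectation against the firewall's own syslog output for those hosts is the check the reply below is pointing at.

```python
"""Model the PIX 7.x outbound NAT lookup order for the posted configuration.

Added example, not from the original post or from Cisco.  Precedence
implemented: nat 0 access-list (exemption), then static, then dynamic
nat/global.  The masked public block 70.x.x.0/28 is stood in for by
203.0.113.0/28 (constructed placeholder, TEST-NET-3).
"""
import ipaddress

# Constructed from the posted config; 70.x.x.N is written as 203.0.113.N.
CONFIG = """
name 10.0.0.105 SYSLOG
access-list NONAT extended permit ip 10.0.0.0 255.255.252.0 10.1.0.0 255.255.252.0
access-list DMZ_NONAT extended permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.252.0
nat-control
global (outside) 1 203.0.113.100-203.0.113.101
global (outside) 1 203.0.113.102
global (dmz) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list DMZ_NONAT
nat (dmz) 1 192.168.0.0 255.255.255.0
static (dmz,outside) 203.0.113.106 192.168.0.106 netmask 255.255.255.255
static (inside,outside) 203.0.113.105 SYSLOG netmask 255.255.255.255
static (dmz,outside) 203.0.113.107 192.168.0.107 netmask 255.255.255.255
"""


def _take_net(tok, i):
    """Consume one PIX address operand at tok[i] ('any', 'host X', or 'addr mask')."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_nat(config):
    """Collect names, NAT ACLs, nat/global/static statements and nat-control."""
    t = {"names": {}, "acls": {}, "nat0": {}, "dyn": [], "globals": {},
         "statics": [], "nat_control": False}
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "name":                      # name <ip> <label>
            t["names"][tok[2]] = tok[1]
        elif tok[0] == "nat-control":
            t["nat_control"] = True
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _take_net(tok, 5)
            dst, _ = _take_net(tok, i)
            t["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat":
            iface = tok[1].strip("()")
            if tok[3] == "access-list":           # nat (if) 0 access-list NAME
                t["nat0"][iface] = tok[4]
            else:                                 # nat (if) <id> <addr> <mask>
                t["dyn"].append((iface, int(tok[2]), _take_net(tok, 3)[0]))
        elif tok[0] == "global":                  # global (if) <id> <pool|interface>
            key = (tok[1].strip("()"), int(tok[2]))
            t["globals"].setdefault(key, []).append(tok[3])
        elif tok[0] == "static":                  # static (real,mapped) <mapped> <real>
            real_if, mapped_if = tok[1].strip("()").split(",")
            mapped = t["names"].get(tok[2], tok[2])
            real = t["names"].get(tok[3], tok[3])
            t["statics"].append((real_if, mapped_if, ipaddress.ip_address(real), mapped))
    return t


def translate(table, src_if, src_ip, dst_ip, dst_if="outside"):
    """Return (kind, mapped_address) for a flow entering src_if and leaving dst_if."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    # 1. Exemption: nat (if) 0 access-list matches on both source and destination.
    acl = table["nat0"].get(src_if)
    if acl and any(src in s and dst in d for s, d in table["acls"].get(acl, [])):
        return ("exempt", str(src))
    # 2. Static translation defined for this (real, mapped) interface pair.
    for real_if, mapped_if, real, mapped in table["statics"]:
        if (real_if, mapped_if) == (src_if, dst_if) and real == src:
            return ("static", mapped)
    # 3. Dynamic: first nat id on src_if containing src, paired with a global
    #    of the same id on dst_if.
    for iface, nat_id, net in table["dyn"]:
        if iface == src_if and src in net:
            pools = table["globals"].get((dst_if, nat_id))
            if pools:
                return ("dynamic", " ".join(pools))
    # With nat-control, a flow that matches no rule is dropped rather than passed.
    return ("dropped" if table["nat_control"] else "untranslated", None)


TABLE = parse_nat(CONFIG)

if __name__ == "__main__":
    for flow in [("dmz", "192.168.0.106", "198.51.100.7"),
                 ("inside", "10.0.0.105", "198.51.100.7"),
                 ("inside", "10.0.0.50", "198.51.100.7"),
                 ("inside", "10.0.0.50", "10.1.0.20"),
                 ("dmz", "172.16.0.9", "198.51.100.7")]:
        print(flow, "->", translate(TABLE, *flow))
```

The destination 198.51.100.7 in the demo stands for an arbitrary internet host (constructed). Running the script shows the three static hosts resolving to their mapped addresses, ordinary inside hosts drawing from the global pool, VPN-bound traffic exempted by the NONAT lists, and a DMZ source outside 192.168.0.0/24 being dropped under nat-control.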
01-19-2007 12:57 AM
Your configuration seems OK, but I would try to create an access-list for the traffic from the DMZ network and attach this access-list to an access-group like you have done with the outside access-list.
Otherwise, please check the log. You should see the error quite clearly there.