05-17-2005 08:44 PM - edited 02-21-2020 12:08 AM
I have a PIX with three interfaces:
inside 172.16.x.x
outside 10.x.x.x
dmz 192.168.x.x
Now I have a switch in the DMZ whose VLAN IP address is 192.168.1.68. Now I want to monitor
this switch from my NMS server, which is in the 10.x.x.x range; its IP address is 10.0.67.100.
What do I need to configure on the PIX?
Thanks in advance
Thanks & Regards
Nataraj
05-17-2005 10:48 PM
static (inside, dmz) 10.x.x.x 10.x.x.x netmask y.y.y.y
05-18-2005 01:14 AM
Is only static NAT enough?
No need to put an access-list?
05-18-2005 02:15 AM
It depends on your configuration.
05-18-2005 02:41 AM
Hi,
I think it will be something like:
!Allow NMS to talk to switch using SNMP
static (dmz,outside) 10.x.x.x 192.168.1.68 netmask 255.255.255.255
access-list acl_out permit udp host 10.0.67.100 host 10.x.x.x eq snmp
access-group acl_out in interface outside
!Allow DMZ to talk out to NMS (snmptraps etc)
global (outside) 1 10.x.x.x
nat (dmz) 1 192.168.1.0 255.255.255.0
HTH
Paddy
05-19-2005 09:43 AM
This is the resolution from a TAC case; it might help.
All devices on both the inside interface of the PIX and the DMZ, for the purpose of this example, need to use their native addresses.
It is necessary to configure a static translation and access for the workstations on the DMZ to reach the inside network.
Note: The static Network Address Translation (NAT) that is required is for the entire inside network, rather than for a single device. The ACL will not differ from the standard, but will be applied to the DMZ interface.
In this example, the inside network will be 192.168.1.0 and the DMZ network will be 10.10.3.0. This allows all traffic to pass between the DMZ and the inside networks.
Issue the following commands to configure static NAT:
pixfirewall> enable
pixfirewall# configure terminal
pixfirewall (config t)# static (inside, DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
What the above statement tells the PIX is that when traffic hits it from the DMZ and is destined for the inside interface's network (192.168.1.0), to translate that address to itself. Any traffic that passes through a PIX must be translated. To satisfy this requirement, the PIX translates any address in this range to itself. This is a one-to-one translation. Because this example uses the same range twice, if traffic destined for 192.168.1.25 hits the PIX, when it is sent out of the inside interface it will remain destined for 192.168.1.25. It does not reassign it a random IP address in the range.
Issue the following commands to configure the ACL:
pixfirewall (config t)# access-list dmztoinside permit ip any any
pixfirewall (config t)# access-group dmztoinside in interface DMZ
After these commands have been issued, you should be able to pass the specified traffic. If there is any problem with passing traffic at that point, issue the clear xlate command.
Note: Issuing this command will temporarily drop active connections. It should re-establish within 10 seconds.
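As an added illustration (not code from this thread, from Cisco or from the TAC case), here is a small Python model of the order in which a PIX 6.x handles a new inbound connection: the access-group bound to the ingress interface is evaluated first, against the packet as it arrived (so on the outside interface the ACL names the mapped 10.x address, which is why Paddy's ACL says `host 10.x.x.x` rather than `host 192.168.1.68`), and only then is the static translation applied; a packet that matches no translation is dropped. It covers both Paddy's SNMP answer and the TAC identity-static resolution. The mapped address 10.0.67.200 for the DMZ switch and the sample DMZ host 10.10.3.5 are assumptions, since the thread writes them as placeholders; the functions `forward`, `acl_permits` and `untranslate` are this example's own names. Later ASA releases (8.3 and newer) evaluate ACLs on real addresses instead, so this model is specific to the PIX generation discussed here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Static:
    """Models: static (real_if,mapped_if) mapped real netmask mask"""
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    netmask: str = "255.255.255.255"   # PIX default when netmask is omitted: one host


@dataclass(frozen=True)
class Ace:
    """One access-list line: action proto src dst [eq dport]"""
    action: str         # "permit" or "deny"
    proto: str          # "ip", "udp" or "tcp"
    src: str            # "any" or "host a.b.c.d"
    dst: str
    dport: Optional[int] = None


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    raise ValueError(f"unsupported address spec {spec!r}")


def acl_permits(acl: list[Ace], pkt: Packet) -> bool:
    """First matching entry wins; a PIX ACL ends with an implicit deny."""
    for ace in acl:
        proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
        port_ok = ace.dport is None or ace.dport == pkt.dport
        if (proto_ok and port_ok
                and _addr_matches(ace.src, pkt.src)
                and _addr_matches(ace.dst, pkt.dst)):
            return ace.action == "permit"
    return False


def untranslate(statics: list[Static], in_if: str, pkt: Packet) -> Optional[tuple[Packet, str]]:
    """For a packet entering on a static's mapped interface whose destination
    lies in the mapped range, rewrite the destination to the real range at the
    same offset and return the rewritten packet with its egress interface.
    An identity static (mapped == real) leaves the address unchanged."""
    dst = ip_address(pkt.dst)
    for s in statics:
        if s.mapped_if != in_if:
            continue
        mapped_net = ip_network(f"{s.mapped}/{s.netmask}", strict=False)
        if dst in mapped_net:
            real_net = ip_network(f"{s.real}/{s.netmask}", strict=False)
            offset = int(dst) - int(mapped_net.network_address)
            real_dst = ip_address(int(real_net.network_address) + offset)
            return Packet(pkt.src, str(real_dst), pkt.proto, pkt.dport), s.real_if
    return None


def forward(statics: list[Static], acls: dict[str, list[Ace]],
            in_if: str, pkt: Packet) -> Optional[tuple[Packet, str]]:
    """PIX 6.x handling of a new inbound connection: ingress ACL on the packet
    as it arrived (mapped addresses), then the static translation.
    Returns (packet as it leaves, egress interface) or None if dropped."""
    if not acl_permits(acls.get(in_if, []), pkt):
        return None          # denied by the access-group on the ingress interface
    return untranslate(statics, in_if, pkt)   # None: no xlate, so the PIX drops it


# Paddy's answer, with the mapped address assumed to be 10.0.67.200
SNMP_STATICS = [Static("dmz", "outside", "10.0.67.200", "192.168.1.68")]
SNMP_ACLS = {"outside": [Ace("permit", "udp", "host 10.0.67.100", "host 10.0.67.200", 161)]}

# TAC resolution: identity static for the whole inside /24, open ACL on the DMZ
TAC_STATICS = [Static("inside", "DMZ", "192.168.1.0", "192.168.1.0", "255.255.255.0")]
TAC_ACLS = {"DMZ": [Ace("permit", "ip", "any", "any")]}

if __name__ == "__main__":
    poll = Packet("10.0.67.100", "10.0.67.200", "udp", 161)   # constructed NMS SNMP poll
    print(forward(SNMP_STATICS, SNMP_ACLS, "outside", poll))
    stray = Packet("10.0.67.101", "10.0.67.200", "udp", 161)  # constructed: unlisted source
    print(forward(SNMP_STATICS, SNMP_ACLS, "outside", stray))
```

The model makes the two defensive points of the thread concrete: the ACL is what narrows reachability (only the NMS host, only UDP/161), while the static only decides whether a translation exists at all, and the TAC `permit ip any any` opens every protocol from the DMZ to the inside, so it should be tightened to the protocols actually needed once connectivity is confirmed.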