Cannot Access DMZ from Internal

logintck
Level 1

I am a beginner with ASA. I found that I can't access the DMZ from the Internal segment. Can anyone give me a hint?

I attach my config

8 Replies

logintck
Level 1

attachment

Since your interfaces inside and dmz are on the same security level, you don't need to do any NAT.

Try this.

access-list DMZ_access_in extended permit ip 192.168.89.0 255.255.255.0 192.168.88.0 255.255.255.0

access-group DMZ_access_in in interface DMZ

static (inside,DMZ) 192.168.88.0 192.168.88.0 netmask 255.255.255.0

Thanks for your help.

I changed the security level of the DMZ and added your suggested commands, but I still fail to access the DMZ from internal.

Please help. :(

Config file

Hi Don

Try this

no static (inside,DMZ) 192.168.88.0 192.168.88.0 netmask 255.255.255.0

static (DMZ,inside) 192.168.89.0 192.168.89.0 netmask 255.255.255.0

Regards

Don,

Since you want to reach the DMZ from inside, please ignore my above comment. Plus, you don't need an ACL for this. Make the following changes in your config, then post the most recent config.

You don't have a global statement. Are you sure that your inside can connect to the internet?

no nat (inside) 0 0.0.0.0 0.0.0.0

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

no access-group DMZ_access_in in interface DMZ

no access-list DMZ_access_in extended permit ip 192.168.89.0 255.255.255.0 192.168.88.0 255.255.255.0

Above are necessary. And one of the following is necessary. It is either

global (dmz) 1 interface

or

static (inside,DMZ) 192.168.88.0 192.168.88.0 netmask 255.255.255.0

After you are done, run the following

clear xlate

This will temporarily disconnect all connections.

Regards
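
The rule stated in the reply above (a dynamic nat rule on the source interface needs either a global with the same id on the destination interface or a static for that interface pair) can be checked mechanically against a pre-8.3 ASA config. This is an added example, not part of the thread or of any Cisco tool; the function name, the interface list and the sample config lines are constructed for illustration and are not the poster's attached config.

```python
import re

# Constructed sample lines in pre-8.3 ASA syntax (not the attached config).
SAMPLE_BEFORE = """\
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""
# Same config after adding the static suggested in the thread.
SAMPLE_AFTER = SAMPLE_BEFORE + (
    "static (inside,DMZ) 192.168.88.0 192.168.88.0 netmask 255.255.255.0\n"
)

# Anchored at line start, so "no nat ..." / "no static ..." lines are ignored.
NAT = re.compile(r"^nat \((\S+?)\) (\d+) ", re.M)
GLOBAL = re.compile(r"^global \((\S+?)\) (\d+) ", re.M)
STATIC = re.compile(r"^static \((\S+?),(\S+?)\) ", re.M)


def missing_translations(config, interfaces):
    """Return sorted (src, dst) pairs where src has a dynamic nat rule but
    dst has neither a global with the same nat id nor a static for the pair."""
    # Assumption: interface names are compared case-insensitively, since the
    # thread itself writes both "DMZ" and "dmz".
    text = config.lower()
    globals_ = set(GLOBAL.findall(text))   # {(interface, nat_id)}
    statics = set(STATIC.findall(text))    # {(real_if, mapped_if)}
    missing = set()
    for src, nat_id in NAT.findall(text):
        if nat_id == "0":
            continue  # nat id 0 is identity NAT / exemption: no global needed
        for dst in (name.lower() for name in interfaces):
            if dst == src:
                continue
            if (dst, nat_id) in globals_ or (src, dst) in statics:
                continue
            missing.add((src, dst))
    return missing and sorted(missing) or []


if __name__ == "__main__":
    names = ["inside", "outside", "DMZ"]  # hypothetical nameif list
    print("before:", missing_translations(SAMPLE_BEFORE, names))
    print("after: ", missing_translations(SAMPLE_AFTER, names))
```
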

logintck
Level 1

Thank you, all of you. I fixed the issue according to the recommendation.

Hi Don

Please rate the posts with highest grade (if it fixed your issue) and click on resolved my issue, which fixed the issue. Rating does not cost any fee.

http://forums.cisco.com/eforum/servlet/NetProf?page=help_rating

Regards