Yes. So DMZ is 192.168.1.x, Inside is 10.0.0.1 with a route that all 192.168.100.x traffic goes to 10.0.0.2 which is an ISA appliance. There's a static route like this:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

so that all traffic from 192.168.1.x and 192.168.100.x can move between each other. The 192.168.1.x on the DMZ cannot seem to get to the 192.168.100.x because the inside doesn't seem to be taking that 192.168.100.x request and passing it on to 10.0.0.2 (the ISA box).

Here's the inside rule:

route inside 192.168.100.0 255.255.255.0 10.0.0.2 1

Not to be nitpicky but the "static" statements aren't routes, they define address translations.

You need a global statement for your dmz, to tell the box what addresses your inside hosts should use when they talk to the dmz. I always miss that part when I add an interface.

Thanks, I'm no routing expert. So the statics are just static NAT's?

Anyway, are you talking about the global I get when I put in "show global"? Currently it just says this:

global (outside) 1 209.193.133.73

I attached my config to my first post if you need to see any more of it.

That's correct, the statics are just NATs (although they can also do much more).

The global statement will just do for your dmz what you already have set up for your inside - a global statement for the outside and a nat statement that specifies what inside addresses can use the outside address. So you might use:

global (dmz) 1

The index number (in this case 1) has to match between the global and nat statements. You could use index 2 (or whatever) if you had another group of inside addresses that you wanted to assign to a different outside address.

It took me a long time to get used to thinking of the dmz as just another interface, to generalize the concept.

I looked at your config again and now see the static (inside,dmz), and dmz acl, which should take care of addresses. Try narrowing the static mask to class C.

OK so I'll change this:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

to this:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

Correct?

BTW, here's s diagram (made in MS Paint):

ftp://pc:pc1@208.63.124.254/PAGEPixRoute.bmp (2.5MB)

OR slightly blurry jpg 55KB

ftp://pc:pc1@208.63.124.254/PAGEPixRoute.jpg

Thanks!

Update: I tried that, but still cannot reach the 192.168.100.x network.

Sorry to be so chatty. You might try switching to the nat/global approach instead of statics. Put in a global statement for the dmz, and change (temporarily) your nat statements to allow all addresses - 0.0.0.0 0.0.0.0

OK I removed this:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

And put in

global (dmz) 1 192.168.1.2

I then went to routes and tried to add some 0 routes, but it kept saying I couldn't.

Oh, and I can get to the outside just fine from the DMZ. I can ping internet addresses. I just can't figure out why it can't get thru the inside interface and connect with it.

did you do the second part also - change the allowed nat source addresses to 0.0.0.0 0.0.0.0? Which server is initiating the connection, sql or web server? We need to focus on which interface starts the session.

If I am correct, your NAT solution still does not allow for users on the DMZ interface to initate connections to users on the Internal interface.

How about trying -

static (inside, DMZ) 10.x.x.x 10.x.x.x netmask 255.255.0.0 0 0.

Ensure that the access-list is configured for this static command.

Thanks for the input. I had to temporarily remove the ISA box from the equation as there were several other things that it was blocking and we were running short on time for getting an Exchange Cluster up and running so I'll have to look at it again in the future.