I am going nuts trying to figure this one out. I'm new to the ASA, but I've worked with Pix firewalls for years. All I'm doing is some simple one-to-one NAT for HTTPS, SMTP and WWW for an exchange server.

I've got my static NATs:

static (inside,outside) tcp 67.52.38.94 smtp 10.0.0.11 smtp netmask 255.255.255.255

static (inside,outside) tcp 67.52.38.94 www 10.0.0.11 www netmask 255.255.255.255

static (inside,outside) tcp 67.52.38.94 https 10.0.0.11 https netmask 255.255.255.255

I've got my Outside access-list:

access-list outside_access_in extended permit tcp any host 67.52.38.94 eq https

access-list outside_access_in extended permit tcp any host 67.52.38.94 eq smtp

access-list outside_access_in extended permit tcp any host 67.52.38.94 eq www

access-group outside_access_in in interface outside

From what i can tell everything should work. However, syslog is telling me my test connections are being dropped by ACL. When I use the packet trace tool in the ASDM it tells me the explicit deny at the end of my ACL is the reason it is denying the traffic. The maddening thing is my previous ACL entries are matches so why would the implicit deny even be considered?

I'm wondering if this is an issue due to the fact that I have one public IP address to deal with here and it is in use as the outside address on the ASA. However, I've performed similar configs on a Pix with no issues. Finally, I have disabled the http server and SSL VPN to ensure there are no conflicts on ports 80 and 443 for the exchange server.

I have attached a sample config with some of the sensitive data scrubbed. I don't think I have omitted anything that would be affecting the ACL.

Please help - I'm going crazy here!