Please see the attached network diagram for your information. I added the command
"same-security-traffic permit intra-interface" on the Internet FW, and I also forced the traffic from the internal firewall to 172.16.24.22 to pass through the Internet FW by adding a route on the internal FW:
"route DMZ 172.16.24.22 255.255.255.255 172.16.24.3"
but this time I got an error message like this:
"%ASA-3-305006: portmap translation creation failed for tcp src inside:172.16.3.50/3925 dst inside:172.16.24.22/443"
and I did configure NAT and PAT on the Internet FW; static NAT is used to translate 172.16.24.22 into a public IP and PAT is used to allow 172.16.3.0 to access the Internet:
global (outside) 1 2.x.x.41 netmask 255.255.255.224
global (outside) 2 2.x.x.42 netmask 255.255.255.224
nat (inside) 1 172.16.3.0 255.255.255.0
nat (inside) 2 172.16.2.0 255.255.255.0
static (inside,outside) 2.x.x.40 172.16.24.22 netmask 255.255.255.255
Does someone have a solution for this?

Actually, I think I misunderstood your network; it should be:
global (inside) 1 172.16.24.200
Assuming you already have the same-security-traffic permit intra-interface, as stated in your email.
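
An added example, not part of either post: a small Python check that relates the 305006 message to the posted configuration by finding the `nat` rule that matches the logged source and testing whether a `global` with the same NAT ID exists on the logged destination interface. The function names are hypothetical, the first-match rule selection is a simplification, and it assumes the pre-8.3 `nat`/`global` syntax shown in the thread.

```python
import ipaddress
import re

# Config and log line are copied from the thread (addresses masked as posted).
CONFIG = """\
global (outside) 1 2.x.x.41 netmask 255.255.255.224
global (outside) 2 2.x.x.42 netmask 255.255.255.224
nat (inside) 1 172.16.3.0 255.255.255.0
nat (inside) 2 172.16.2.0 255.255.255.0
static (inside,outside) 2.x.x.40 172.16.24.22 netmask 255.255.255.255
"""
LOG = ("%ASA-3-305006: portmap translation creation failed for tcp "
       "src inside:172.16.3.50/3925 dst inside:172.16.24.22/443")

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) \S+")
LOG_RE = re.compile(
    r"%ASA-3-305006: .* src (\S+?):([\d.]+)/\d+ dst (\S+?):([\d.]+)/\d+")

def parse_config(text):
    """Return ([(ifc, nat_id, network)], {(ifc, nat_id)}) from nat/global lines."""
    nats, pools = [], set()
    for line in map(str.strip, text.splitlines()):
        if m := NAT_RE.match(line):
            ifc, nat_id, net, mask = m.groups()
            nats.append((ifc, int(nat_id), ipaddress.ip_network(f"{net}/{mask}")))
        elif m := GLOBAL_RE.match(line):
            pools.add((m.group(1), int(m.group(2))))
    return nats, pools

def missing_global(config_text, log_line):
    """Return the 'global (ifc) id' pair the logged flow lacks, else None."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    src_ifc, src_ip, dst_ifc, _dst_ip = m.groups()
    nats, pools = parse_config(config_text)
    src = ipaddress.ip_address(src_ip)
    for ifc, nat_id, net in nats:
        # Simplification: take the first nat rule covering the source;
        # nat 0 (exemption) is skipped because it needs no global pool.
        if ifc == src_ifc and nat_id != 0 and src in net:
            return None if (dst_ifc, nat_id) in pools else f"global ({dst_ifc}) {nat_id}"
    return None

if __name__ == "__main__":
    print("missing:", missing_global(CONFIG, LOG))
```

With the posted configuration the check reports `global (inside) 1`, the statement the reply supplies; once that line is present it reports nothing missing.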