I have an ACE on an ASA DMZ. From my client on the inside, and with NATing on the DMZ interface where the ACE is, I could not hit the ACE (a.k.a. wouldn't be served web pages). The ACE service-policy doesn't show any hits or client byte counts. However, if the inside connections are PATed (using the DMZ interface), load balancing works fine. The NAT pool being used for the DMZ is within the same address range as the interface itself. Subnet masks look good. CSS on the DMZ works fine without PAT. Any ideas why I have to do this for the ACE?
Note: I am also NATing on the ACE for client source addresses.
It is very odd that the ACE wouldn't even show hits with NAT. I could PING the ACE from the ASA prior to PAT.
THANKS for any ideas!