will these 2 statements both tie to the outside interface then ?

Both solutions didn't work. It's frustrating. I hope the firewall won't be cursed :(

Post all the config - remove sensitive information.

After the last NAT changes, this is the complete configuration:

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password xxx

names

!

interface Ethernet0/0

nameif WAN

security-level 0

ip address 192.168.0.2 255.255.0.0

!

interface Ethernet0/1

nameif DMZ

security-level 100

ip address 172.16.1.1 255.255.255.0

!

interface Ethernet0/2

nameif LAN

security-level 100

ip address 10.0.0.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 20.0.0.1 255.255.255.0

management-only

!

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit icmp any any time-exceeded

access-list 100 extended permit icmp any any unreachable

access-list 100 extended permit tcp any host 192.168.0.3 eq 3389

access-list 100 extended permit tcp any host 192.168.0.3 eq 5400

access-list 100 extended permit tcp any host 192.168.0.3 eq 5900

access-list 101 extended permit tcp host 172.16.1.25 any eq www

pager lines 24

pager lines 24

logging asdm informational

mtu WAN 1500

mtu DMZ 1500

mtu LAN 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (WAN) 1 interface

nat (DMZ) 1 172.16.1.0 255.255.255.0

nat (LAN) 1 10.0.0.0 255.255.255.0

access-group 100 in interface WAN

access-group 101 in interface DMZ

route WAN 0.0.0.0 0.0.0.0 192.168.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 20.0.0.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns 80.58.0.33 62.37.228.20

!

dhcpd address 10.0.0.2-10.0.0.254 LAN

dhcpd enable LAN

!

dhcpd address 20.0.0.2-20.0.0.254 management

dhcpd enable management

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

Whart is the actual issue you are seeing? the server in the DMZ unable to connect to the internet and browse web pages??

Can you supply the following config from the WebServer:-

IP address

Subnet Mask

Default Gateway

DNS Servers

Also add the below to the ACL:-

access-list 101 extended permit tudp host 172.16.1.25 any eq 53

Hi monster!

Here is the webserver's configuration:

IP address: 172.16.1.25

Subnet mask: 255.255.255.0

Default gateway: 172.16.1.1

DNS Servers: 80.58.0.33 & 62.37.228.20

The last ACE works! Applications like messenger o skype can't connect; I'm able to surf on the net, though. Is it possible to disable ftp traffic? Thanks a lot! :))

Ok! thanks again, boss!

;o)

np - glad to help.