new ASA 5510 access rules and NAT

it (Level 1)

We are about to replace our old PIX 515E with an ASA 5510.

We are unable to direct traffic to our DMZ (several servers, multiple IPs) and to our Inside network.

Internet is working.

Between DMZ and Inside too much traffic is allowed - We only want specific ports to be open.

What have we done wrong?

6 Replies

husycisco (Level 7)

Hello Kristian,

Can you explain what you mean by "unable to direct traffic to our DMZ - several servers multiple IPs, and to our Inside Network"?

Regards

We have Exchange in our inside network (one public IP), and an FTP server (another public IP) on the DMZ. But we can't connect to them when using the new firewall.

access-list Outside_access_in extended permit tcp object-group SoftScan host exchange eq smtp

access-list Outside_access_in extended permit tcp any host citrix-securegw eq https

access-list Outside_access_in extended permit tcp any host webserver eq www

In the above access-lists, you should permit the traffic to Public_IP, not to the private IPs like "exchange" or "webserver":

access-list Outside_access_in extended permit tcp any host Public_IP eq smtp

access-list Outside_access_in extended permit tcp any host Public_IP eq https

access-list Outside_access_in extended permit tcp any host Public_IP eq www

Plus, assuming that you are using a single public IP, you cannot map it one-to-one to multiple hosts like exchange, webserver, etc. You should use PAT like the following:

static (DMZ,Outside) tcp Public_IP 80 webserver 80 netmask 255.255.255.255

static (Inside,Outside) tcp Public_IP 25 exchange 25 netmask 255.255.255.255

static (Inside,Outside) tcp Public_IP 110 exchange 110 netmask 255.255.255.255

Regards

Got it working.

But I'm not able to access my FTP / web servers on my DMZ from the internal network. Using ftp.domain.dk makes a lookup to my public IP (that works from another site). In my old configuration on the PIX 515 it was translated to the IP in my DMZ. Hope this makes sense.

access-list Outside_access_in extended permit udp any host Public_IP eq domain

access-list Outside_access_in extended permit tcp any host Public_IP eq ftp

static (DMZ,Outside) udp Public_IP 53 DNSServer 53 netmask 255.255.255.255

static (DMZ,Outside) tcp Public_IP 21 FTPServer 21 netmask 255.255.255.255
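As an added illustration of husycisco's point (this is not code from the thread), here is a small Python checker for a pre-8.3 ASA/PIX config: it pairs each inbound access-list entry with the static PAT that maps the same address and port, and reports entries that still name the real host (as the original "host exchange" line did) or a port that no static translates. Names such as Public_IP, exchange and the sample config lines are constructed from the thread; on ASA 8.3 and later, ACLs reference real addresses and this check does not apply.

```python
import re

# Service keywords used on the thread's ACL lines, resolved the way the ASA does.
SERVICE_PORTS = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "ftp": 21, "domain": 53}

STATIC_RE = re.compile(r"^static \(\S+,\S+\) (?P<proto>tcp|udp) "
                       r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+) netmask")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp) "
                    r"(?:any|object-group \S+|host \S+) host (?P<dst>\S+) eq (?P<port>\S+)$")

# Constructed sample modelled on the thread: one ACE still names the real host
# ("exchange") and one permits a port (https) that no static translates.
SAMPLE_CONFIG = """
access-list Outside_access_in extended permit tcp object-group SoftScan host exchange eq smtp
access-list Outside_access_in extended permit tcp any host Public_IP eq www
access-list Outside_access_in extended permit tcp any host Public_IP eq https
access-list Outside_access_in extended permit tcp any host Public_IP eq ftp
static (DMZ,Outside) tcp Public_IP 80 webserver 80 netmask 255.255.255.255
static (Inside,Outside) tcp Public_IP 25 exchange 25 netmask 255.255.255.255
static (DMZ,Outside) tcp Public_IP 21 FTPServer 21 netmask 255.255.255.255
""".strip().splitlines()

def port_num(token):
    return SERVICE_PORTS.get(token, int(token) if token.isdigit() else None)

def check_config(lines):
    """Return one finding per inbound ACE that has no matching static PAT."""
    mapped = {}      # (proto, mapped addr, mapped port) -> real host
    findings, aces = [], []
    for line in lines:
        if (s := STATIC_RE.match(line.strip())):
            mapped[(s["proto"], s["mapped"], port_num(s["mport"]))] = s["real"]
        elif (a := ACL_RE.match(line.strip())):
            aces.append(a)
    for a in aces:                       # statics are collected first, so order is irrelevant
        dst, port = a["dst"], port_num(a["port"])
        if (a["proto"], dst, port) in mapped:
            continue                     # ACE permits the mapped address/port: consistent
        real_maps = [f"{k[1]}:{k[2]}" for k, real in mapped.items() if real == dst]
        if real_maps:
            findings.append(f"{a['name']}: 'host {dst}' is the real address; pre-8.3 ACLs "
                            f"must permit the mapped address ({', '.join(real_maps)})")
        else:
            findings.append(f"{a['name']}: no static {a['proto']} translation maps "
                            f"{dst}:{port}; matching inbound traffic will be dropped")
    return findings

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE_CONFIG)))
```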

I'm not sure you understood me.

From the internal network 192.9.200.0/24 we want to connect to 172.0.0.0/24 using the public name ftp.domainname.dk.

If we make a lookup we get the public IP 217.x.x.x for that A-record.

We don't have a DNS server in our DMZ.

Our ASA 5510 comes with the base license.
