I have looked over my config and gone through several Cisco help sheets, but I still cannot access the outside from "inside" the DMZ. Here is an overview of what I can and cannot do.
OUTSIDE >>> DMZ = OK
INSIDE >>>>> DMZ = OK
DMZ >>>>>>> INSIDE = OK
DMZ >>>>>>> OUTSIDE = FAIL.
What I need to do is to be able to access an external SMTP server from the DMZ. If I telnet to port 25 on an "OUTSIDE" server it fails. If I do it to my "INSIDE" server it works.
Here are the relevant sections of the config. I assume I have missed something stupid and have looked over it too many times and need some fresh eyes.
Many thanks for your help.
ip address 192.168.0.20 255.255.255.0
ip address 220.127.116.11 255.255.255.248
ip address 10.30.30.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
access-list services extended permit tcp any host 18.104.22.168 eq www
access-list inside extended permit tcp host 10.30.30.30 any eq smtp
access-list inside extended permit ip any any
access-list dmz-in extended permit udp host 10.30.30.30 host 192.168.0.10 eq domain
access-list dmz-in extended permit tcp host 10.30.30.30 host 192.168.0.10 eq 88
access-list dmz-in extended permit udp host 10.30.30.30 host 192.168.0.10 eq 389
access-list dmz-in extended permit ip any any
access-list dmz-in extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.30.30.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp 22.214.171.124 www 10.30.30.30 www netmask 255.255.255.255
static (inside,dmz) 10.30.30.30 192.168.0.111 netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group inside in interface inside
access-group services in interface outside
access-group dmz-in in interface dmz
route inside 10.1.0.0 255.255.0.0 192.168.0.250 1
route outside 0.0.0.0 0.0.0.0 126.96.36.199 1
Add the following statements and you should have access to the outside from the DMZ:
no nat (inside) 1 10.30.30.0 255.255.255.0
nat (dmz) 1 10.30.30.0 255.255.255.0
Run "clear xlate" after the above changes, and the DMZ should have access to the internet.
Hope that helps.
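The diagnosis in the answer, checked mechanically: on an ASA of this era a nat (ifc) rule is applied only to traffic that arrives on ifc, so a nat (inside) entry for the DMZ subnet never matches the DMZ host. The script below is an added example, not code from the post or from Cisco; it parses a constructed excerpt of the config above (the nameif names are an assumption, the addresses, nat and route lines are the poster's) and flags every nat statement whose real subnet actually sits behind a different interface.

```python
import ipaddress
import re
# Constructed config excerpt: the addresses, nat and route lines are the
# poster's; the nameif lines are an assumption (the post did not quote them).
CONFIG = """\
nameif inside
 ip address 192.168.0.20 255.255.255.0
nameif outside
 ip address 220.127.116.11 255.255.255.248
nameif dmz
 ip address 10.30.30.1 255.255.255.0
nat (inside) 1 10.30.30.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 10.1.0.0 255.255.0.0 192.168.0.250 1
route outside 0.0.0.0 0.0.0.0 126.96.36.199 1
"""
IP = r"(\d+(?:\.\d+){3})"
NAT_RE = re.compile(rf"^nat \((\w+)\) \d+ {IP} {IP}")
ROUTE_RE = re.compile(rf"^route (\w+) {IP} {IP} ")

def interface_networks(config):
    # Networks behind each nameif: its connected subnet plus any static route
    # pointing out of it (a default route, prefix length 0, says nothing).
    nets, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            nets.setdefault(current := line.split()[1], [])
        elif line.startswith("ip address ") and current:
            ip, mask = line.split()[2:4]
            nets[current].append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
        elif m := ROUTE_RE.match(line):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            if net.prefixlen:
                nets.setdefault(m[1], []).append(net)
    return nets

def find_misplaced_nat(config):
    # (declared_ifc, real_net, owning_ifc) for each nat rule whose real subnet
    # sits behind a different interface, so the rule never matches those hosts.
    nets, findings = interface_networks(config), []
    for line in config.splitlines():
        if not (m := NAT_RE.match(line.strip())):
            continue
        ifc, real = m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        if not real.prefixlen or any(real.subnet_of(n) for n in nets.get(ifc, [])):
            continue  # catch-all "0.0.0.0 0.0.0.0", or already on the right interface
        owner = next((i for i, ns in nets.items() if any(real.subnet_of(n) for n in ns)), None)
        findings.append((ifc, str(real), owner))
    return findings
```

For the posted config it reports the one misplaced rule, nat (inside) 1 10.30.30.0/24 owned by dmz; after moving that line to nat (dmz) as the answer suggests it reports nothing.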