Using an ASA5500, I have the following allowing the outside to access servers on the dmz:
static (dmz,outside) 188.8.131.52 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) 184.108.40.206 192.168.1.3 netmask 255.255.255.255
static (dmz,outside) 220.127.116.11 192.168.1.4 netmask 255.255.255.255
access-list incoming_outside extended permit tcp any host 18.104.22.168 eq www
access-list incoming_outside extended permit tcp any host 22.214.171.124 eq https
access-list incoming_outside extended permit tcp any host 126.96.36.199 eq www
access-group incoming_outside in interface outside
So the outside can access the public address on the respective ports, and that works OK.
However, we also want to allow DMZ servers to access the Internet, so we have the following:
nat (dmz) 2 192.168.1.0 255.255.255.0
global (outside) 2 188.8.131.52
But the question is, when DMZ servers access the Internet, should they be PAT'ed to their static translation IP address or to global 2?
For example, if 192.168.1.2 is to access the Internet, should it be PAT'ed to 184.108.40.206 or 220.127.116.11?
I think the issue we are facing is that it goes out as one public IP and comes back as another public IP, which could be the reason the DMZ cannot get to the Internet.
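An added example, not part of the original post: a Python script that parses the static, nat and global lines quoted above and reports which rule translates a given DMZ host's outbound traffic. It assumes the pre-8.3 ASA matching order, in which static translations are matched before regular dynamic nat/global rules; the function names are hypothetical.

```python
import ipaddress
import re

# Translation lines copied from the post above.
CONFIG = """\
static (dmz,outside) 188.8.131.52 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) 184.108.40.206 192.168.1.3 netmask 255.255.255.255
static (dmz,outside) 220.127.116.11 192.168.1.4 netmask 255.255.255.255
nat (dmz) 2 192.168.1.0 255.255.255.0
global (outside) 2 188.8.131.52
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)$")


def parse(config):
    """Split the config into static, nat and global entries."""
    statics, nats, pools = [], [], {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            net = ipaddress.ip_network(f"{real}/{mask}")
            statics.append((real_if, mapped_if, net, mapped))
        elif m := NAT_RE.match(line):
            real_if, nat_id, addr, mask = m.groups()
            nats.append((real_if, nat_id, ipaddress.ip_network(f"{addr}/{mask}")))
        elif m := GLOBAL_RE.match(line):
            pools[(m.group(1), m.group(2))] = m.group(3)
    return statics, nats, pools


def egress_translation(config, real_if, mapped_if, src):
    """Return (rule, mapped address) for traffic from src leaving mapped_if.

    Assumption: pre-8.3 ordering, host (/32) statics before regular nat/global.
    """
    statics, nats, pools = parse(config)
    ip = ipaddress.ip_address(src)
    for s_real, s_mapped, net, mapped in statics:
        if (s_real, s_mapped) == (real_if, mapped_if) and ip in net:
            return ("static", mapped)
    for n_real, nat_id, net in nats:
        if n_real == real_if and ip in net and (mapped_if, nat_id) in pools:
            return (f"nat/global {nat_id}", pools[(mapped_if, nat_id)])
    return (None, None)
```

Under that assumption, a host with its own static entry leaves on its static mapped address, and only DMZ hosts without a static entry fall through to the `global (outside) 2` address.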