For example, let's say that you want to allow any outside user to access server1 and server2 on the DMZ.
Server1 has private1 and public1 IP addresses
Server2 has private2 and public2 IP addresses
Then, the configuration will look like this:
static (dmz,outside) public1 private1
static (dmz,outside) public2 private2
The above commands is to create the translation, then the ACL to allow the incoming traffic from the Internet
access-list outside permit tcp any host public1 eq 3389
access-list outside permit tcp any host public2 eq 3389
Remember that you must apply the ACL to the outside interface
access-group outside in interface outside
With the above configuration, you should be able to enter via TCP port 3389 to both servers using their respective public address.
If it is not working, you can try adding another line on the outside ACL to allow PING
access-list outside permit icmp any host public1
And try to PING the server. If it PINGs, then you know is not a connectivity problem.
If it does not PING, then we can do more tests on the ASA, like using the Packet Tracer utility via ASDM or CLI to simulate the connection
and see what are the results on the ASA.
Make sure that on the outside ACL, there's not a deny statement on top of the permit statements that could be blocking the traffic.
Also try from the server itself to get out to the Internet and see if traffic flows that way.
Let me know please.
Federico.
