Once again I find myself struggling with NAT and ACLs on a 5505. I am unable to access our new webserver in the DMZ.

The server can ping the DMZ interface of the 5505, but that's it. I've tried allowing ICMP in to it from the outside to test, but I think I'm making a bigger mess of it each time. I've been reading and reading and trying different things, including following Cisco's example for 9.1 but nothing has worked.

ASA Version 8.4(1)

object network LOCALSQL

host 192.168.1.2

object network DMZ-Webserver-Public-IP

host 43.114.152.57

object network dmz-subnet

subnet 192.18.36.0 255.255.255.0

object network webserver

host 192.18.36.57

object-group network DM_INLINE_NETWORK_16

network-object object DMZ-Webserver-Public-IP

network-object object webserver

object-group network DM_INLINE_NETWORK_18

network-object object DMZ-Webserver-Public-IP

network-object object webserver

object-group network DM_INLINE_NETWORK_19

network-object object DMZ-Webserver-Public-IP

network-object object webserver

object-group network DM_INLINE_NETWORK_20

network-object object DMZ-Webserver-Public-IP

access-list outside_acl extended permit tcp any object webserver eq www

access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_4 any object-group

DM_INLINE_NETWORK_19

access-list DMZ_access_in extended permit tcp any object-group DM_INLINE_NETWORK_20 object-group

Web_Services

access-list DMZ_access_in extended permit ip any object webserver

access-list dmz_acl extended permit ip any any

access-list dmz_acl extended deny ip any object Inside_LAN

access-list dmz_acl extended permit object SQL-Server any object LOCALSQL

access-list outside_in extended permit tcp object-group DM_INLINE_NETWORK_10 object-group

DM_INLINE_NETWORK_17 object-group DM_INLINE_TCP_2

access-list outside_in extended permit icmp any object DMZ-Webserver-Public-IP

access-list outside_in extended permit object-group DM_INLINE_SERVICE_3 any object-group

DM_INLINE_NETWORK_18

access-list outside_in extended permit tcp any object-group DM_INLINE_NETWORK_16 object-group

Web_Services

object network dmz-subnet

nat (DMZ,outside) dynamic interface

object network webserver

nat (DMZ,outside) static DMZ-Webserver-Public-IP service tcp www www

access-group outbound in interface inside

access-group outside_acl in interface outside

access-group DMZ_access_in in interface DMZ