ACL to permit dynamic range of source addresses

WILLIAM STEGMAN
Level 4

I have a DMZ that has DHCP configured with a range of 25 addresses. There are laptops that connect to wireless in the DMZ which have Integrity Agent installed on them, and are trying to contact an Integrity server located on the inside using port 5054. My problem is how do I account for these laptop users' NAT translation so they can access the inside Integrity server without keying in 25 separate static (inside,DMZ) statements? Does some alternative solution exist?

Thank you,

Bill

11 Replies

dentt
Level 1

I would try using policy PAT. Specify the 25 addresses in the policy access-list and translate them to a single address or interface address.

Here is an example that might help:

access-list nat_DMZ_pool1_in_0 permit tcp 192.168.10.96 255.255.255.224 host 10.1.1.3 eq 5054

nat (DMZ) 1 access-list nat_DMZ_pool1_in_0 DMZ

The PAT pool (1) I used was 10.1.1.2

I used 192.168.10.1 as the DMZ address and 10.1.1.1 as the inside address for interfaces.

10.1.1.3 is the address of the inside server

I think I understand the concept (use an access list to select the traffic to apply a NAT pool to), but I am having difficulty with the config.

I've created the access list to capture the hosts in the DHCP pool:

access-list nat_DMZ_pool2_in permit tcp 192.168.32.96 255.255.255.224 host 10.6.6.15 eq 5054

Then I configured NAT:

nat (DMZ) 2 access-list nat_DMZ_pool2_in 0 0

and pool 2:

global (DMZ) 2 192.168.32.5

My DMZ interface address is 192.168.32.1.

My inside host is 10.6.6.15, port 5054.

Finally, I added a line to the access-list currently applied to my DMZ interface

access-list dmz_access_in permit tcp host 192.168.32.5 host 10.6.6.15 eq 5054

But I'm missing something, because it's not working yet.

Change your access list applied to the DMZ interface to allow any source to the destination and see what happens. I am currently testing this on a PIX in my lab. I may have the policy PAT a bit off. When I am finished, I will post any changes I see that may be needed.

Changed the access-list, but still having trouble. I've attached an error the PDM produces about not supporting the policy nat commands in my config. Also, here is part of my config.

access-list dmz_access_in remark Access to Integrity

access-list dmz_access_in permit tcp any host 10.6.6.15 eq 5054

access-list nat_DMZ_pool2_in permit tcp 192.168.10.96 255.255.255.224 host 192.168.32.99 eq 5054 (also tried using access-list nat_DMZ_pool2_in permit tcp any host 192.168.32.99 eq 5054)

global (outside) 1 interface

global (DMZ) 1 interface

global (DMZ) 2 192.168.32.5

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (DMZ) 2 access-list nat_DMZ_pool2_in 0 0

nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0

access-group dmz_access_in in interface DMZ

Thank you

I've found part of it. I found a sample config in my CCSP book:

nat (DMZ) 1 192.168.32.96 255.255.255.224 outside

global (inside) 1 10.4.0.50

The outside keyword in the nat statement is what did the trick. This statement allows my Integrity clients access to the integrity server, along with the access list. However, as soon as I apply that statement, my ability to reach the DMZ from the inside is lost.

How is your NAT to the DMZ handled? If it is a pool, then this is understandable. If it is, try changing your access from inside to DMZ to an interface PAT.

No, I was using interface PAT. It's strange; I haven't been able to figure it out yet, but now it is working without translation. I set up the ACL on the DMZ to allow traffic from that subset of hosts, 192.168.32.96/28, and communication now occurs between DMZ hosts and the Integrity server.

access-list dmz_access_in remark Access to Integrity

access-list dmz_access_in permit tcp 192.168.32.96 255.255.255.224 host 10.6.6.15 eq 5054

HummPIX-515# sh global

global (outside) 1 interface

global (inside) 1 interface

global (DMZ) 1 interface

HummPIX-515# sh run | include nat

access-list inside_outbound_nat0_acl permit ip any 10.1.100.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
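Both dentt's policy PAT suggestion and the ACL Bill ended up with select the DHCP clients with a single address/mask pair (192.168.32.96 255.255.255.224). A /27 mask covers 32 addresses, so a 25-address DHCP scope inside it leaves a few addresses the ACL admits that DHCP never hands out. The following Python script is an added example, not part of the original thread or any Cisco tooling: it derives the smallest single mask that covers a DHCP scope, prints the matching PIX-style access-list line, and lists the over-permitted addresses so you can judge whether that slack is acceptable. The DHCP scope 192.168.32.100-192.168.32.124, the ACL name, and the server address are constructed values chosen to fit the thread.

```python
import ipaddress

# Constructed sample values: a 25-address DHCP scope inside the DMZ subnet
# from the thread, the inside Integrity server, and its port.
DHCP_FIRST = "192.168.32.100"
DHCP_LAST = "192.168.32.124"
INTEGRITY_SERVER = "10.6.6.15"
INTEGRITY_PORT = 5054


def covering_network(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single IPv4 network (one 'address mask' pair) containing first..last.

    Widens the prefix from /32 downward, anchored on the first address,
    until the last address falls inside the block.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network((lo, prefix), strict=False)
        if hi in net:
            return net
    raise AssertionError("unreachable: /0 contains every address")


def pix_acl_line(name: str, net: ipaddress.IPv4Network, dst_host: str, port: int) -> str:
    """Render the PIX 6.x style 'address netmask' access-list entry."""
    return (f"access-list {name} permit tcp {net.network_address} {net.netmask} "
            f"host {dst_host} eq {port}")


def excess_hosts(net: ipaddress.IPv4Network, first: str, last: str) -> list:
    """Addresses the mask admits that lie outside the DHCP scope (the over-permit)."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return [str(a) for a in net if not (lo <= a <= hi)]


def acl_matches(net: ipaddress.IPv4Network, src: str) -> bool:
    """Would a packet from src hit this ACL entry's source address/mask?"""
    return ipaddress.IPv4Address(src) in net


if __name__ == "__main__":
    net = covering_network(DHCP_FIRST, DHCP_LAST)
    print(pix_acl_line("dmz_access_in", net, INTEGRITY_SERVER, INTEGRITY_PORT))
    extra = excess_hosts(net, DHCP_FIRST, DHCP_LAST)
    print(f"{net} covers {net.num_addresses} addresses; "
          f"{len(extra)} are outside the DHCP scope: {', '.join(extra)}")
    # The DMZ PAT address from the thread should not be matched by this entry.
    print("192.168.32.5 matched:", acl_matches(net, "192.168.32.5"))
```

For the constructed scope the script reproduces the thread's 192.168.32.96 255.255.255.224 entry and reports seven addresses (.96-.99 and .125-.127) that the mask permits but DHCP never assigns. If that slack matters, split the entry using `ipaddress.summarize_address_range`, or reserve those addresses so nothing else in the DMZ can occupy them.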

Does the Server do a push to the clients, or do the clients contact the server for updates?

Do you have "nat control" turned off?

The clients check in with the server, initially when they connect to the network, and then periodically while connected. I'm not sure what "nat control" is.

NAT control allows or denies traffic through your firewall with or without NATting.
