My mistake, it is a 520 not a 506.

Thanks for your reply. I have the statement,

nat (inside) 1 192.168.0.0 255.255.0.0 0 0, already.

That should be fine then,

All you need to get from the Inside NW to the DMZ should be a global on the DMZ and a NAT on the inside.

If you post most of your config I'll take a look for you.

John

Thanks John, here is the relevant part of my config:

ip address outside 12.19.xxx.xx 255.255.255.240

ip address inside 192.168.40.3 255.255.255.0

ip address dmz 172.16.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address dmz 0.0.0.0

pdm history enable

arp timeout 14400

global (outside) 1 12.19.xxx.xx-12.19.xxx.xx netmask 255.255.255.240

global (outside) 1 12.19.xxx.xx netmask 255.255.255.240

global (dmz) 1 172.16.0.100-172.16.0.110

nat (inside) 0 access-list nonat

nat (inside) 1 192.168.0.0 255.255.0.0 0 0

nat (dmz) 1 172.16.0.0 255.255.255.0 0 0

static (inside,outside) 12.19.xxx.ww192.168.13.59 netmask 255.255.255.255 0 0

static (inside,outside) 12.19.xxx.yy192.168.40.31 netmask 255.255.255.255 0 0

static (dmz,outside) 12.19.xxx.zz 172.16.0.21 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside

access-group acl_dmz in interface dmz

route outside 0.0.0.0 0.0.0.0 12.19.xxx.aa 1

route inside 192.168.0.0 255.255.0.0 192.168.40.1 1

timeout xlate 1:00:00

timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0

timeout uauth 0:00:00 absolute uauth 0:40:00 inactivity

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 192.168.40.19 secret timeout 15

aaa authentication exclude tcp/0 inside 192.168.40.19 255.255.255.255 0.0.0.0 0S

aaa authentication exclude tcp/0 inside 192.168.40.26 255.255.255.255 0.0.0.0 0S

aaa authentication exclude tcp/0 inside 192.168.40.29 255.255.255.255 0.0.0.0 0S

aaa authentication exclude tcp/0 inside 192.168.40.30 255.255.255.255 0.0.0.0 0S

aaa authentication exclude tcp/0 inside 192.168.40.31 255.255.255.255 0.0.0.0 0S

aaa authentication exclude tcp/0 inside 192.168.13.59 255.255.255.255 0.0.0.0 0S

aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 RADIUS

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt security fragguard

sysopt connection permit-ipsec

no sysopt route dnat

Obviously this is not the full config but can you confirm that the access lists are OK and are not blocking what you are trying to do.

The NAT and Global statements look fine, the only thing I can see is that you have no netmask defined for your Global (DMZ) statement.

So, to confirm, from your 192.168.40.0 you are trying to access host 172.16.0.21, what sort of error do you see?

If you carry out a show xlate at this time what do you see?

One last thing, I assume that the host you are trying this from is not excluded by your AAA config ?

Regards

John

John, here are the access lists. We also use this PIX to connections to pixes at remote site using ipsec.

access-list acl_in permit icmp any any

access-list acl_in permit ip any any

access-list acl_out permit icmp any any

access-list acl_out permit tcp any host 12.19.224.xx eq smtp

access-list acl_out permit tcp any host 12.19.224.yy eq smtp

access-list acl_out permit tcp any host 12.19.224.zz eq ftp-data

access-list acl_out permit tcp any host 12.19.224.xx eq www

access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list nonat permit ip 192.168.40.0 255.255.255.0 host 200.171.173.178

access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.5.0 255.255.255.0

access-list nonat permit ip 192.168.40.0 255.255.255.0 host 64.219.15.121

access-list nonat permit ip 192.168.31.0 255.255.255.0 10.0.5.0 255.255.255.0

access-list nonat permit ip 192.168.31.0 255.255.255.0 host 64.219.15.121

access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.3.0 255.255.255.0

access-list nonat permit ip 192.168.40.0 255.255.255.0 host 148.233.144.17

access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.4.0 255.255.255.0

access-list nonat permit ip 192.168.40.0 255.255.255.0 host 148.235.11.101

access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.7.0 255.255.255.0

access-list nonat permit ip 192.168.40.0 255.255.255.0 host 66.136.190.89

access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.6.0 255.255.255.0

access-list nonat permit ip 192.168.40.0 255.255.255.0 host 64.22.205.74

access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list acl_dmz permit icmp any any

access-list 120 permit ip 192.168.40.0 255.255.255.0 10.0.3.0 255.255.255.0

access-list 120 permit ip 192.168.40.0 255.255.255.0 host 148.233.144.17

access-list 115 permit ip 192.168.40.0 255.255.255.0 host 64.219.15.121

access-list 115 permit ip 192.168.31.0 255.255.255.0 10.0.5.0 255.255.255.0

access-list 115 permit ip 192.168.31.0 255.255.255.0 host 64.219.15.121

access-list 115 permit ip 192.168.40.0 255.255.255.0 10.0.5.0 255.255.255.0

access-list 125 permit ip 192.168.40.0 255.255.255.0 10.0.4.0 255.255.255.0

access-list 125 permit ip 192.168.40.0 255.255.255.0 host 148.235.11.101

access-list 122 permit ip 192.168.40.0 255.255.255.0 10.0.7.0 255.255.255.0

access-list 122 permit ip 192.168.40.0 255.255.255.0 host 66.136.190.89

access-list 121 permit ip 192.168.40.0 255.255.255.0 10.0.6.0 255.255.255.0

access-list 121 permit ip 192.168.40.0 255.255.255.0 host 64.22.205.74

access-list 105 permit ip 192.168.40.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list 105 permit ip 192.168.40.0 255.255.255.0 host 200.171.173.178

access-list 110 permit ip 192.168.40.0 255.255.255.0 10.0.0.0 255.255.255.0

I suspect then that you will need to ammend the acl_dmz acl to allow the return traffic from your web server.

Thanks, that took care of it.