From what you are saying, it looks like you have been given the a.a.a.96/30 network for your outside interface and have been assigned a separate range of "b.b.b.b" for your NAT requirements?
Rather than using your "b.b.b.b" public IP range on the dmz, you should be configuring your DMZ on a private address range, say 192.168.200.0/24 and statically mapping those addresses to outside addresses, i.e.
This should present your "b.b.b.x" address on the outside interface so you can allow, for example, smtp to this "b.b.b.x" address in the access-list you have applied inbound on your outside interface i.e.
access-list acl_out permit tcp any host b.b.b.x eq smtp
Ah got you, I can see where you're coming from, but no, I was assigned the a.a.a.a range 1st, then some months later told the ISP I wanted to create a dmz and they gave me b.b.b.b range routed through a.a.a.98.
So rather than creating another Private range for the DMZ and then mapping them to the Public b.b.b.b range, how would I go about just using the Public b.b.b.b range in the dmz?
Which comes back to the previous post, do you think it could be a routing problem?
Kev, thanks for the answer re: outside a.a.a.96 netmask a.a.a.98 1 CONNECT static.
Although they statically map the entire dmz subnet, you should be able to adapt it to however your particular setup requires. If it looks something like that - with the nat 0, statics and acls permitting what you want to permit, you should be ok.
As for the routing side of things, you mention that the ISP routes that second subnet to your pix's outside IP address? If your config is sound you may want to ask your ISP if they can just route that second subnet onto the wire instead, and let the pix just listen out for it, rather than try to get your pix to route it. Might be worth a try as I have seen it working this way.
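A sketch of the identity-static approach discussed in this thread, added here as an example and not taken from any poster's configuration. It assumes PIX 6.x-style syntax, a DMZ interface named "dmz", and uses `<dmz-net>`, `<dmz-ip>` and `<dmz-mask>` as placeholders for the routed b.b.b.b subnet, since the thread does not give them.

```cisco
! Constructed example. a.a.a.98 and b.b.b.x are the thread's own placeholders;
! <dmz-net>, <dmz-ip>, <dmz-mask> and the interface name "dmz" are assumptions.

! Outside interface sits in the a.a.a.96/30 link network.
ip address outside a.a.a.98 255.255.255.252

! DMZ interface carries the public subnet the ISP routes via a.a.a.98.
ip address dmz <dmz-ip> <dmz-mask>

! Identity static: map the DMZ subnet to itself, so DMZ hosts are
! reachable from the outside on their own public addresses.
static (dmz,outside) <dmz-net> <dmz-net> netmask <dmz-mask>

! Open only the services that must be reachable, per host and port.
access-list acl_out permit tcp any host b.b.b.x eq smtp

! Bind the ACL inbound on the outside interface.
access-group acl_out in interface outside
```

Because the DMZ hosts keep public addresses, the inbound ACL on the outside interface is the only thing limiting what the Internet can reach on them, so it should list specific hosts and ports instead of the whole subnet.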