It's important to keep in mind the relationships between security levels, access-lists and NAT. Typical security assignments would look like this.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
In this case, without any access lists, the inside interface can access all services on the outside and dmz1, dmz1 can access all services on just outside, and outside can't access any services on the inside or dmz1.
If you need to permit www traffic from the dmz to a server on the inside network for example, you would create an access list and apply it to the dmz interface like this.
access-list dmz-in permit tcp any host eq www
access-group dmz-in in interface dmz1
Your STATIC command has no bearing on what traffic is permitted. NAT and STATIC allow you to hide networks or hosts behind the firewall. You still need to use your access list to permit any type of traffic from a less trusted interface. An example to set up the static between the outside and dmz interfaces and then permit web traffic to the device would be:
The same rules apply to your configuration as the example I provided. To permit traffic from dmz2 to the inside you must configure an access list and apply it inbound to the dmz2 interface. If your not using nat between your inside and dmz2 interfaces, you need to specify the nat 0.
nat (dmz1) 0 access-list nonat
nat (inside) 0 access-list nonat
access-list nonat permit ip any 192.168.1.0 255.255.255.0
access-list nonat permit ip any 192.168.2.0 255.255.255.0
This would turn off nat for both your inside and dmz2 interfaces.
I'm not sure what the STATIC (inside,dmz2) dmz2 dmz2 netmask xxx.xxx.xxx.xxx is doing for you in this case.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...