vpn to DMZ

eppiet
Level 1

I have VPN set up on a PIX 515. VPN in from a remote user to the internal network is working with split tunnel. However, I am unable to VPN into any machines in the DMZ.

I have created a nonatDMZ access-list to allow the VPN pool IP addresses to the DMZ, and I have applied nonatDMZ to the DMZ interface.

When I tested it with ping, I noticed that the inbound ping gets into the firewall: vpnpool > mail server > mail server, but there was no outbound ping.

Is VPN to the DMZ possible? Is there any routing that I need to deal with?

Thank you

Eppie

4 Replies

gfullage
Cisco Employee

VPN to the DMZ is certainly possible; you just need the "nat (dmz) 0 access-list ..." statement, which it sounds like you've done.

Can you post your config so we can see that everything looks correct? Just xxxx out any global IP addresses and your passwords.

koaps
Level 1

Add your DMZ net to your no-NAT ACL.

If your DMZ is 192.168.0.0/24 and your inside is 192.168.1.0/24, then use this:

access-list NoNAT permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list NoNAT

The above is wrong; it would have to be:

nat (dmz) 0 access-list NoNAT

since the packets are going to be coming in on the DMZ interface.

eppiet
Level 1

Instead of having the access-list separately, I have an access-list from any to the VPN client pool. I also have the nat 0 nonat.

Here's the configuration:

: Saved
: Written by enable_15 at 15:43:22.001 EST Thu Nov 20 2003
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security15
enable password yyyyyyy encrypted
passwd ttttttt encrypted
hostname mars
domain-name abc.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.16.1.23 eppie
name 142.77.1.1 uunet
name 172.16.1.7 localdns
object-group service HTTP_HTTPS tcp
port-object eq https
port-object eq www
access-list inside_access_in permit tcp any any eq pop3 log
access-list inside_access_in permit tcp any any eq smtp
access-list inside_access_in permit tcp any any eq domain
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in permit tcp any any eq https
access-list inside_access_in permit udp any any eq domain log
access-list inside_access_in permit tcp IT 255.255.255.0 any eq ftp
access-list inside_access_in permit tcp IT 255.255.255.0 any eq telnet
access-list inside_access_in permit tcp any host mail eq smtp
access-list inside_access_in permit tcp any host mail eq pop3
access-list inside_access_in permit tcp any host mail eq imap4
access-list inside_access_in permit tcp host localdns any eq telnet
access-list outside_access_in permit tcp any host 12.34.56.2 eq smtp
access-list outside_access_in permit tcp any host 12.34.56.2 eq pop3
access-list DMZ_access_in permit tcp host mail any eq smtp
access-list DMZ_access_in permit tcp host mail any eq pop3
access-list DMZ_access_in permit tcp host mail any eq imap4
access-list DMZ_access_in permit tcp host mail any eq ident
access-list DMZ_access_in permit udp host mail host localdns eq domain
access-list DMZ_access_in permit icmp any any
access-list outside_cryptomap_20 permit ip any sister 255.255.255.0
access-list 120 permit ip IT 255.255.255.0 sister 255.255.255.0
access-list 120 permit ip HR 255.255.255.0 sister 255.255.255.0
access-list nonat permit ip IT 255.255.255.0 sister 255.255.255.0
access-list nonat permit ip host 172.16.10.15 sister 255.255.255.0
access-list nonat permit ip host 172.16.10.7 sister 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.192
access-list nonat permit ip HR 255.255.255.0 sister 255.255.255.0
access-list nonat permit ip any 172.16.255.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 172.16.255.0 255.255.255.192
access-list king_splitTunnelAcl permit ip 172.16.0.0 255.255.0.0 any
access-list king_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list nonatDMZ permit ip any 172.16.255.0 255.255.255.192
pager lines 24
logging on
logging timestamp
logging trap notifications
logging host inside 172.16.1.15
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 12.34.56.1 255.255.255.192
ip address inside 172.16.1.1 255.255.128.0
ip address DMZ 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool kingvpn1 172.16.255.1-172.16.255.32
pdm location 172.16.1.2 255.255.255.255 inside
pdm location 172.16.1.15 255.255.255.255 inside
pdm location eppie 255.255.255.255 inside
pdm location 192.168.68.3 255.255.255.255 outside
pdm location IT 255.255.255.0 inside
pdm location 172.16.10.15 255.255.255.255 inside
pdm location 172.16.10.7 255.255.255.255 inside
pdm location 172.16.10.139 255.255.255.255 inside
pdm location time.server 255.255.255.255 inside
pdm location time.server 255.255.255.255 outside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.131.0 255.255.255.0 0 0
nat (inside) 1 172.16.0.0 255.255.128.0 0 0
nat (DMZ) 0 access-list nonatDMZ
static (inside,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (DMZ,outside) 12.34.56.2 mail netmask 255.255.255.255 0 0
static (inside,outside) 12.34.56.7 localdns netmask 255.255.255.255 0 0
static (inside,outside) time.server time.server netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 12.34.56.1 1
route inside 172.16.128.0 255.255.192.0 172.16.1.254 1
route inside 172.16.192.0 255.255.192.0 172.16.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http eppie 255.255.255.255 inside
http 172.16.1.15 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside eppie Pix-running-config.txt
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 120
crypto map outside_map 20 set peer digital
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxx address digital netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup king address-pool kingvpn1
vpngroup king dns-server localdns
vpngroup king default-domain abc.com
vpngroup king split-tunnel king_splitTunnelAcl
vpngroup king idle-time 1800
vpngroup king password
telnet eppie 255.255.255.255 inside
telnet 172.16.1.15 255.255.255.255 inside
telnet timeout 30
ssh timeout 30
console timeout 0
username eppie password xxxxxxx encrypted privilege 15
privilege show level 3 command blocks
privilege show level 3 command pdm
terminal width 80
Cryptochecksum:vvvvvvvvvvvvvvvvvvvvv
: end
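The replies above turn on where the NAT exemption is bound (koaps's point that it has to be "nat (dmz) 0", not "nat (inside) 0") and on whether the posted configuration actually grants it for the pool. As an added example that is not part of this thread, here is a small Python checker that parses the PIX 6.x statements involved ("ip local pool", "ip address", "route", "nat ... 0 access-list", "access-list ... permit ip", "static") and reports, for a given pool and target interface: whether a nat 0 exemption on that interface covers traffic from that interface's hosts to the pool; whether any connected subnet or explicit route on another inner interface also covers the pool (the PIX forwards replies to VPN clients by its routing table, so such a route steers them away from the crypto-map interface and they are never encrypted); and whether a static presents a mapped range on that interface that contains pool addresses. All sample configs are constructed: WRONG and RIGHT follow koaps's snippet with a made-up pool of 192.168.3.1-192.168.3.100 and a lowercase "dmz" interface, and POSTED is an excerpt modelled on the configuration above with the "name" aliases replaced by addresses. Function and variable names are the example's own.

```python
"""Lint a PIX 6.x config for VPN-client reachability behind an inner interface.

Added example, not from the thread. For a pool and a target interface it checks
(1) a "nat (<if>) 0 access-list" exemption on the interface the replies enter
whose ACL matches <if> hosts -> pool, (2) no connected subnet or "route" on
another inner interface covers the pool, (3) no "static" maps a range onto the
target interface that swallows the pool. Lines using "name" aliases are skipped.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(toks):
    """Consume one PIX address spec (any | host A | A MASK) from the token list."""
    head = toks.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{toks.pop(0)}", strict=False)


def parse_pix(text):
    """Collect pools, interface subnets, routes, nat 0 bindings, ACL entries and statics."""
    cfg = {"pools": {}, "ifaces": {}, "routes": [], "nat0": {}, "acls": {}, "statics": []}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith(":"):
            continue
        try:
            if t[:3] == ["ip", "local", "pool"]:
                lo, hi = t[4].split("-")
                cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            elif t[:2] == ["ip", "address"]:
                cfg["ifaces"][t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            elif t[0] == "route":
                cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)))
            elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
                cfg["nat0"][t[1].strip("()")] = t[4]  # interface -> exemption ACL name
            elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
                rest = t[4:]
                cfg["acls"].setdefault(t[1], []).append((_take_addr(rest), _take_addr(rest)))
            elif t[0] == "static" and t[4] == "netmask":
                real_if, mapped_if = t[1].strip("()").split(",")
                mapped = ipaddress.ip_network(f"{t[2]}/{t[5]}", strict=False)
                cfg["statics"].append((real_if, mapped_if, mapped))
        except (ValueError, IndexError):
            continue  # name-based or unrecognised line: skipped, not parsed
    return cfg


def check_pool(cfg, pool_name, target_if, vpn_if="outside"):
    """Return finding strings for clients in pool_name reaching hosts behind target_if."""
    lo, hi = cfg["pools"][pool_name]
    pool = list(ipaddress.summarize_address_range(lo, hi))
    findings = []
    # 1. Exemption must sit on the interface the DMZ replies arrive on, not on inside.
    acl = cfg["nat0"].get(target_if)
    if acl is None:
        findings.append(f"no 'nat ({target_if}) 0 access-list' for replies entering {target_if}")
    else:
        if_net = cfg["ifaces"].get(target_if, ANY)
        exempt = any(src.overlaps(if_net) and all(p.subnet_of(dst) for p in pool)
                     for src, dst in cfg["acls"].get(acl, []))
        if not exempt:
            findings.append(f"access-list {acl} does not exempt {target_if} -> {pool_name}")
    # 2. A connected subnet or explicit route on another inner interface covering the pool.
    for iface, net in list(cfg["ifaces"].items()) + cfg["routes"]:
        if iface != vpn_if and net.prefixlen > 0 and any(net.overlaps(p) for p in pool):
            findings.append(f"{net} via {iface} covers {pool_name}: replies leave {iface}, not {vpn_if}")
    # 3. A static whose mapped range, as seen from target_if, contains pool addresses.
    for real_if, mapped_if, mapped in cfg["statics"]:
        if mapped_if == target_if and any(mapped.overlaps(p) for p in pool):
            findings.append(f"static ({real_if},{mapped_if}) {mapped} overlaps {pool_name} on {target_if}")
    return findings


# Constructed config in the shape of koaps's first snippet: exemption bound to inside only.
WRONG = """\
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip local pool vpnpool 192.168.3.1-192.168.3.100
access-list NoNAT permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list NoNAT
"""
RIGHT = WRONG + "nat (dmz) 0 access-list NoNAT\n"  # koaps's correction

# Constructed excerpt modelled on the posted config (name aliases replaced by addresses).
POSTED = """\
ip address inside 172.16.1.1 255.255.128.0
ip address DMZ 192.168.1.1 255.255.255.0
ip local pool kingvpn1 172.16.255.1-172.16.255.32
access-list nonatDMZ permit ip any 172.16.255.0 255.255.255.192
nat (DMZ) 0 access-list nonatDMZ
static (inside,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
route outside 0.0.0.0 0.0.0.0 12.34.56.1 1
route inside 172.16.192.0 255.255.192.0 172.16.1.254 1
"""

if __name__ == "__main__":
    for label, text, pool, dmz in (("wrong", WRONG, "vpnpool", "dmz"),
                                   ("right", RIGHT, "vpnpool", "dmz"),
                                   ("posted", POSTED, "kingvpn1", "DMZ")):
        print(label, check_pool(parse_pix(text), pool, dmz) or ["ok"])
```

Run against WRONG the checker reports only the missing "nat (dmz) 0" binding, and against RIGHT it reports nothing, which is koaps's correction in executable form. Run against POSTED it passes the exemption check but flags two things to review: "route inside 172.16.192.0 255.255.192.0 ..." covers the 172.16.255.x pool, and "static (inside,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.0.0" overlaps the pool as seen from the DMZ. The thread itself does not say whether either was the cause of the missing outbound ping; the checker only surfaces them as the kind of overlap a practitioner would rule out before looking elsewhere.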
