ASA Outside Access > DMZ will not work

Hi Group

I can't see the solution in the forest.

There are some Networks on a ASA:

- Outside
- Inside
- Netfl
- DMZ

In the DMZ there is a little NAS box for WWW and FTP downloads. I just want to map the outside address 21.7.1.219 to the DMZ address 192.168.9.219, but it doesn't work. I can't ping, FTP or WWW from outside. Here is the config:

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name networkcust.intra
no names
name 192.168.20.1 netfl-asafw1
name 192.168.38.1 inside-asafw1
name 192.168.38.10 inside-lsrv1
name 192.168.38.11 inside-lsrv1-console
name 192.168.38.2 inside-switch1
name 192.168.38.3 inside-switch2
name 192.168.38.12 inside-voip-server
name 192.168.2.0 wan-vpnfrm2-lan
name 192.168.7.0 wan-vpnclients
name 192.168.38.5 inside-p1-laser
name 192.168.38.6 inside-p2
name 192.168.38.7 inside-p3
name 192.168.20.5 netfl-p1-laser
name 192.168.20.6 netfl-p2
name 192.168.9.10 dmz-nas-dm
name 192.168.9.1 dmz-asafw1
name 21.7.1.218 wan-asa1
name 21.7.1.217 wan-gw1
name 21.7.1.219 wan-nas1
name 192.168.9.219 dmz-nas1
name 192.168.1.0 wan-vpn-bs
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 21.7.1.218 255.255.255.248
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.38.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif netfl
 security-level 20
 ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif dmz
 security-level 10
 ip address 192.168.9.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name networkcust.intra
object-group network inside-printer
 network-object host 192.168.38.5
 network-object host 192.168.38.6
object-group network netfl2inside-Printer
 network-object host 192.168.20.5
 network-object host 192.168.20.6
object-group service Printer tcp
 port-object eq 9100
 port-object eq lpd
object-group service dmz-nas1
 service-object tcp eq ftp-data
 service-object tcp eq ftp
 service-object tcp eq https
 service-object tcp eq www
 service-object icmp
access-list outside_access_in extended permit object-group dmz-nas1 any host 21.7.1.219
access-list inside_nat0_outbound extended permit ip 192.168.38.0 255.255.255.0 192.168.7.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.38.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.38.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.38.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list netfl_access_in extended permit tcp any object-group netfl2inside-Printer object-group Printer
access-list netfl_access_in extended deny ip any object-group netfl2inside-Printer
access-list netfl_access_in extended permit ip any any
access-list splitTnlTT standard permit 192.168.38.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.38.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any
ip local pool dhcpVPNClientPool 192.168.7.10-192.168.7.30
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (netfl) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,netfl) 192.168.20.5 192.168.38.5 netmask 255.255.255.255
static (inside,netfl) 192.168.20.6 192.168.38.6 netmask 255.255.255.255
static (dmz,outside) 21.7.1.219 192.168.9.219 netmask 255.255.255.255
access-group netfl_access_in in interface netfl
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 21.7.1.217 1
dynamic-access-policy-record DfltAccessPolicy
sysopt nodnsalias inbound
sysopt nodnsalias outbound
sysopt noproxyarp outside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.5.21.114
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 21.7.1.186
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
no crypto isakmp nat-traversal
dhcprelay server 192.168.38.10 inside
dhcprelay enable netfl
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy tnlGrpTT internal
group-policy tnlGrpTT attributes
 dns-server value 192.168.38.10
 vpn-tunnel-protocol IPSec
 password-storage enable
 group-lock value tnlGrpTT
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTnlTT
 default-domain value networkcust.intra
 address-pools value dhcpVPNClientPool
username vpnUsr1 password 123123123123 privilege 0
username vpnUsr1 attributes
 vpn-group-policy tnlGrpTT
 service-type remote-access
tunnel-group tnlGrpTT type remote-access
tunnel-group tnlGrpTT general-attributes
 address-pool dhcpVPNClientPool
 default-group-policy tnlGrpTT
tunnel-group tnlGrpTT ipsec-attributes
 pre-shared-key *
tunnel-group 21.7.1.186 type ipsec-l2l
tunnel-group 21.7.1.186 ipsec-attributes
 pre-shared-key *
tunnel-group 12.5.21.114 type ipsec-l2l
tunnel-group 12.5.21.114 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global

From the inside net I can ping the NAS at 192.168.9.219.

Can anybody give me a tip on what little thing I forgot?

Thank you.

ivo


First of all, there is no "access-group outside_access_in in interface outside" command. Second - I believe "access-list outside_access_in extended permit object-group dmz-nas1 any host 21.7.1.219" wouldn't do what you think it will. Post output of "show access-list outside_access_in", please.

Regards, Andrey.

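As an added example (not code from the post, from Cisco, or from either poster), a small Python linter for the check Andrey raises: for each static translation, is an ACL bound inbound on the mapped interface, and does it permit the mapped host. It also flags sysopt noproxyarp on that interface, since the ASA relies on proxy ARP to answer for a static's mapped address. The names CONFIG and lint_statics are this example's own, and the config excerpt is constructed from the posted config; it assumes the mapped interface is the lower-security side, as outside is here.

```python
import re

# Constructed excerpt of the ASA 8.0(4) config from the post; the names
# CONFIG and lint_statics are this example's own, not an ASA or Cisco API.
CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 21.7.1.218 255.255.255.248
access-list outside_access_in extended permit object-group dmz-nas1 any host 21.7.1.219
access-list dmz_access_in extended permit ip any any
static (dmz,outside) 21.7.1.219 192.168.9.219 netmask 255.255.255.255
access-group dmz_access_in in interface dmz
sysopt noproxyarp outside
"""


def lint_statics(config):
    """Check every static (real_if,mapped_if) line for what an inbound
    connection to the mapped address needs on ASA 8.x: an ACL bound "in" on
    the mapped interface that permits the mapped host, and proxy ARP left on
    there so the ASA answers ARP for the mapped IP from the upstream router."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    bound = {}        # interface -> ACL bound with "access-group <acl> in interface <if>"
    noproxy = set()   # interfaces with "sysopt noproxyarp <if>"
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)$", ln)
        if m:
            bound[m.group(2)] = m.group(1)
        m = re.match(r"sysopt noproxyarp (\S+)$", ln)
        if m:
            noproxy.add(m.group(1))
    findings = []
    for ln in lines:
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask", ln)
        if not m:
            continue
        real_if, mapped_if, mapped_ip, real_ip = m.groups()
        acl = bound.get(mapped_if)
        if acl is None:
            findings.append(f"{mapped_ip}->{real_ip}: no access-group bound in on {mapped_if}")
        elif not any(re.match(rf"access-list {re.escape(acl)} .*permit .*host {re.escape(mapped_ip)}\b", x)
                     for x in lines):
            findings.append(f"{mapped_ip}->{real_ip}: {acl} has no permit for host {mapped_ip}")
        if mapped_if in noproxy:
            findings.append(f"{mapped_ip}->{real_ip}: sysopt noproxyarp {mapped_if} stops ARP replies for {mapped_ip}")
    return findings


if __name__ == "__main__":
    for finding in lint_statics(CONFIG):
        print(finding)
```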

Thank you for the response. Sure, the "access-list outside_access_in extended permit object-group dmz-nas1 any host 21.7.1.219" must be there; I forgot it in the copy/paste to the post, but all the others are there. Here is the output from the show command:

ciscoasa(config)# show access-list outside_access_in
access-list outside_access_in; 5 elements
access-list outside_access_in line 1 extended permit object-group dmz-nas1 any host 21.7.1.219
  access-list outside_access_in line 1 extended permit tcp any host 21.7.1.219 eq ftp-data (hitcnt=0)
  access-list outside_access_in line 1 extended permit tcp any host 21.7.1.219 eq ftp (hitcnt=0)
  access-list outside_access_in line 1 extended permit tcp any host 21.7.1.219 eq https (hitcnt=0)
  access-list outside_access_in line 1 extended permit tcp any host 21.7.1.219 eq www (hitcnt=0)
  access-list outside_access_in line 1 extended permit icmp any host 21.7.1.219 (hitcnt=0)
ciscoasa(config)#

Thank you,
ivo


Also interesting is that I don't see any attempts in the syslog (debug level)...
