Can't NAT from outside with PIX 515

And I forget to include this: It uses software version 6.3(4).

Did you happen to use the -same- access-list name for each of the access-group statements? If so, that could explain the situation.

You only need the static (inside,dmz) if you need the dmz to be able to initiate connections to the inside, or if for some reason you need your inside computer 192.168.10.101 to be recorded distinctly as 192.168.0.101 on the dmz (e.g., for authentication reasons.)

Otherwise, if you do not need to be able to initiate to inside, you could

nat (inside) 2 192.168.10.101 255.255.255.255 global (dmz) 2 192.168.0.101

Also, -typically- if you want an inside host to appear as a unique IP address to the dmz (e.g., logging purposes), you would static the IP to itself, or use nat 0 access-list to do much the same thing.

static (inside,dmz) 192.168.10.101 192.168.10.101 netmask 255.255.255.255

That behaviour would not surprise me if you have used the same access-list for all three access-group .

As I said, this is a test setup to solve the problem. It's not our real network layout.

The static (inside, dmz) is proposital, and it's not a problem at all. The problem is that I cannot open a page in the web server from outside with nat and no restriction.

About the ACLs, they are not the same. There are 3 distinct acls with "permit ip any any", one for each interface.

open an connection from an lower security interface to a higher security interface using static and ACL.

But the same thing doesn't happen with connections coming from outside to dmz, although it's exactly the same setup.

I suspect this PIX have a hardware problem... did anyone have the same problem?

Is the 200.200.200.200 exactly the IP address of the outside interface? If it is, then replace it with the word "interface" and use PAT:

static (dmz,outside) tcp interface www 192.168.0.50 www netmask 255.255.255.255 static (dmz,outside) tcp interface telnet 192.168.0.50 telnet netmask