In article , Richard Isaac wrote:
:I have a PIX with the following Networks
:Outside Inside DMZ
:1. I currently have a static NAT which allows an outside address direct
:access to the servers in the DMZ.
:2. There is a NAT which allows inside traffic to the DMZ - keeping the
:source address.
:I need to add a translation which allows servers in the DMZ access to hosts
:on the inside - keeping their original addresses.
If you want the inside and DMZ hosts to retain their original addresses when talking to each other, then create a new ACL permitting traffic with a source of your inside network and a destination of your DMZ network, and then
nat (inside) 0 access-list TheNewACL
(Note: you are only allowed one nat 0 access-list per interface, so if you already have one, merge the new entry into the old acl.)
The above has an important security side effect: it allows the DMZ hosts to initiate connections to inside hosts whenever the access-group applied to the DMZ allows the traffic, even if there is no 'static' statement for that inside host.
static (inside,dmz) INSIDEIP INSIDEMASK INSIDEIP INSIDEMASK
Although this only talks about the inside IPs, your requirement #2 that DMZ to inside retains the DMZ source IPs happens automatically because, unless you configure specifically otherwise, traffic from a lower-security interface to a higher-security interface retains the source IP address.
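As an added illustration (not part of either post above, and not the poster's configuration), here is how the two approaches look as a complete PIX 6.x fragment. The addresses, ACL names and the database port are made up for the example: inside is assumed to be 10.1.0.0/16, the DMZ 192.168.10.0/24, and 192.168.10.5 a DMZ web server that needs to reach a database on 10.1.1.20. The thing to notice is the side effect described above: once identity NAT (or an identity static) exists for the inside hosts, the access-group on the dmz interface is the only control left between a compromised DMZ host and the inside, so that ACL should name specific inside hosts and ports and explicitly deny the rest of the inside network rather than ending in a bare permit to any.

```cisco
! --- Approach 1: identity NAT with nat 0 access-list (assumed addressing) ---
! Source is the higher-security (inside) network, destination is the DMZ network.
! Only one nat 0 access-list is allowed per interface, so further inside/DMZ
! pairs go in as extra lines of this same ACL, not as a second nat 0 statement.
access-list INSIDE_DMZ_NONAT permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list INSIDE_DMZ_NONAT

! --- Approach 2 (alternative for a single host, shown commented out):
! identity static, global and local address identical, no address change.
! static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255

! --- Either way, the dmz access-group is now the only control on
! DMZ-initiated traffic towards the inside. Permit exactly the flows the DMZ
! servers need, deny the rest of the inside explicitly, and only then allow
! the DMZ out to the Internet as before.
access-list DMZ_IN permit tcp host 192.168.10.5 host 10.1.1.20 eq 1433
access-list DMZ_IN deny ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list DMZ_IN permit ip 192.168.10.0 255.255.255.0 any
access-group DMZ_IN in interface dmz

! After changing nat or static entries, drop the existing translations so
! the new rules take effect for established sessions too:
! clear xlate
! Then watch the hit counts: the deny line should be the one that climbs
! when a DMZ host tries anything on the inside other than the permitted flow.
! show access-list DMZ_IN
```

The explicit deny before the final permit is the important line; without it, the `permit ip ... any` that lets the DMZ reach the Internet also lets every DMZ host reach every inside host the nat 0 ACL (or the static) covers.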