config t
interface gi0/0
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.0
 no shutdown
interface gi0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface gi0/3
 nameif dmz
 security-level 50
 ip address 172.28.0.2 255.255.255.0
 no shutdown
!
object network LAN
 subnet 192.168.10.0 255.255.255.0
!
! DMZ web server, referenced by the access lists below.
object network DMZ
 host 172.28.0.15
!
! One network object per published port: a network object takes only one
! object-NAT statement, so a second "nat" line on the same object would
! replace the first. "interface" maps to the outside address (1.2.3.4);
! the ASA does not accept the interface IP typed as a literal mapped address.
object network DMZ_HTTP
 host 172.28.0.15
 nat (dmz,outside) static interface service tcp 80 80
object network DMZ_HTTPS
 host 172.28.0.15
 nat (dmz,outside) static interface service tcp 443 443
!
object-group service Dmz_ports
 service-object tcp destination eq 80
 service-object tcp destination eq 443
!
! On ASA 8.3 and later the inbound ACL matches the real (untranslated)
! destination, so it references the DMZ host object, not 1.2.3.4.
access-list out_acz_in extended permit object-group Dmz_ports any object DMZ
access-group out_acz_in in interface outside
Note: Traffic from LAN to DMZ is allowed (high-to-low), but only for the inspected protocols like Telnet, HTTP, etc.
So HTTP 80 is inspected; nothing to worry about there. Traffic with SP:80 from LAN to DMZ will flow by default.
For any other traffic, use the access lists below as appropriate.
! Traffic from the DMZ towards the LAN enters on the dmz interface, so the
! ACL is applied inbound on dmz, not on inside. Pick ONE of the two options;
! both use the name dmz_acz, and ACL lines with the same name accumulate.
! Once an ACL is bound to dmz, its implicit deny also blocks anything else
! sourced from the DMZ (e.g. DMZ to outside) that is not explicitly permitted.
!
! Option A: allow all ports from the DMZ host to INSIDE
access-list dmz_acz extended permit ip object DMZ object LAN
access-group dmz_acz in interface dmz
!
! Option B: allow only TCP 443 from the DMZ host to INSIDE
access-list dmz_acz extended permit tcp object DMZ object LAN eq 443
access-group dmz_acz in interface dmz
Please let me know the results.
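Added verification steps (not part of the original post): after pasting the configuration, these ASA commands confirm that the port-forward NAT and both access lists behave as intended before any real traffic is sent. The internet source address 203.0.113.10 and the LAN host 192.168.10.50 are constructed test values; substitute your own.

```text
! Inbound from the internet to the published HTTPS port.
! Expect: ALLOW, with the UN-NAT phase showing 1.2.3.4:443 -> 172.28.0.15:443
! and the ACCESS-LIST phase matching out_acz_in.
packet-tracer input outside tcp 203.0.113.10 40000 1.2.3.4 443 detailed

! A port that is not published (SSH) must be dropped.
! Expect: DROP (no matching NAT rule / implicit deny of out_acz_in).
packet-tracer input outside tcp 203.0.113.10 40000 1.2.3.4 22

! DMZ host towards a LAN host on TCP 443.
! Expect: ALLOW under either option; with Option B, repeat with port 3389
! and expect DROP by the implicit deny of dmz_acz.
packet-tracer input dmz tcp 172.28.0.15 40000 192.168.10.50 443

! Confirm the two object-NAT entries exist and are hit, and that each
! access list is bound to the right interface with climbing hit counts.
show nat detail
show xlate
show access-list out_acz_in
show access-list dmz_acz
show running-config access-group
```

If the first packet-tracer stops at the NAT phase, check `show running-config nat` for a single object carrying both ports (only the last `nat` line on an object survives); if it stops at ACCESS-LIST, the ACL is referencing the mapped address instead of the real host.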