config t
interface gi0/0
 ip address 188.8.131.52 255.255.255.0
 nameif outside
 security-level 0
interface gi0/1
 ip address 192.168.10.1 255.255.255.0
 nameif inside
 security-level 100
interface gi0/3
 ip address 172.28.0.2 255.255.255.0
 nameif dmz
 security-level 50
object network LAN
 subnet 192.168.10.0 255.255.255.0
object network DMZ
 host 172.28.0.15
object-group service Dmz_ports
 service-object tcp destination eq 80
 service-object tcp destination eq 443
! A network object can carry only one nat statement, so each port-specific
! static NAT gets its own object. Real interface first: the host lives on dmz.
object network DMZ-HTTP
 host 172.28.0.15
 nat (dmz,outside) static 184.108.40.206 service tcp 80 80
object network DMZ-HTTPS
 host 172.28.0.15
 nat (dmz,outside) static 220.127.116.11 service tcp 443 443
! ACL uses the real (pre-NAT) address of the DMZ host, as on ASA 8.3+
access-list out_acz_in extended permit object-group Dmz_ports any object DMZ
access-group out_acz_in in interface outside
Note: Traffic from LAN to DMZ is allowed (high-to-low), but only for the inspected protocols like Telnet, HTTP, etc.
So HTTP on port 80 is inspected; nothing to worry about. Traffic with SP:80 from LAN to DMZ will flow by default.
For any other traffic, use the access-lists below as appropriate.
! Either: allow all ports from DMZ to INSIDE. The ACL is applied inbound on
! the dmz interface, where this traffic enters the firewall.
access-list dmz_acz extended permit ip object DMZ object LAN
access-group dmz_acz in interface dmz
! Or: allow only port 443 from DMZ to INSIDE
access-list dmz_acz extended permit tcp object DMZ object LAN eq 443
access-group dmz_acz in interface dmz
Please let me know the results.
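The following is an added example, not part of the post above and not Cisco code: a small Python model of the two decisions an ASA makes for a new connection, which is what the discussion of LAN-to-DMZ, outside-to-DMZ and DMZ-to-inside traffic turns on. With no access-group applied inbound on the ingress interface, the flow is permitted only when the ingress security-level is strictly higher than the egress level; once an access-group is applied inbound, the ACL alone decides (first match wins, then implicit deny). The interface layout and the 172.28.0.15 web host mirror the configuration in the post; the client addresses 192.168.10.20, 192.168.10.30, 172.28.0.99 and 203.0.113.9 are constructed test hosts, and NAT, inspection engines and same-security-traffic settings are deliberately left out of the model.

```python
"""Toy model of Cisco ASA interface access policy (added example, not from the post).

ACLs see real (pre-NAT) addresses, as on ASA 8.3 and later. NAT, protocol
inspection and same-security-traffic settings are out of scope.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Interface:
    name: str
    network: IPv4Network      # prefix reachable through this interface
    security_level: int


@dataclass
class Ace:
    """One access-list entry; proto 'ip' matches any protocol, dport None matches any port."""
    action: str               # "permit" or "deny"
    proto: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dport is None or self.dport == dport


@dataclass
class Asa:
    interfaces: list[Interface]
    acls: dict[str, list[Ace]] = field(default_factory=dict)
    access_groups: dict[str, str] = field(default_factory=dict)   # interface -> ACL applied "in"

    def interface_for(self, addr: IPv4Address) -> Interface:
        # Longest-prefix match; outside carries 0.0.0.0/0 as the default route.
        candidates = [i for i in self.interfaces if addr in i.network]
        return max(candidates, key=lambda i: i.network.prefixlen)

    def is_allowed(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> tuple[bool, str]:
        """Return (verdict, reason) for a new flow entering the box with real addresses."""
        s, d = ip_address(src), ip_address(dst)
        ingress, egress = self.interface_for(s), self.interface_for(d)
        if ingress.name == egress.name:
            return False, f"hairpin on {ingress.name}: denied unless same-security-traffic permit intra-interface"
        acl_name = self.access_groups.get(ingress.name)
        if acl_name is None:
            # Default policy: a higher security level may initiate to a lower one, never the reverse.
            if ingress.security_level > egress.security_level:
                return True, f"no ACL on {ingress.name}: level {ingress.security_level} > {egress.security_level}, allowed by default"
            return False, f"no ACL on {ingress.name}: level {ingress.security_level} <= {egress.security_level}, denied by default"
        # An inbound ACL replaces the default policy: first match wins, then implicit deny.
        for n, ace in enumerate(self.acls[acl_name], 1):
            if ace.matches(proto, s, d, dport):
                return ace.action == "permit", f"{acl_name} line {n}: {ace.action}"
        return False, f"{acl_name}: implicit deny"


def build_example_asa(apply_dmz_acl: bool = True) -> Asa:
    """Three-interface layout from the post; apply_dmz_acl=False shows the DMZ->inside default."""
    asa = Asa(interfaces=[
        Interface("outside", ip_network("0.0.0.0/0"), 0),
        Interface("inside", ip_network("192.168.10.0/24"), 100),
        Interface("dmz", ip_network("172.28.0.0/24"), 50),
    ])
    anywhere = ip_network("0.0.0.0/0")
    web = ip_network("172.28.0.15/32")        # object network DMZ
    lan = ip_network("192.168.10.0/24")       # object network LAN
    asa.acls["out_acz_in"] = [Ace("permit", "tcp", anywhere, web, 80), Ace("permit", "tcp", anywhere, web, 443)]
    asa.access_groups["outside"] = "out_acz_in"
    if apply_dmz_acl:
        asa.acls["dmz_acz"] = [Ace("permit", "tcp", web, lan, 443)]   # the "only port 443" variant
        asa.access_groups["dmz"] = "dmz_acz"
    return asa


if __name__ == "__main__":
    asa = build_example_asa()
    for flow in [("tcp", "192.168.10.20", "172.28.0.15", 80),   # LAN -> DMZ, no ACL on inside
                 ("tcp", "203.0.113.9", "172.28.0.15", 80),     # Internet -> DMZ web, ACL permits
                 ("tcp", "203.0.113.9", "172.28.0.15", 22),     # Internet -> DMZ ssh, implicit deny
                 ("tcp", "172.28.0.15", "192.168.10.20", 443),  # DMZ -> LAN 443, ACL permits
                 ("tcp", "172.28.0.15", "192.168.10.20", 80)]:  # DMZ -> LAN 80, implicit deny
        print(flow, asa.is_allowed(*flow))
```

Run it as a script to print a verdict and reason per flow. The model makes the post's point concrete: LAN-to-DMZ traffic needs no ACL because inside (100) outranks dmz (50), whereas DMZ-to-inside traffic is dropped until an ACL is applied inbound on dmz, and the moment that ACL exists it is the whole policy for that interface, so anything it does not list (port 80 from the web host, or any port from another DMZ host) falls to the implicit deny.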