Okay, so you've got a DMZ with a mail server on it! The outside world needs to be able to get to your mail server on the global address aaa.bbb.ccc.ddd! Your inside (the actual) IP address of the server is, for example, 172.16.2.100. This is the address that the static NAT statement will map to when the outside world connects to the mail server on aaa.bbb.ccc.ddd.
Also, your inside users need to be able to get to the mail server on the DMZ. They will use the private address 172.16.2.100.
For the outside world to be able to access the mail server we need to map the outside IP to the actual IP:
static (dmz,outside) aaa.bbb.ccc.ddd 172.16.2.100 netmask 255.255.255.255 0 0
The outside world also needs an access-list or conduit to allow it to access the DMZ. This is because the outside interface (the internet) has a lower security level (0) than the DMZ (1 to 99 .. probably something like 50).
access-list mail_in permit tcp any host aaa.bbb.ccc.ddd eq 25
This allows anyone on the internet access to the mail server on port 25 only. It would be applied to the outside interface:
access-group mail_in in interface outside
That takes care of the outside to the mail server. But, what about the inside connecting to the mail server?? Well, no special security measures are needed as the inside network is security 100, higher than the DMZ, so connections are allowed by the ASA. But, if the inside network is on the IP range 192.168.1.0 /24 then all traffic going to the 172.16.2.0 /24 IP range will need to be NATed on the DMZ.
For this we could either have a pool of addresses or we could just use one address and use PAT. Let's say that all 192.168.1.x addresses will go to the DMZ with the IP address 172.16.2.10 (with a different port number .. Port Address Translation!!). The inside network is already subject to NAT with a statement such as:
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
To have this address range translated on the DMZ, we use:
global (dmz) 1 172.16.2.10 netmask 255.255.255.0
We could also allow the inside network out to the internet on the address of the outside interface:
global (outside) 1 interface
So, the nat statement defines what IPs will be subject to NAT and the global statement says what these IPs will be translated to!
I hope that this makes it a bit clearer!!
Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
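The decision logic described in the post, as an added example that is not part of Chris's message or any Cisco code: a small Python model of the pre-8.3 rules (security levels, an inbound access-list written against the global address, static for the server, nat/global id pairing with PAT). It assumes placeholder addresses (203.0.113.25 stands in for aaa.bbb.ccc.ddd, 203.0.113.1 for the outside interface), a DMZ security level of 50, and that nat-control is not enforced.

```python
import ipaddress

# Constructed model of the post's pre-8.3 PIX/ASA rules (an added example, not Cisco code).
# Placeholder addresses: 203.0.113.25 stands in for aaa.bbb.ccc.ddd.
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}
# static (real_if,mapped_if) mapped real  ->  static (dmz,outside) aaa.bbb.ccc.ddd 172.16.2.100
STATICS = [("dmz", "outside", "203.0.113.25", "172.16.2.100")]
# nat (inside) 1 192.168.1.0 255.255.255.0
NAT = [("inside", 1, "192.168.1.0/24")]
# global (dmz) 1 172.16.2.10  and  global (outside) 1 interface
GLOBALS = {("dmz", 1): "172.16.2.10", ("outside", 1): "interface"}
IF_ADDR = {"outside": "203.0.113.1"}  # assumed outside interface address
# access-list mail_in permit tcp any host aaa.bbb.ccc.ddd eq 25, applied "in interface outside"
ACLS = {"outside": [("tcp", "203.0.113.25", 25)]}


def translate_source(src_if, src_ip, dst_if):
    """Return the source address seen on dst_if, or None if the nat id has no global there."""
    for real_if, mapped_if, mapped, real in STATICS:
        if (real_if, mapped_if, real) == (src_if, dst_if, src_ip):
            return mapped
    for nat_if, nat_id, net in NAT:
        if nat_if == src_if and ipaddress.ip_address(src_ip) in ipaddress.ip_network(net):
            pool = GLOBALS.get((dst_if, nat_id))
            if pool is None:
                return None  # nat statement with no matching global on the egress interface
            return IF_ADDR[dst_if] if pool == "interface" else pool
    return src_ip  # assumption: nat-control off, untranslated traffic passes unchanged


def untranslate_destination(src_if, dst_ip, dst_if):
    """Map a global (mapped) destination back to the real host behind a static."""
    for real_if, mapped_if, mapped, real in STATICS:
        if (mapped_if, real_if, mapped) == (src_if, dst_if, dst_ip):
            return real
    return dst_ip


def evaluate(src_if, src_ip, dst_if, dst_ip, proto, port):
    """Decide a flow as the post describes: security levels, then inbound ACL, then NAT."""
    allowed = SECURITY[src_if] > SECURITY[dst_if]
    if not allowed:  # lower to higher security: an inbound ACL on src_if must permit it
        # pre-8.3 ACLs match on the global (mapped) address, not the real 172.16.2.100
        allowed = (proto, dst_ip, port) in ACLS.get(src_if, [])
    src = translate_source(src_if, src_ip, dst_if)
    if not allowed or src is None:
        return {"allowed": False}
    return {"allowed": True, "src": src, "dst": untranslate_destination(src_if, dst_ip, dst_if)}
```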