Allow access from DMZ to Inside using a Cisco ASA 5505

I've been working on this problem for about 2 weeks now and for the life of me cannot figure out how to allow traffic to pass from my DMZ to my Inside network. I'm trying to allow ssh and icmp echo and echo-reply. I've searched the web and even followed the commands in Cisco's own documentation. I've created the static nat and the access-list. Traffic just will not reach the destination. The DMZ host is and the Inside host is Please help. I'm pulling my hair out here. My config is below and thanks in advance.

homeasa> enable
Password: ********

homeasa# sh run  
: Saved
ASA Version 7.2(3) 
hostname homeasa
ddns update method OpenDNS
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
interface Vlan12
 nameif DMZ
 security-level 50
 ip address 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
 switchport monitor Ethernet0/0 
 switchport monitor Ethernet0/1 
 switchport monitor Ethernet0/2 
 switchport monitor Ethernet0/3 
 switchport monitor Ethernet0/4 
 switchport monitor Ethernet0/5 
interface Ethernet0/7
 switchport access vlan 12
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
access-list inside_nat0_outbound extended permit ip 
access-list vpnusers_splitTunnelAcl standard permit 
access-list vpnusers_splitTunnelAcl standard permit any 
access-list vpnusers_splitTunnelAcl_1 standard permit 
access-list vpnusers_splitTunnelAcl_1 standard permit any 
access-list egress extended deny tcp host any log 
access-list outside_access_in extended permit tcp any interface outside eq ssh log 
access-list outside_access_in extended permit tcp any interface outside eq ftp log 
access-list outside_access_in extended permit tcp any interface outside eq ftp-data log 
access-list DMZtoInside extended permit tcp host host eq ssh 
access-list DMZtoInside extended permit icmp host host echo 
access-list DMZtoInside extended permit icmp host host echo-reply 
pager lines 24
logging enable
logging timestamp
logging standby
logging monitor informational
logging trap informational
logging asdm informational
logging facility 22
logging host inside
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPN_Pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
nat (inside) 1
nat (DMZ) 1
static (DMZ,outside) tcp interface ssh ssh netmask 
static (DMZ,outside) tcp interface ftp ftp netmask 
static (DMZ,outside) tcp interface ftp-data ftp-data netmask 
static (inside,DMZ) netmask  
access-group outside_access_in in interface outside
access-group DMZtoInside in interface DMZ
router ospf 1
 network area 0
 redistribute static subnets
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http inside
snmp-server host inside poll community 
no snmp-server location
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside
dhcpd address DMZ
dhcpd enable DMZ

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
service-policy global_policy global
ntp server
group-policy vpnusers internal
group-policy vpnusers attributes
 dns-server value
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnusers_splitTunnelAcl
 default-domain value 
tunnel-group vpnusers type ipsec-ra
tunnel-group vpnusers general-attributes
 address-pool VPN_Pool
 default-group-policy vpnusers
tunnel-group vpnusers ipsec-attributes
 pre-shared-key *
prompt hostname context 
: end

homeasa# exit


Have u added the statement in the ASA to allow traffic through the firewall without address translation?

U can find it under NAT in ASDM.

If so, then u won't need to NAT between LAN and DMZ, basic routing should occur.

If u want NAT between DMZ and LAN then u have to add policy NAT instead.
CompushareAuthor Commented:
I added the no nat-control command. I'm not sure how to configure policy NAT.
CompushareAuthor Commented:
Policy nat didn't work for me. I may have configured it wrong.

I added a static nat statement...

static (inside,dmz) netmask

and the traffic started to pass from my DMZ to the Internal network.

U should be able to use basic routing without having to use NAT from LAN to DMZ and vice versa, but this will work too, a bit more to configure, but still manageable.
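
The fix the author describes (a static between inside and DMZ plus the ACL bound to the DMZ interface), written out as an added example for ASA 7.2 pre-8.3 NAT syntax; it is not the poster's actual configuration. The thread does not show the real addresses, so 192.168.1.10 (inside host), 192.168.1.0/24 (inside network) and 172.16.12.10 (DMZ host) are constructed placeholders.

```cisco
! Added example, ASA 7.2 syntax. All addresses below are constructed placeholders.
!
! 1. Identity static (global configuration mode): the inside host is reachable
!    from the DMZ under its real address. A host entry (255.255.255.255) opens
!    a translation for one machine only; a network address with a wider netmask
!    would do the same for the whole subnet.
static (inside,DMZ) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
!
! 2. ACL applied inbound on the lower-security DMZ interface.
access-list DMZtoInside extended permit tcp host 172.16.12.10 host 192.168.1.10 eq ssh
access-list DMZtoInside extended permit icmp host 172.16.12.10 host 192.168.1.10 echo
access-list DMZtoInside extended permit icmp host 172.16.12.10 host 192.168.1.10 echo-reply
! An ACL bound with access-group ends in an implicit deny, so DMZ hosts lose
! outbound access unless it is permitted as well. Deny the rest of inside
! first, then allow everything else.
access-list DMZtoInside extended deny ip any 192.168.1.0 255.255.255.0 log
access-list DMZtoInside extended permit ip any any
access-group DMZtoInside in interface DMZ
!
! 3. Privileged EXEC: clear translations built under the old NAT rules.
clear xlate
!
! 4. Privileged EXEC: verify. packet-tracer lists each phase (ACL, NAT, route)
!    and names the one that drops the packet.
packet-tracer input DMZ tcp 172.16.12.10 1025 192.168.1.10 22 detailed
packet-tracer input DMZ icmp 172.16.12.10 8 0 192.168.1.10
show xlate
show access-list DMZtoInside
```

The hit counters in `show access-list DMZtoInside` show which entry a test connection matched, and the `log` keyword on the deny entry records other DMZ attempts to reach the inside network.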