Добрый день!
Бьюсь уже неделю над вопросом, делаю вроде как написано в многочисленных мануалах... Задача стоит в пропускании трафика на 25 и 110 порты из outside сети в dmz, взаимодействие между dmz и inside сделано через nat 0.
...
access-list acl_dmz permit tcp host 10.99.7.66 host 10.99.9.1 eq smtp
access-list acl_dmz permit udp host 10.99.7.66 host 10.99.9.1 eq domain
access-list acl_dmz permit tcp host 10.99.7.66 eq smtp 10.99.127.248 255.255.255.248
access-list acl_dmz permit tcp host 10.99.7.66 eq pop3 10.99.127.248 255.255.255.248
access-list acl_out permit tcp 10.99.127.248 255.255.255.248 host 10.99.127.252 eq smtp
access-list acl_out permit tcp 10.99.127.248 255.255.255.248 host 10.99.127.252 eq pop3
access-list acl_out deny ip any any
access-list acl_in permit tcp 10.99.0.0 255.255.240.0 host 10.99.7.66 eq ssh
access-list acl_in permit tcp 10.99.0.0 255.255.240.0 host 10.99.7.66 eq smtp
access-list acl_in permit tcp 10.99.0.0 255.255.240.0 host 10.99.7.66 eq domain
access-list acl_in permit udp host 10.99.9.1 eq domain 10.99.7.64 255.255.255.224
access-list acl_in permit tcp 10.99.0.0 255.255.240.0 host 10.99.7.66 eq telnet
access-list outside_nonat permit ip host 10.99.7.66 host 10.99.127.254
access-list inside_nonat permit ip 10.99.0.0 255.255.240.0 10.99.7.64 255.255.255.224
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 10.99.127.253 255.255.255.248
ip address inside 10.99.15.251 255.255.255.0
ip address dmz 10.99.7.65 255.255.255.224
nat (inside) 0 access-list inside_nonat
static (dmz,outside) tcp 10.99.127.252 smtp 10.99.7.66 smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 10.99.127.252 pop3 10.99.7.66 pop3 netmask 255.255.255.255 0 0
static (inside,dmz) 10.99.15.0 10.99.15.0 netmask 255.255.255.0 0 0
static (inside,dmz) 10.99.9.0 10.99.9.0 netmask 255.255.255.0 0 0
static (inside,dmz) 10.99.0.0 10.99.0.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
...

term mon PIX'а говорит следующее:

305011: Built static TCP translation from dmz:10.99.7.66/110 to outside:10.99.127.252/110
302013: Built inbound TCP connection 1040 for outside:10.99.127.254/2069 (10.99.127.254/2069) to dmz:10.99.7.66/110 (10.99.127.252/110)
305011: Built static TCP translation from dmz:10.99.7.66/25 to outside:10.99.127.252/25
302013: Built inbound TCP connection 1041 for outside:10.99.127.254/2071 (10.99.127.254/2071) to dmz:10.99.7.66/25 (10.99.127.252/25)
302014: Teardown TCP connection 1040 for outside:10.99.127.254/2069 to dmz:10.99.7.66/110 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 1041 for outside:10.99.127.254/2071 to dmz:10.99.7.66/25 duration 0:02:01 bytes 0 SYN Timeout
305012: Teardown static TCP translation from dmz:10.99.7.66/110 to outside:10.99.127.252/110 duration 0:02:06
305012: Teardown static TCP translation from dmz:10.99.7.66/25 to outside:10.99.127.252/25 duration 0:02:07

На сервере в DMZ default шлюзом стоит PIX, netstat показывает соединение из ouside узла с пометкой SYN_RCVD и все.

где копать может кто подскажет?